The detection identifies potential adversary activity involving malicious URLs associated with the BillGates campaign, which could be used to deliver malware or exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts by threat actors leveraging these URLs.
IOC Summary

Threat: BillGates
Total URLs: 4
Active URLs: 4

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://195.177.94.68:34541/t/kal64 | online | malware_download | 2026-05-06 |
| hxxp://195.177.94.68:34541/s/kal64 | online | malware_download | 2026-05-06 |
| hxxp://195.177.94.68:34541/t/kswpad | online | malware_download | 2026-05-06 |
| hxxp://195.177.94.68:34541/t/kal32 | online | malware_download | 2026-05-06 |
```kql
// Hunt for DNS activity involving the URLhaus indicator for this threat.
// Threat: BillGates
// The indicator is a bare IP address, so a DNS query name will not contain it;
// also check the resolved addresses (IPAddresses) returned to the client.
let malicious_ips = dynamic(["195.177.94.68"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to the URLhaus indicator for this threat.
// Threat: BillGates
// Match the IP in the request URL and host name fields, and as the destination
// IP itself, since proxy/firewall logs for a direct-to-IP connection carry no host name.
let malicious_ips = dynamic(["195.177.94.68"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

The indicator for this threat is a bare IP address on a non-standard port, so the domain-based exclusions below do not affect the hunt queries above; they are generic exclusions to consider when the same hunt is extended to URL or host-name indicators.

- Scenario: A system administrator is manually testing a URL shortener tool (e.g., Bitly) that is configured to redirect to a legitimate Microsoft website (e.g., https://www.microsoft.com).
  Filter/Exclusion: Exclude URLs whose domain field contains microsoft.com.
- Scenario: A scheduled job runs a script to fetch updates from a Microsoft security portal (e.g., https://www.microsoft.com/security/) as part of a patch management process.
  Filter/Exclusion: Exclude URLs that match known Microsoft security update endpoints (e.g., https://www.microsoft.com/security/).
- Scenario: An IT admin is using Microsoft Intune to deploy a policy and is accessing a Microsoft endpoint (e.g., https://admin.microsoft.com) to configure settings.
  Filter/Exclusion: Exclude URLs that match Microsoft admin portal endpoints (e.g., admin.microsoft.com).
- Scenario: A user is accessing a phishing simulation tool (e.g., KnowBe4) that uses a Microsoft-hosted URL to simulate a phishing attack.
  Filter/Exclusion: Exclude URLs that match known phishing simulation domains (e.g., knowbe4.com, phishsim.com).
- Scenario: A backup job is running and accessing a Microsoft OneDrive URL (e.g., https://onedrive.live.com) to sync files.
  Filter/Exclusion: Exclude URLs that match OneDrive or Microsoft cloud storage endpoints (e.g., onedrive.live.com, microsoft.com).
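The KQL hunts above match only on the bare IP, which also catches unrelated traffic to that host on other ports. The following added Python example (not part of the original detection page or of URLhaus) shows the matching logic a SOC analyst might run offline over exported proxy logs: it refangs the four published IOC URLs, indexes them by host and port, and distinguishes an exact URL hit from a same-listener hit with a new path. The proxy log lines are constructed for this demo, and the `refang`, `parse_ioc` and `match_log` helper names are this example's own.

```python
"""Refang URLhaus-style IOC URLs and match them against proxy log lines.

Added example, not part of the original detection page. The IOC URLs are the
four listed on the page; the proxy log lines below are constructed for the demo.
"""
import re
from urllib.parse import urlsplit

# IOC URLs as published (defanged "hxxp" scheme), copied from the page's table.
DEFANGED_IOCS = [
    "hxxp://195.177.94.68:34541/t/kal64",
    "hxxp://195.177.94.68:34541/s/kal64",
    "hxxp://195.177.94.68:34541/t/kswpad",
    "hxxp://195.177.94.68:34541/t/kal32",
]


def refang(url: str) -> str:
    """Reverse common defanging: hxxp -> http, [.] -> ., [:] -> :."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def parse_ioc(url: str) -> tuple:
    """Return (host, port, path) for a defanged or plain URL; default port by scheme."""
    parts = urlsplit(refang(url))
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.hostname or "", port, parts.path or "/")


# Index the IOCs by (host, port) so a hit requires both, not just the IP.
IOC_INDEX = {}
for _u in DEFANGED_IOCS:
    _host, _port, _path = parse_ioc(_u)
    IOC_INDEX.setdefault((_host, _port), set()).add(_path)

# Constructed proxy log lines (not from the page):
# "<timestamp> <client_ip> <dest_host> <dest_port> <path> <action>"
SAMPLE_LOG = """\
2026-05-06T10:01:02Z 10.0.0.5 195.177.94.68 34541 /t/kal64 allowed
2026-05-06T10:01:09Z 10.0.0.5 195.177.94.68 34541 /t/kswpad blocked
2026-05-06T10:02:00Z 10.0.0.7 www.microsoft.com 443 /security/ allowed
2026-05-06T10:03:00Z 10.0.0.9 195.177.94.68 80 / allowed
2026-05-06T10:04:00Z 10.0.0.9 195.177.94.68 34541 /x/unknown allowed
"""


def match_log(log_text: str) -> list:
    """Return (timestamp, client_ip, match_kind) for each line that hits an IOC.

    match_kind is "exact" when host, port and path all match a published URL,
    and "host_port" when only host and port match (same listener, new path).
    Lines to other hosts, or to the IOC host on a different port, are ignored.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, port, path, _action = line.split()
        key = (host, int(port))
        if key not in IOC_INDEX:
            continue
        kind = "exact" if path in IOC_INDEX[key] else "host_port"
        hits.append((ts, client, kind))
    return hits


if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG):
        print(*hit)
```

Keying on host and port rather than on the IP alone is the design choice worth carrying back into the KQL: a `DestinationPort == 34541` clause alongside the IP match narrows the CommonSecurityLog hunt to the listener actually named in the IOCs, while the "host_port" class above still surfaces new payload paths served from the same listener.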