The detection identifies potential adversary activity involving malicious URLs associated with the ocx tag, which is linked to malware distribution. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts by threat actors leveraging these URLs to deliver malicious payloads.
IOC Summary

Threat: ocx. Total URLs: 3. Active URLs: 3.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://65.20.102.161:8080/cloud/mscomctl.ocx | online | malware_download | 2026-05-21 |
| hxxp://65.20.102.161:8080/cloud/mscom.ocx | online | malware_download | 2026-05-21 |
| hxxp://65.20.102.161:8080/cloud/712419111124.ocx | online | malware_download | 2026-05-21 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ocx
// The indicator is a bare IP address, so a DNS query name will rarely match it directly;
// the resolved addresses are checked too, so lookups that answered with this IP still surface.
let malicious_domains = dynamic(["65.20.102.161"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: ocx
// Proxy and firewall logs carry the server address in DestinationIP; RequestURL and
// DestinationHostName are checked as well for devices that log the literal IP-based URL.
let malicious_domains = dynamic(["65.20.102.161"]);
CommonSecurityLog
| where DestinationIP has_any (malicious_domains)
    or RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
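Added example (not URLhaus, Microsoft, or the original author's code): a small Python helper that parses the defanged IOC table above and emits a CommonSecurityLog hunt keyed on the IP, its listening port and each URL path, rather than the bare address alone. The column names are standard CommonSecurityLog fields; the refanging rules and the inline copy of the IOC rows are constructed here.

```python
"""Parse the defanged URLhaus IOC rows above into a Sentinel hunt (added example)."""
import re
from urllib.parse import urlsplit

# Constructed copy of the IOC rows on this page; URLs are defanged (hxxp) as published.
IOC_TABLE = """\
| hxxp://65.20.102.161:8080/cloud/mscomctl.ocx | online | malware_download | 2026-05-21 |
| hxxp://65.20.102.161:8080/cloud/mscom.ocx | online | malware_download | 2026-05-21 |
| hxxp://65.20.102.161:8080/cloud/712419111124.ocx | online | malware_download | 2026-05-21 |
"""

def refang(url: str) -> str:
    """Undo common defanging so the URL parses: hxxp -> http, [.] -> ., [:] -> :."""
    return re.sub(r"^hxxp", "http", url, flags=re.I).replace("[.]", ".").replace("[:]", ":")

def parse_iocs(table: str) -> list:
    """Split markdown table rows into host / port / path indicators; header rows are skipped."""
    iocs = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or not cells[0].lower().startswith(("hxxp", "http")):
            continue
        u = urlsplit(refang(cells[0]))
        iocs.append({"host": u.hostname, "port": u.port or (443 if u.scheme == "https" else 80),
                     "path": u.path, "status": cells[1], "threat": cells[2]})
    return iocs

def kql_list(values) -> str:
    """Render a KQL dynamic([...]) literal with each value quoted and de-duplicated."""
    return "dynamic([" + ", ".join('"%s"' % v.replace('"', '\\"') for v in sorted(set(values))) + "])"

def build_hunt(iocs: list) -> str:
    """Emit a CommonSecurityLog hunt keyed on the host, its port and each URL path, so the same
    server serving a renamed file, or the same path on a new host, is still surfaced."""
    hosts = kql_list(i["host"] for i in iocs)
    paths = kql_list(i["path"] for i in iocs)
    ports = ", ".join(str(p) for p in sorted({i["port"] for i in iocs}))
    return "\n".join([
        "let ioc_hosts = %s;" % hosts,
        "let ioc_paths = %s;" % paths,
        "CommonSecurityLog",
        "| where DestinationIP has_any (ioc_hosts) or DestinationHostName has_any (ioc_hosts)",
        "    or RequestURL has_any (ioc_hosts) or RequestURL has_any (ioc_paths)",
        "| extend SuspiciousPort = DestinationPort in (%s)" % ports,
        "| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DeviceAction, SuspiciousPort",
        "| order by TimeGenerated desc",
    ])

if __name__ == "__main__":
    print(build_hunt(parse_iocs(IOC_TABLE)))
```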
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a security tool by uploading a known benign .ocx file to a sandboxing platform like Cuckoo Sandbox for analysis.
  Filter/Exclusion: Exclude URLs that are associated with Cuckoo Sandbox or any internal sandboxing infrastructure.
- Scenario: A scheduled job runs Microsoft Baseline Security Analyzer (MBSA) to scan for outdated software and generates a report that includes a legitimate .ocx file used by a supported application.
  Filter/Exclusion: Exclude URLs that match the internal IP range or domain of the MBSA server or any internal scanning infrastructure.
- Scenario: An IT helpdesk technician is using Microsoft System Center Configuration Manager (SCCM) to deploy a patch that includes a .ocx file as part of a software update.
  Filter/Exclusion: Exclude URLs that are part of the SCCM distribution point or any internal patch management system.
- Scenario: A developer is using Visual Studio to debug a legacy application that references a local .ocx file, and the file is accessed via a local UNC path.
  Filter/Exclusion: Exclude URLs that start with file:// or are internal network paths used by Visual Studio or development tools.
- Scenario: A user is accessing a Microsoft Office add-in (.ocx) hosted on an internal SharePoint site for collaboration purposes.
  Filter/Exclusion: Exclude URLs that are within the internal SharePoint domain or any internal collaboration platform used by the organization.