Adversaries may use the URLhaus-listed URLs below (threat tag "unknown"; every entry serves a `tracker.js` file tagged malware_download) to deliver payloads or exfiltrate data from compromised or unmonitored endpoints. SOC teams should proactively hunt for DNS resolutions of, and web traffic to, these domains in Azure Sentinel so that command-and-control or data exfiltration activity is identified and mitigated early.
IOC Summary
Threat: unknown
Total URLs: 12
Active URLs: 12
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://ostekStatmen.net/tracker.js | online | malware_download | 2026-05-17 |
| hxxps://infoworkerOne.org/tracker.js | online | malware_download | 2026-05-17 |
| hxxps://mstopsai.com/tracker.js | online | malware_download | 2026-05-17 |
| hxxps://monstersStat.com/tracker.js | online | malware_download | 2026-05-17 |
| hxxps://masterklass.net/tracker.js | online | malware_download | 2026-05-17 |
| hxxps://globalSstat.com/tracker.js | online | malware_download | 2026-05-17 |
| hxxps://merkureEnv.net/tracker.js | online | malware_download | 2026-05-17 |
| hxxps://globalSstat.org/tracker.js | online | malware_download | 2026-05-17 |
| hxxps://jobworkNY.com/tracker.js | online | malware_download | 2026-05-17 |
| hxxps://maxStatesUS.ORG/tracker.js | online | malware_download | 2026-05-17 |
| hxxps://infoworkerOne.com/tracker.js | online | malware_download | 2026-05-17 |
| hxxps://sorrystartstat1.net/tracker.js | online | malware_download | 2026-05-17 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: unknown
let malicious_domains = dynamic(["infoworkerOne.org", "jobworkNY.com", "globalSstat.org", "monstersStat.com", "mstopsai.com", "merkureEnv.net", "sorrystartstat1.net", "globalSstat.com", "infoworkerOne.com", "maxStatesUS.ORG", "ostekStatmen.net", "masterklass.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: unknown
let malicious_domains = dynamic(["infoworkerOne.org", "jobworkNY.com", "globalSstat.org", "monstersStat.com", "mstopsai.com", "merkureEnv.net", "sorrystartstat1.net", "globalSstat.com", "infoworkerOne.com", "maxStatesUS.ORG", "ostekStatmen.net", "masterklass.net"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a new URL shortener tool by visiting several short URLs to verify functionality.
  Filter/Exclusion: Exclude URLs that match the domain of the internal URL shortener (e.g., short.url.company.com).
- Scenario: A scheduled job runs a script that fetches and processes public vulnerability databases (e.g., CVE details) from external sources, including URLs tagged as malicious by URLhaus.
  Filter/Exclusion: Exclude URLs that match known public security database domains (e.g., nvd.nist.gov, cve.mitre.org).
- Scenario: A user is accessing a legitimate phishing awareness training page that mimics a malicious URL structure to educate employees.
  Filter/Exclusion: Exclude URLs that contain the training domain (e.g., training.security.company.com or phishing-training.example.com).
- Scenario: A DevOps pipeline is deploying a new application and temporarily uses a staging URL that is flagged as malicious during a security scan.
  Filter/Exclusion: Exclude URLs that include the staging environment domain (e.g., staging.app.company.com or dev.example.com).
- Scenario: A security tool (e.g., CrowdStrike Falcon) is performing a network scan and reports URLs as malicious due to their structure, even though they are part of a legitimate internal monitoring system.
  Filter/Exclusion: Exclude URLs that match the internal monitoring system domain (e.g., monitoring.internal.company.net).
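The following query is an added example, not part of the original hunt, showing how the exclusions from the scenarios above can be applied to both hunts at once. It unions the DnsEvents and CommonSecurityLog results, normalises the matched host, drops hosts on a reviewed allow-list, and summarises by source host so one noisy machine produces one row instead of hundreds. The entries in `allowed_domains` and `allowed_source_ips` are placeholders built from the scenario text (company.com, example.com, 10.0.0.50) and must be replaced with the organisation's own values; the `Host`, `Indicator` and `Client` columns are names chosen here, not Sentinel schema columns.

```kusto
// Added example: URLhaus domain hunt with false-positive exclusions applied (not the original query)
// Threat: unknown
let malicious_domains = dynamic(["infoworkerOne.org", "jobworkNY.com", "globalSstat.org", "monstersStat.com", "mstopsai.com", "merkureEnv.net", "sorrystartstat1.net", "globalSstat.com", "infoworkerOne.com", "maxStatesUS.ORG", "ostekStatmen.net", "masterklass.net"]);
// Placeholder allow-list assembled from the false-positive scenarios; replace with reviewed internal values
let allowed_domains = dynamic(["short.url.company.com", "nvd.nist.gov", "cve.mitre.org", "training.security.company.com", "phishing-training.example.com", "staging.app.company.com", "dev.example.com", "monitoring.internal.company.net"]);
// Placeholder address of the host running the scheduled vulnerability-feed job (constructed value)
let allowed_source_ips = dynamic(["10.0.0.50"]);
let dns_hits = DnsEvents
    | where Name has_any (malicious_domains)
    // Exact, case-insensitive match against the allow-list; has_any is deliberately not used here
    // so that a lookalike domain containing an allowed name is still reported
    | where Name !in~ (allowed_domains)
    | extend Source = "DnsEvents", Host = tolower(Name), Indicator = Name, Client = tostring(ClientIP)
    | project TimeGenerated, Source, Computer, Client, Host, Indicator;
let web_hits = CommonSecurityLog
    | where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
    // Normalise to the host part of the URL so grouping does not split on path or query string
    | extend Host = tolower(coalesce(tostring(parse_url(RequestURL).Host), DestinationHostName))
    | where Host !in~ (allowed_domains) and SourceIP !in (allowed_source_ips)
    | extend Source = "CommonSecurityLog", Indicator = RequestURL, Client = SourceIP
    | project TimeGenerated, Source, Computer, Client, Host, Indicator, DeviceAction;
union dns_hits, web_hits
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(), Indicators = make_set(Indicator, 10) by Source, Computer, Client, Host
| order by LastSeen desc
```

Two points to keep in mind when tuning this: `has_any` on `RequestURL` also matches a listed domain that appears inside the query string of an otherwise benign URL (for example a URL submitted to a scanning service), which is exactly the vulnerability-feed scenario above, so the `Host` column should be checked before an alert is raised; and the allow-list uses exact host matching, so a subdomain of an allowed domain (e.g. a new staging host) will still surface until it is added explicitly, which is the safer default for an exclusion list.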