The ThreatFox: Evilginx IOCs rule detects potential adversary activity involving malicious infrastructure associated with the Evilginx campaign, which is used to intercept credentials through fake login pages. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate credential theft attempts early in the attack lifecycle.
IOC Summary
Malware Family: Evilginx
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 23[.]27[.]168[.]162:2850 | botnet_cc | 2026-05-26 | 75% |
| ip:port | 153[.]75[.]232[.]207:4000 | botnet_cc | 2026-05-26 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Evilginx (IOCs refanged from the table above)
// Note: the match is on IP only; the IOC table also lists ports 2850 and 4000,
// so compare DestinationPort against them when triaging hits.
let malicious_ips = dynamic(["153.75.232.207", "23.27.168.162"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["153.75.232.207", "23.27.168.162"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
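The queries above match on IP only, while the ThreatFox IOCs carry a port. As an added example (not part of the original rule or of ThreatFox), this Python script refangs the two ip:port IOCs from the table, checks them against constructed CommonSecurityLog-style records, and grades each hit as ip+port (exact C2 endpoint) or ip-only (same host, other port) so an analyst can prioritise triage.

```python
import re
from typing import Dict, List, Tuple

# The two defanged ThreatFox IOCs from the table above (Evilginx, botnet_cc).
THREATFOX_IOCS = ["23[.]27[.]168[.]162:2850", "153[.]75[.]232[.]207:4000"]

def refang(ioc: str) -> Tuple[str, int]:
    """Convert a defanged 'a[.]b[.]c[.]d:port' IOC into (ip, port)."""
    ip, port = ioc.replace("[.]", ".").rsplit(":", 1)
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ip, int(port)

def build_watchlist(iocs: List[str]) -> Dict[str, int]:
    """Map each C2 IP to the port ThreatFox observed it on."""
    return dict(refang(i) for i in iocs)

def classify(record: dict, watchlist: Dict[str, int]) -> Tuple[str, str]:
    """Grade one record as ('ip+port' | 'ip-only' | 'none', matched_ip); destination first, then source."""
    for ip_field, port_field in (("DestinationIP", "DestinationPort"),
                                 ("SourceIP", "SourcePort")):
        ip = record.get(ip_field)
        if ip in watchlist:
            exact = record.get(port_field) == watchlist[ip]
            return ("ip+port" if exact else "ip-only"), ip
    return "none", ""

def hunt(records: List[dict], iocs: List[str] = THREATFOX_IOCS):
    """Return (TimeGenerated, matched_ip, verdict) for every record touching an IOC IP."""
    watchlist = build_watchlist(iocs)
    hits = []
    for rec in records:
        verdict, ip = classify(rec, watchlist)
        if verdict != "none":
            hits.append((rec["TimeGenerated"], ip, verdict))
    return hits

# Constructed CommonSecurityLog-style records for demonstration (not real telemetry).
SAMPLE_LOG = [
    {"TimeGenerated": "2026-05-26T10:01:00Z", "SourceIP": "10.0.0.5", "SourcePort": 51234,
     "DestinationIP": "23.27.168.162", "DestinationPort": 2850},   # exact C2 ip:port
    {"TimeGenerated": "2026-05-26T10:02:00Z", "SourceIP": "10.0.0.5", "SourcePort": 51240,
     "DestinationIP": "153.75.232.207", "DestinationPort": 443},   # IOC IP, other port
    {"TimeGenerated": "2026-05-26T10:03:00Z", "SourceIP": "10.0.0.6", "SourcePort": 51300,
     "DestinationIP": "8.8.8.8", "DestinationPort": 53},           # benign
    {"TimeGenerated": "2026-05-26T10:04:00Z", "SourceIP": "153.75.232.207", "SourcePort": 4000,
     "DestinationIP": "10.0.0.7", "DestinationPort": 51000},       # inbound from C2
]
```

Calling `hunt(SAMPLE_LOG)` returns three hits (the benign DNS record is dropped); the ip-only hit on 153.75.232.207:443 is the one most likely to need a second look for shared hosting before escalation.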
Scenario: Legitimate Scheduled Job Using curl to Fetch Internal Reports
Description: A scheduled job runs curl to fetch internal compliance reports from a secure internal server.
Filter/Exclusion: Exclude traffic to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or specific internal URLs (e.g., https://internal-reports.example.com).
Scenario: Admin Task Using wget to Download a Known Safe Update File
Description: An admin uses wget to download a known safe update file from a trusted internal repository.
Filter/Exclusion: Exclude traffic to internal repositories (e.g., http://repo.example.com/update-*.tar.gz) or files with known hashes (e.g., md5sum: 1234567890abcdef1234567890abcdef).
Scenario: Log Collection Agent Using scp to Transfer Logs to a Central Server
Description: A log collection agent uses scp to transfer logs to a central logging server.
Filter/Exclusion: Exclude traffic to the central logging server (e.g., scp -r /var/log/ user@logserver:/var/log/) or specific log directories (e.g., /var/log/).
Scenario: DevOps Pipeline Using git to Pull from a Secure Internal Git Server
Description: A CI/CD pipeline pulls code from a secure internal Git server using git pull.
Filter/Exclusion: Exclude traffic to internal Git servers (e.g., [email protected]:repo.git) or specific branches (e.g., `