The ThreatFox: magecart IOCs rule detects potential Magecart-related malicious activity by identifying known compromised third-party scripts and domains associated with credential theft and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate supply chain attacks that could compromise user data and application integrity.
IOC Summary
Malware Family: magecart
Total IOCs: 41
IOC Types: domain
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - magecart
let malicious_domains = dynamic(["stylehailens.com", "styleouresen.com", "stylehersi.com", "styleember.com", "stylestyk.com", "styleoutspin.com", "stylegamingg.com", "stylehelloman.com", "stylegamagee.com", "styletropik.com", "styletimeset.com", "stylerunningg.com", "stylerightnoww.com", "styleteleport.com", "stylekanions.com", "styleleftt.com", "styleconnectorr.com", "stylehipp.com", "stylecaving.com", "styleshort.com", "styleranked.com", "stylejunglee.com", "styleussles.com", "stylehotrod.com", "stylewify.com", "styledupstep.com", "styleanimal.com", "streetfleshroyalgaming.top", "styleferry.com", "stylebonus.com", "stylerazorr.com", "styletumor.com", "stylecholera.com", "styletray.com", "stylepenalty.com", "stylekay.com", "styleboosted.com", "styledespair.com", "smartpeoplework.info", "blueoceanbreeze.org", "sunnydaycoffees.net"]);
DnsEvents
// has_any matches whole terms, so subdomains of a listed domain also match
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
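The same hunt expressed outside Sentinel, as an added example that is not ThreatFox's or the page's own code: it matches queried names against a subset of the page's IOC domains at label boundaries (so a subdomain of an IOC matches but a lookalike containing the IOC as a substring does not) and runs over constructed DnsEvents-shaped records; the host names, timestamps and addresses are made up.

```python
# Added example: local equivalent of the page's KQL hunt over DnsEvents-like records.
MAGECART_DOMAINS = {  # subset of the 41 IOC domains listed in the page's query
    "stylehailens.com", "stylehipp.com", "streetfleshroyalgaming.top",
    "smartpeoplework.info", "blueoceanbreeze.org", "sunnydaycoffees.net",
}

def normalize(name: str) -> str:
    """Lower-case a queried name and drop the trailing dot some resolvers log."""
    return name.strip().lower().rstrip(".")

def matched_ioc(query_name: str, iocs=MAGECART_DOMAINS):
    """Return the IOC that query_name equals or is a subdomain of, else None.

    Matching is done at label boundaries: 'cdn.stylehipp.com' matches
    'stylehipp.com', while 'notstylehipp.com' does not. A plain substring
    test would flag the latter; the KQL has_any is term-based and does not.
    """
    q = normalize(query_name)
    for ioc in iocs:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None

def hunt(events):
    """Filter DnsEvents-like dicts; return (TimeGenerated, Computer, Name, ioc), newest first."""
    hits = [(e["TimeGenerated"], e["Computer"], e["Name"], matched_ioc(e["Name"]))
            for e in events]
    hits = [h for h in hits if h[3] is not None]
    return sorted(hits, key=lambda h: h[0], reverse=True)

# Constructed sample records (hypothetical hosts and addresses, not real telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-05-28T10:00:01Z", "Computer": "web01",
     "Name": "cdn.stylehipp.com.", "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-05-28T10:00:05Z", "Computer": "web02",
     "Name": "notstylehipp.com", "IPAddresses": "203.0.113.11", "QueryType": "A"},
    {"TimeGenerated": "2026-05-28T10:01:00Z", "Computer": "web01",
     "Name": "SmartPeopleWork.info", "IPAddresses": "203.0.113.12", "QueryType": "A"},
    {"TimeGenerated": "2026-05-28T10:02:00Z", "Computer": "db01",
     "Name": "example.com", "IPAddresses": "203.0.113.13", "QueryType": "A"},
]

if __name__ == "__main__":
    for when, host, name, ioc in hunt(SAMPLE_EVENTS):
        print(when, host, name, "->", ioc)
```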
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
- Scenario: Legitimate scheduled job for updating threat intelligence feeds
  Filter/Exclusion: Exclude any activity related to threatfox or threat-intel in the process.name field, or filter by process.args containing update or sync.
- Scenario: System administrator using the threatfox tool for manual IOC lookup
  Filter/Exclusion: Exclude processes where process.name is threatfox or python with --help or --version arguments, or where process.args includes lookup or search.
- Scenario: Automated security tool performing routine IOC validation
  Filter/Exclusion: Exclude processes associated with known security tools like OSSEC, CrowdStrike, or SentinelOne that are performing IOC validation, using process.name or process.args to identify these tools.
- Scenario: CI/CD pipeline executing a script that queries threat intelligence databases
  Filter/Exclusion: Exclude processes running in a CI/CD environment (e.g., Jenkins, GitHub Actions, GitLab CI) or where process.args includes ci, pipeline, or build.
- Scenario: Regular system maintenance task involving IOC checks for compliance
  Filter/Exclusion: Exclude tasks with process.name like task scheduler or cron, and filter by process.args containing compliance, audit, or check.