The hypothesis is that the URLs listed below are served from the IP 94-183-232-247, which URLhaus lists for malicious activity (malware_download), so any host resolving or requesting them may be staging a command-and-control or data-exfiltration channel. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial activity before it leads to data breaches or system compromise.
IOC Summary

Threat: 94-183-232-247
Total URLs: 2
Active URLs: 2

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://94.183.232.247/mpsl | online | malware_download | 2026-06-22 |
| hxxp://94.183.232.247/spc | online | malware_download | 2026-06-22 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 94-183-232-247
let malicious_domains = dynamic(["94.183.232.247"]);
DnsEvents
// The indicator is a bare IP, so match it in the resolved answers as well as the queried name;
// a query name will rarely contain the raw address
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: 94-183-232-247
let malicious_domains = dynamic(["94.183.232.247"]);
CommonSecurityLog
// Match the indicator in either the requested URL or the destination host
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
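Before running the hunt it is worth confirming that both tables are actually ingesting, otherwise an empty result looks like a clean bill of health. The query below is an added example and not part of the original hunt; `union isfuzzy=true` lets it run even if one of the tables has not been created in the workspace yet, in which case that table simply has no row in the output.

```kql
// Added example (not from the original hunt): verify that the two source tables
// are present and recently populated before trusting a zero-hit hunt result.
union isfuzzy=true
    (DnsEvents
     | summarize Events = count(), LastEvent = max(TimeGenerated)
     | extend Table = "DnsEvents"),
    (CommonSecurityLog
     | summarize Events = count(), LastEvent = max(TimeGenerated)
     | extend Table = "CommonSecurityLog")
// Hours since the most recent record; a large gap means the connector is stalled
| extend IngestionGapHours = datetime_diff("hour", now(), LastEvent)
| project Table, Events, LastEvent, IngestionGapHours
```

A table that is missing from the output does not exist in the workspace; a table with a large IngestionGapHours exists but its connector has stopped delivering data.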
| Scenario | Filter/Exclusion |
|---|---|
| A system administrator is using PowerShell to download a legitimate software update from a trusted source that happens to resolve to the IP 94-183-232-247. | Exclude traffic originating from administrative accounts or involving PowerShell scripts with known update URLs. |
| A scheduled backup job using rsync or Veeam is configured to transfer data over a network that routes through the IP 94-183-232-247. | Exclude traffic associated with backup processes or specific IP ranges used by internal backup infrastructure. |
| A remote management tool such as TeamViewer or AnyDesk is connecting through a proxy server that routes through the IP 94-183-232-247. | Exclude traffic from known remote access tools or connections initiated from trusted IP ranges. |
| A CI/CD pipeline (e.g., Jenkins, GitHub Actions) is pulling code from a repository that temporarily uses a CDN or proxy server resolving to 94-183-232-247. | Exclude traffic from CI/CD systems or known infrastructure-as-code tools. |
| An endpoint protection tool (e.g., CrowdStrike, SentinelOne) is performing a network scan or signature update that routes through the IP 94-183-232-247. | Exclude traffic from known endpoint security tools or system update processes. |
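The exclusions above can be applied directly in the CommonSecurityLog hunt as allow-lists, so that the remaining hits are the ones worth triaging. The query below is an added example and not part of the original hunt; every value in `trusted_ranges`, `trusted_agents` and `allowed_update_urls` is a placeholder to be replaced from your own asset inventory, and the `RequestClientApplication` (user agent) column is assumed to be populated by your proxy or firewall connector.

```kql
// Added example (not from the original hunt): CommonSecurityLog hunt with the
// false-positive scenarios expressed as explicit allow-lists.
// All allow-list values are placeholders; populate them from your own inventory.
let malicious_domains = dynamic(["94.183.232.247"]);
// Placeholder CIDR ranges for backup, CI/CD and endpoint-security infrastructure
let trusted_ranges = dynamic(["10.10.0.0/16", "10.20.0.0/16"]);
// Placeholder user-agent fragments for approved remote-management and update tooling
let trusted_agents = dynamic(["TeamViewer", "AnyDesk", "Windows-Update-Agent"]);
// Placeholder URL paths of known-good software updates
let allowed_update_urls = dynamic(["/updates/agent.msi"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
// Backup, CI/CD and EDR scenarios: drop traffic from trusted source ranges.
// Keep rows with an empty SourceIP rather than letting a null comparison silently drop them.
| where isempty(SourceIP) or not(ipv4_is_in_any_range(SourceIP, trusted_ranges))
// Remote-management scenario: drop sessions from approved tools by user agent
| where not(RequestClientApplication has_any (trusted_agents))
// Software-update scenario: drop requests for known update URLs
| where not(RequestURL has_any (allowed_update_urls))
// One row per source for triage, keeping up to 10 distinct URLs and 5 device actions
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Urls = make_set(RequestURL, 10),
            Actions = make_set(DeviceAction, 5)
    by SourceIP
| order by Hits desc
```

Keeping the allow-lists as `let` variables at the top makes them easy to review; each exclusion narrows by a specific attribute (source range, user agent, URL path) rather than by account alone, so a trusted account contacting the indicator from an unexpected host still surfaces.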