Hypothesis: adversaries are using ASCII-encoded malicious URLs to bypass standard URL filtering and deliver payloads. Using URLhaus intelligence as the indicator source, SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential command-and-control or data exfiltration activity early.
IOC Summary

Threat: ascii
Total URLs: 2
Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://cloudaryx.cloud/online/file/Request-for-Quotation.js | online | malware_download | 2026-06-03 |
| hxxps://pub-8dfc53689d2141dd8655689c85a38c6c.r2.dev/Tekstlinie203.jpb | online | malware_download | 2026-06-03 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ascii
let malicious_domains = dynamic(["cloudaryx.cloud", "pub-8dfc53689d2141dd8655689c85a38c6c.r2.dev"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: ascii
let malicious_domains = dynamic(["cloudaryx.cloud", "pub-8dfc53689d2141dd8655689c85a38c6c.r2.dev"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a URL shortener service (e.g., Bitly) to verify link functionality.
  Filter/Exclusion: Exclude URLs containing known shortening domains (e.g., bit.ly, tinyurl.com, ow.ly) or filter by user-agent indicating administrative tasks.
- Scenario: A scheduled job runs a script that downloads a legitimate software update from a trusted source (e.g., Microsoft Update) using a URL that matches the pattern.
  Filter/Exclusion: Exclude URLs that match known update servers (e.g., windowsupdate.microsoft.com) or use a whitelist of approved update domains.
- Scenario: An IT team is performing a security audit and manually tests a phishing URL (e.g., using a sandboxed environment) to assess threat intelligence.
  Filter/Exclusion: Exclude URLs that contain the word "test" or "phishing" in the domain or path, or filter by source IP from internal security testing ranges.
- Scenario: A developer is using a CI/CD pipeline (e.g., Jenkins) to fetch dependencies from a public repository (e.g., GitHub) using a URL that matches the rule.
  Filter/Exclusion: Exclude URLs that include github.com or gitlab.com, or filter by HTTP method (e.g., GET for legitimate asset retrieval).
- Scenario: A user is accessing a legitimate enterprise portal (e.g., Okta) that uses a URL with ASCII characters in the query string for session management.
  Filter/Exclusion: Exclude URLs that originate from internal IP ranges or use known enterprise authentication domains (e.g., okta.com, auth0.com).
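As an added example (not part of the original hunt page), the Python below mirrors the two Sentinel queries and the exclusion scenarios above offline: it normalises each request URL (refangs hxxp, percent-decodes, drops the port) before matching it against the URLhaus domains, so an encoded form of the host is still caught, and then discards hits on the allowlisted update and authentication domains. The CEF-style log lines and the allowlist contents are constructed from this page's scenarios, not taken from any real feed.

```python
from urllib.parse import unquote, urlsplit

# IOC domains from the URLhaus "ascii" entries listed on this page
MALICIOUS_DOMAINS = {"cloudaryx.cloud", "pub-8dfc53689d2141dd8655689c85a38c6c.r2.dev"}

# Exclusions taken from the false-positive scenarios (update and auth domains)
ALLOWLIST = {"windowsupdate.microsoft.com", "okta.com", "auth0.com",
             "github.com", "gitlab.com"}

def normalise_host(url: str) -> str:
    """Lower-cased host of a URL after refanging hxxp, percent-decoding twice
    (to unwrap double encoding) and dropping any port. Bare hostnames, as in
    DnsEvents.Name, are accepted too."""
    url = url.strip().replace("hxxp", "http", 1)
    for _ in range(2):
        url = unquote(url)
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def domain_matches(host: str, domains: set[str]) -> bool:
    """True if host equals one of the domains or is a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)

def is_suspicious(url: str) -> bool:
    """Mirror the hunt: IOC domain match, minus the allowlisted exclusions."""
    host = normalise_host(url)
    if domain_matches(host, ALLOWLIST):
        return False
    return domain_matches(host, MALICIOUS_DOMAINS)

# Constructed CEF-style proxy lines (requestUrl maps to RequestURL in CommonSecurityLog)
SAMPLE_LOGS = [
    "CEF:0|Vendor|Proxy|1|100|web|3|src=10.0.0.5 requestUrl=https://cloudaryx.cloud/online/file/Request-for-Quotation.js act=allowed",
    "CEF:0|Vendor|Proxy|1|100|web|3|src=10.0.0.7 requestUrl=https://CLOUDARYX%2ECLOUD:443/online/file/x.js act=allowed",
    "CEF:0|Vendor|Proxy|1|100|web|3|src=10.0.0.9 requestUrl=https://windowsupdate.microsoft.com/update.cab act=allowed",
    "CEF:0|Vendor|Proxy|1|100|web|3|src=10.0.0.5 requestUrl=https://pub-8dfc53689d2141dd8655689c85a38c6c.r2.dev/Tekstlinie203.jpb act=blocked",
]

def hunt(lines: list[str]) -> list[str]:
    """Return the request URLs in the lines that hit an IOC domain."""
    hits = []
    for line in lines:
        for field in line.split():
            if field.startswith("requestUrl="):
                url = field[len("requestUrl="):]
                if is_suspicious(url):
                    hits.append(url)
    return hits
```

Note that the KQL `has_any` is a plain term match, so the percent-encoded host in the second sample line would be missed there unless the query decodes `RequestURL` first.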