Adversaries may be using fbi.gov domain URLs to host malicious payloads and execute phishing campaigns. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise of high-profile targets.
IOC Summary

Threat: fbi.gov
Total URLs: 11
Active URLs: 10
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://45.141.26.218/main_sh4 | online | malware_download | 2026-05-28 |
| hxxp://45.141.26.218/main_mips | offline | malware_download | 2026-05-28 |
| hxxp://45.141.26.218/main_m68k | online | malware_download | 2026-05-28 |
| hxxp://45.141.26.218/main_arm6 | online | malware_download | 2026-05-28 |
| hxxp://45.141.26.218/main_ppc | online | malware_download | 2026-05-28 |
| hxxp://45.141.26.218/main_arm | online | malware_download | 2026-05-28 |
| hxxp://45.141.26.218/main_arm7 | online | malware_download | 2026-05-28 |
| hxxp://45.141.26.218/main_arm5 | online | malware_download | 2026-05-28 |
| hxxp://45.141.26.218/main_x86 | online | malware_download | 2026-05-28 |
| hxxp://45.141.26.218/main_mpsl | online | malware_download | 2026-05-28 |
| hxxp://45.141.26.218/main_x86_64 | online | malware_download | 2026-05-28 |
Hunting Queries

The indicator shared by every URL in the table is the host 45.141.26.218, so both queries key on that value. Because it is an IP address rather than a hostname, the DNS query also checks the resolved-address column and the web-traffic query also checks the destination IP; matching on the name columns alone would miss direct-to-IP downloads.

```kql
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: fbi.gov
// The IOC table lists a bare IP, so match it in both the queried name and the answer
let malicious_domains = dynamic(["45.141.26.218"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious hosts
// Threat: fbi.gov
// Match the IP in the requested URL, the destination hostname and the destination IP
let malicious_domains = dynamic(["45.141.26.218"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

Scenario: A legitimate system update or patching process that includes a URLhaus-listed fbi.gov endpoint as part of a trusted software repository.
Filter/Exclusion: Exclude URLs matching fbi.gov/update or fbi.gov/patch using a regex pattern like fbi\.gov\/(update|patch) in the detection logic.

Scenario: A scheduled job for automated compliance reporting that accesses an fbi.gov URL to retrieve regulatory information.
Filter/Exclusion: Exclude URLs containing /compliance or /reporting using a regex pattern like fbi\.gov\/(compliance|reporting).

Scenario: A security tool such as CrowdStrike Falcon or Microsoft Defender ATP is configured to query fbi.gov for threat intelligence updates.
Filter/Exclusion: Exclude URLs that match the known threat intel endpoints, such as fbi.gov/threatintel or fbi.gov/feeds.

Scenario: An admin task using PowerShell or Python scripts to fetch public documentation from fbi.gov for internal training purposes.
Filter/Exclusion: Exclude URLs containing /training or /docs using a regex pattern like fbi\.gov\/(training|docs).

Scenario: A Windows Update or WSUS server that occasionally accesses fbi.gov as part of a third-party tool integration for policy enforcement.
Filter/Exclusion: Exclude URLs that match fbi.gov/windowsupdate or fbi.gov/wsus using a regex pattern like fbi\.gov\/(windowsupdate|wsus).
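The two hunting queries above and the exclusion patterns from the false-positive scenarios can be combined into a single query that returns one normalized row per hit from either table. The query below is an added example, not part of the original page or of any Sentinel content pack; it assumes the standard DnsEvents and CommonSecurityLog column names used on this page, and the exclusion regex is simply the union of the five patterns listed in the scenarios (which, by construction, only ever suppresses URLs whose host is fbi.gov). The Source, Indicator and ListedPath column names are chosen here for readability and are not part of either table.

```kql
// Added example: combined hunt over DNS and web proxy/firewall logs for the IOC host,
// with the page's false-positive exclusions applied to the web-traffic side.
let malicious_hosts = dynamic(["45.141.26.218"]);
// Resolved-IP and queried-name matches from DnsEvents
let dns_hits = DnsEvents
    | where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
    | project TimeGenerated,
              Host = Computer,
              Source = "DnsEvents",
              Indicator = strcat(Name, " -> ", IPAddresses),
              Action = "";
// URL, destination-hostname and destination-IP matches from CommonSecurityLog,
// minus the exclusion paths listed in the false-positive scenarios
let web_hits = CommonSecurityLog
    | where RequestURL has_any (malicious_hosts)
        or DestinationHostName has_any (malicious_hosts)
        or DestinationIP has_any (malicious_hosts)
    | where not(RequestURL matches regex @"fbi\.gov/(update|patch|compliance|reporting|threatintel|feeds|training|docs|windowsupdate|wsus)")
    | project TimeGenerated,
              Host = SourceIP,
              Source = "CommonSecurityLog",
              Indicator = RequestURL,
              Action = DeviceAction;
union dns_hits, web_hits
// Pull out which of the listed payload paths (main_<arch>) was requested, if any
| extend ListedPath = iff(Source == "CommonSecurityLog", extract(@"(/main_[a-z0-9_]+)", 1, Indicator), "")
| order by TimeGenerated desc
```

The extracted ListedPath column is useful for triage: the payload names in the IOC table differ only by target architecture, so a host that fetches several of them in quick succession is a stronger signal than a single request, and a DnsEvents hit with no matching CommonSecurityLog row usually means the proxy or firewall connector is not covering that segment.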