This detection flags potential MassLogger distribution through two malicious URLs listed on URLhaus, indicating an adversary may be staging this information-stealing malware to harvest and exfiltrate data. Both URLs were already offline when listed (Active URLs: 0 below), so the hunt is retrospective: SOC teams should run it in Azure Sentinel to find hosts that resolved or contacted these indicators before takedown, and treat any hit as an early-stage compromise to contain before significant data loss occurs.
IOC Summary

Threat: MassLogger
Total URLs: 2
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://104.249.10.169/img_095152.png | offline | malware_download | 2026-06-03 |
| hxxps://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/rwFAA | offline | malware_download | 2026-06-03 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: MassLogger
// Only the hostname IOC can appear as a queried name; the IP-literal IOC
// (104.249.10.169) never shows up in DNS queries and is covered by the
// web-traffic hunt below.
let malicious_domains = dynamic(["icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: MassLogger
// Host- or IP-level matches are medium confidence (shared hosting is possible);
// ExactUrlMatch marks requests for the exact malware_download URLs.
let malicious_domains = dynamic(["icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev", "104.249.10.169"]);
let malicious_urls = dynamic(["http://104.249.10.169/img_095152.png", "https://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/rwFAA"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP == "104.249.10.169"
| extend ExactUrlMatch = RequestURL in~ (malicious_urls)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction, ExactUrlMatch
| order by ExactUrlMatch desc, TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (populated by the CEF connector from proxy/firewall devices) |
| DnsEvents | Ensure this data connector is enabled (populated by the DNS Analytics solution) |
False Positive Scenarios

Scenario: Scheduled System Update Job
Description: A legitimate scheduled job runs a system update script whose download traffic is matched by the rule, for example because the host- or IP-level match is broader than the specific URLhaus URL.
Filter/Exclusion: Exclude the exact hostnames of known software update servers (e.g., updates.microsoft.com, download.oracle.com) or filter against the domain allowlist used for patch management. Do not exclude a request for the exact malware_download URL; that is a true positive regardless of which job produced it.
Scenario: Admin Task for Log Collection
Description: An administrator uses a tool like LogParser or PowerShell to collect logs from remote servers, and the log aggregation traffic is matched by the rule.
Filter/Exclusion: Exclude the internal log collection tools or the specific IP ranges used by internal monitoring systems. Scope the range to the monitoring subnet itself; excluding 10.0.0.0/8 wholesale would suppress hits from every 10.x workstation, which is exactly where a MassLogger infection would appear.
Scenario: Automated Backup Tool Execution
Description: A backup tool like Veeam or Commvault temporarily fetches content from a trusted source (e.g., a cloud storage bucket) during a backup run, and that traffic is mistakenly matched against the MassLogger indicators.
Filter/Exclusion: Exclude the known backup storage providers' hostnames, or filter by the internal IP ranges and domains used by the Veeam or Commvault servers.
Scenario: Internal Red Team Exercise
Description: During a red team simulation, a test payload is deployed from a URL that the detection rule matches against the MassLogger indicators.
Filter/Exclusion: Exclude the red team's testing domains or IP ranges for the duration of the exercise only, after confirming the hit with the team's deconfliction record; a match on the actual URLhaus URL outside an agreed window should still be investigated.
Scenario: Third-Party Service Integration
Description: A third-party service like Datadog or Splunk is configured to receive alerts from internal systems, and the integration's callback URL is falsely matched against the MassLogger indicators.
*Filter/
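To show how the two hunts above and the false-positive filters fit together, here is an added, stand-alone walk-through in Python; it is not part of the original page or of Sentinel. It uses the two URLhaus URLs from the IOC table, refangs them, runs DnsEvents-shaped and CommonSecurityLog-shaped rows through the same host/IP and exact-URL logic as the KQL, and then applies an exclusion for a monitoring subnet. Every log row is constructed for the example, the resolved addresses are from the 203.0.113.0/24 documentation range, and the 10.50.0.0/24 monitoring subnet is an assumption standing in for the narrowly scoped range the filter section calls for.

```python
"""Offline walk-through of the MassLogger URLhaus hunt (added example).

The IOC URLs are the two entries from the page's IOC table. All log rows
below are constructed for this example; MONITORING_SOURCES is an assumed
exclusion, not a value the page specifies.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

URLHAUS_IOCS = [
    "hxxp://104.249.10.169/img_095152.png",
    "hxxps://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/rwFAA",
]

# Assumed exclusion: a subnet used only by internal monitoring probes.
# Deliberately narrower than 10.0.0.0/8, which would exclude every 10.x host.
MONITORING_SOURCES = [ipaddress.ip_network("10.50.0.0/24")]


@dataclass(frozen=True)
class Ioc:
    url: str   # refanged full URL
    host: str  # hostname or IP literal, lower-case
    path: str


def refang(url: str) -> str:
    """Turn hxxp(s):// and [.] back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I).replace("[.]", ".")


def load_iocs(defanged):
    iocs = []
    for raw in defanged:
        clean = refang(raw)
        parts = urlsplit(clean)
        iocs.append(Ioc(url=clean, host=parts.hostname.lower(), path=parts.path))
    return iocs


def match_dns(event, iocs):
    """DnsEvents-shaped row: match the queried name (exact or a subdomain).
    An IP-literal IOC can never match here; the proxy check covers it."""
    name = event["Name"].lower().rstrip(".")
    for ioc in iocs:
        if name == ioc.host or name.endswith("." + ioc.host):
            return ("medium", ioc)
    return None


def match_proxy(event, iocs):
    """CommonSecurityLog-shaped row: an exact-URL hit outranks a host/IP-only hit."""
    url = event.get("RequestURL", "")
    parts = urlsplit(url)
    host = (parts.hostname or event.get("DestinationHostName", "")).lower()
    dst_ip = event.get("DestinationIP", "")
    for ioc in iocs:
        if parts.hostname and host == ioc.host and parts.path == ioc.path:
            return ("high", ioc)
    for ioc in iocs:
        if host == ioc.host or dst_ip == ioc.host:
            return ("medium", ioc)
    return None


def excluded(event, confidence):
    """False-positive filter. An exact hit on a malware_download URL is never
    suppressed; only host-level hits from the monitoring subnet are."""
    if confidence == "high":
        return False
    src = event.get("SourceIP")
    return bool(src) and any(ipaddress.ip_address(src) in net for net in MONITORING_SOURCES)


def hunt(dns_events, proxy_events, iocs):
    """Return (table, host_or_source, confidence, ioc_url) for every surviving hit."""
    findings = []
    for ev in dns_events:
        hit = match_dns(ev, iocs)
        if hit and not excluded(ev, hit[0]):
            findings.append(("DnsEvents", ev["Computer"], hit[0], hit[1].url))
    for ev in proxy_events:
        hit = match_proxy(ev, iocs)
        if hit and not excluded(ev, hit[0]):
            findings.append(("CommonSecurityLog", ev["SourceIP"], hit[0], hit[1].url))
    return findings


# Constructed sample rows (not real telemetry).
DNS_EVENTS = [
    {"TimeGenerated": "2026-06-03T09:58:11Z", "Computer": "WS-0142",
     "Name": "icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev", "IPAddresses": "203.0.113.10"},
    {"TimeGenerated": "2026-06-03T09:58:12Z", "Computer": "WS-0142",
     "Name": "updates.microsoft.com", "IPAddresses": "203.0.113.20"},
]
PROXY_EVENTS = [
    # exact malware_download URL from a workstation: high, never excluded
    {"SourceIP": "192.168.10.23", "RequestURL": "http://104.249.10.169/img_095152.png",
     "DestinationHostName": "", "DestinationIP": "104.249.10.169", "DeviceAction": "allow"},
    # monitoring probe to the same IP, different path: host-only hit, excluded
    {"SourceIP": "10.50.0.5", "RequestURL": "http://104.249.10.169/",
     "DestinationHostName": "", "DestinationIP": "104.249.10.169", "DeviceAction": "allow"},
    # same listed hostname, different path, from a workstation: medium
    {"SourceIP": "192.168.10.77",
     "RequestURL": "https://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/other",
     "DestinationHostName": "icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev",
     "DestinationIP": "203.0.113.10", "DeviceAction": "block"},
    # legitimate update traffic: no match at all
    {"SourceIP": "192.168.10.40", "RequestURL": "https://download.oracle.com/java/jre.tar.gz",
     "DestinationHostName": "download.oracle.com", "DestinationIP": "203.0.113.30", "DeviceAction": "allow"},
]

if __name__ == "__main__":
    for finding in hunt(DNS_EVENTS, PROXY_EVENTS, load_iocs(URLHAUS_IOCS)):
        print(finding)
```

Running it yields three findings: the DNS resolution from WS-0142, the exact-URL download from 192.168.10.23 at high confidence, and the host-level hit from 192.168.10.77 at medium; the probe from the assumed monitoring subnet is suppressed because it only matched the IP, not the listed URL. Hostname allowlists for update, backup or SIEM-integration servers would be applied in `excluded` the same way, keyed on the matched host rather than on a broad pattern such as the parent workers.dev domain.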