Threat Hunting with IP Blocklists: Turning Passive Filters into Active Intelligence

A Monday Morning Incident That Started with a Single IP

A security analyst at a mid-sized financial services firm receives a low-priority alert at 8:14 AM. An internal workstation made an outbound connection to an IP address flagged in an external blocklist. Most teams would dismiss this as a false positive, block the IP at the firewall, and move on. This team digs deeper. Within two hours, they trace the connection back to a compromised contractor laptop that had been silently beaconing to a command-and-control server for eleven days. The blocklist entry was the breadcrumb. The threat hunt was what revealed the full picture.

This is the core premise of using IP blocklists for threat hunting: they are not endpoints in your workflow, they are starting points. Too many organizations deploy blocklists as purely defensive, set-and-forget tools. The real operational value comes from treating every blocklist hit as a hypothesis worth investigating.

Understanding What IP Blocklists Actually Contain

Before building a threat hunting workflow around blocklists, you need to understand what you are working with. Not all blocklists are equivalent. They vary significantly in how entries are added, how long they persist, how frequently they are updated, and what types of abuse they track.

The major categories of IP blocklist data include:

• Spam and email abuse sources: IPs observed sending bulk or phishing emails. These are relevant beyond email security, since attackers frequently reuse infrastructure.
• Brute force and credential stuffing sources: IPs that have targeted SSH, RDP, web login forms, or APIs at scale.
• Botnet C2 nodes and infected hosts: IPs serving as command-and-control servers or confirmed compromised endpoints participating in botnets.
• Scanning and reconnaissance IPs: Hosts conducting port scans, vulnerability probes, or web crawling at volumes consistent with malicious intent.
• Tor exit nodes and anonymization infrastructure: These are not inherently malicious, but frequently appear in attack chains.
• Malware distribution points: IPs hosting payloads, dropper URLs, or acting as staging servers.

Each category implies different attacker behaviors and different hunting hypotheses. An IP flagged for SSH brute force tells you something different than one associated with malware distribution. Treat those signals differently in your analysis pipeline.

Building the Hunting Infrastructure

Effective IP blocklist hunting requires integrating blocklist feeds into your existing visibility stack rather than relying solely on perimeter enforcement. If the only place you consume blocklist data is at your firewall, you are missing a large portion of your observable attack surface.

Where to Enrich and Query

Your SIEM is the natural home for blocklist correlation. Ingest blocklist feeds as threat intelligence lookups and run continuous correlation against your network flow logs, DNS query logs, proxy logs, and endpoint telemetry. The goal is to surface historical matches, not just future ones. When a new IP is added to a high-confidence feed, immediately query your log archives to see whether that IP appeared in your environment before the blocklist entry was created.

Tools like Elastic SIEM, Splunk Enterprise Security, and Microsoft Sentinel all support threat intelligence platform (TIP) integrations or native lookup functionality. At minimum, you should be enriching your logs with blocklist status at query time, not just at ingestion time.

For teams using network detection and response (NDR) tools, configure your platform to generate hunting leads from blocklist hits rather than automatic blocks. A block without a record of what happened before it is a missed hunting opportunity.

Feed Selection and Freshness

Operate multiple feeds simultaneously and categorize them by confidence and context. A feed from a reputable threat intelligence provider with detailed attribution carries more weight than an auto-generated list with no context. Some feeds worth incorporating include:

• AbuseIPDB for community-reported abuse
• Emerging Threats IP Blocklists for malware-related infrastructure
• Spamhaus DROP and EDROP for hijacked IP space
• CISA Known Exploited Vulnerability-related IP indicators when published
• Commercial TIP feeds for higher-confidence, lower-noise data

Feed freshness matters enormously. An IP that was a C2 server six months ago may now be a legitimate cloud resource reassigned to a different customer. Before acting on a blocklist hit, check the age of the entry. Entries older than 30 days should carry reduced confidence unless the feed specifically indicates persistent malicious activity.

The Hunting Workflow: From Hit to Hypothesis to Finding

When a blocklist hit surfaces in your environment, the structured hunting process looks like this:

Step 1: Characterize the Hit

Gather context immediately. What type of abuse does this IP appear on blocklists for? How many feeds flag it? What is the first-seen and last-seen date on the blocklist? What ASN does it belong to? Is it a cloud hosting provider, a residential ISP, or dedicated hosting infrastructure?

An IP from a known bulletproof hosting provider that appears on five feeds for C2 activity warrants a different urgency level than a residential IP flagged once for a spam report two months ago.

Step 2: Map Internal Exposure

Query your logs for every internal host that communicated with this IP. Go back as far as your retention allows. Document the volume of connections, the protocols used, the timing patterns, and whether the communication was inbound or outbound. Outbound connections from internal hosts to a C2-flagged IP are far more significant than inbound scanning attempts that were blocked at the perimeter.

Pay specific attention to timing. Beaconing behavior produces regular interval connections that stand out in traffic volume charts. A host connecting to the same external IP every four minutes at consistent byte counts is a classic C2 beacon pattern, and a blocklist hit on that IP is what often surfaces it.

Step 3: Pivot from the IP to the Broader Campaign

A single IP is rarely the whole story. Once you have confirmed suspicious activity involving a flagged IP, begin lateral pivots:

• Look up the ASN and identify other IPs in the same subnet or hosting range that may appear in your logs
• Query your DNS logs for any domains that resolved to this IP or were queried around the same time from the same host
• Cross-reference the IP against malware sandbox reports to identify specific malware families associated with it
• Search for related indicators in passive DNS databases to uncover historically associated domains

This pivot process transforms a blocklist hit into a full indicator cluster. The WSzero DDoS family, now reportedly in its fourth version and spreading via 21 known vulnerabilities, is a strong example of why this matters. A single C2 IP from an early WSzero campaign, if caught in your environment, should immediately trigger a search for all associated infrastructure across your logs, not just a block of that one address.

Step 4: Assess Internal Host Behavior

For any internal host confirmed to have communicated with a blocklist-flagged IP, initiate endpoint-level investigation. Pull process execution logs, network socket history, and any EDR telemetry. Look for:

• Processes making network connections that have no legitimate reason to communicate externally
• Scheduled tasks or persistence mechanisms created around the time of first contact with the flagged IP
• Lateral movement attempts from the affected host to other internal systems
• Credential access events, particularly LSASS memory access or registry reads of credential stores

The Robinhood account creation flaw that was recently abused to send phishing emails illustrates how attackers chain initial access with downstream infrastructure abuse. A blocklist hit on a sending IP might be the first observable signal, but the real damage comes from what happens inside the perimeter once a user interacts with that phishing content.

Prioritization Frameworks: Not All Hits Are Equal

Operating teams face alert fatigue. A practical scoring approach for blocklist hits helps focus analyst attention on the signals most likely to represent real intrusions.

Consider weighting blocklist hits on a composite score that factors in:

• Feed confidence and reputation: A hit on a high-quality commercial feed scores higher than an anonymous community report
• Number of independent feeds: An IP appearing on three or more independent feeds scores significantly higher
• Entry age: Recent entries within the last 14 days score higher
• Communication direction: Outbound connections from internal hosts score higher than blocked inbound attempts
• Host criticality: A domain controller or database server communicating with a flagged IP scores far higher than a developer test machine
• Protocol significance: Connections over unusual high ports or to known C2 ports score higher than HTTP traffic to the same IP

Hits that score above a defined threshold go to immediate triage. Lower-scoring hits queue for periodic review. This prevents analysts from drowning in low-confidence signals while ensuring high-confidence indicators get rapid attention.

Handling Blocklist Evasion Techniques

Sophisticated threat actors anticipate blocklist use and design their infrastructure to evade it. Awareness of these techniques makes your hunting more effective.

Fast Flux and Infrastructure Rotation

Malware operators frequently rotate C2 IP addresses on short cycles, sometimes daily or even hourly. By the time an IP makes it into a widely distributed blocklist, the attacker has already moved on. Your hunting must account for this by also tracking domain-level indicators, not just IP-level ones. A domain that rotates through ten IPs will only be blocklisted at the IP level intermittently, but the domain itself may be flagged in DNS-based threat feeds.

Shared Infrastructure Abuse

Cloud and hosting providers have become preferred attacker infrastructure because their IP ranges are broadly trusted. An attacker spinning up a malicious workload on AWS, Azure, or Google Cloud gets an IP that many blocklists do not flag by default because legitimate traffic also originates from those ranges. The GlassWorm malware that recently returned via 73 compromised OpenVSX extensions demonstrates how attackers embed in trusted ecosystems specifically to avoid blocklist-based detection. Hunt for anomalous behavioral patterns from cloud provider IP ranges, not just blocklist matches.

Residential Proxy Networks

Residential proxy networks allow attackers to route malicious traffic through legitimate residential IP addresses. These IPs rarely appear on traditional blocklists because the underlying homeowner is not malicious. Detection requires behavioral analysis: unusual request patterns, geographic impossibilities, and session characteristics that do not match expected residential user behavior.

Operationalizing Blocklist Intelligence in Real Time

For SOC teams managing active environments, real-time blocklist enrichment in your log pipeline enables faster detection. Here is a practical implementation approach:

1. Ingest blocklist feeds into your TIP or SIEM lookup tables on a defined refresh cycle, typically every 4 to 6 hours for active threat feeds. Store the feed source, entry date, category, and confidence level alongside each IP entry.
2. Configure your SIEM to tag network logs with blocklist status at search time rather than ingestion time. This allows retroactive detection when new IPs are added to feeds.
3. Build detection rules that fire specifically on outbound connections from internal hosts to blocklisted IPs, separated by category. A rule for C2-associated IPs should have a higher severity than one for spam-source IPs.
4. Create a daily hunting query that runs against the previous 24 hours of logs and returns all blocklist hits sorted by composite score. Review this as a standing hunting task, not an exception workflow.
5. Maintain a local blocklist of IPs you have personally observed in your environment that have not yet made it into public feeds. Share these with your threat intelligence community and upstream to feeds where possible.

When Blocklist Intelligence Becomes Deceptive

A critical operational caution: the threat landscape includes deliberate manipulation of blocklist-adjacent data. The recent warning about data breach alerts being used as traps is directly relevant here. Attackers aware of your security tooling can craft scenarios designed to cause you to blocklist legitimate infrastructure, creating denial-of-service conditions against your own operations, or to flood your alerting pipeline with noise that buries a real intrusion.

Validate blocklist hits against multiple independent sources before taking high-impact defensive actions. A single feed flagging an IP that turns out to be critical business infrastructure can cause significant operational disruption. Cross-reference, check recency, and confirm context before executing blocks on high-impact systems or IP ranges.

The emergence of autonomous offensive AI systems targeting cloud infrastructure also means that blocklist-evading attack behavior will become more sophisticated and adaptive. Threat hunting workflows built entirely around static blocklist matching will struggle to keep pace. Treat blocklist data as one layer in a multi-signal hunting methodology, not as a standalone detection mechanism.

Sharing What You Find

Threat hunting with blocklists generates intelligence that has value beyond your organization. When you identify a C2 IP, a malware distribution server, or a scanning host that does not appear in public feeds, submit it. AbuseIPDB accepts community reports. ISACs in your sector have sharing mechanisms. Commercial TIP vendors accept customer submissions that improve feed quality for everyone.

The ecosystem of blocklist intelligence improves in direct proportion to how many defenders contribute to it. A threat hunting team that only consumes feeds without contributing back is extracting value from a shared resource without sustaining it.

Putting It Together

IP blocklists are among the most accessible and high-signal threat intelligence sources available to defenders. Their value multiplies when you shift from using them purely as enforcement mechanisms to treating every match as a hunting lead worth pursuing. The organizations that catch intrusions early are the ones that see a blocklist hit and ask what else that IP is connected to, which internal hosts reached out to it, and how long that communication has been happening. That investigative posture, combined with structured enrichment, confident prioritization, and active contribution back to the intelligence community, is what separates reactive blocking from genuine threat hunting.