diff --git a/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml b/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml
index f2c7ee0cc..9a0859fd9 100644
--- a/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml
+++ b/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/02/02"
 
 [rule]
 author = ["Elastic"]
@@ -50,6 +50,9 @@ In macOS environments, network connections to web services are routine for data
 - Monitor the network for any further attempts to connect to the flagged domains and ensure that alerts are configured to notify security teams of any recurrence.
 - Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further investigation and to determine if the threat is part of a larger attack campaign.
 """
+references = [
+"https://specterops.io/blog/2026/01/30/weaponizing-whitelists-an-azure-blob-storage-mythic-c2-profile/"
+]
 risk_score = 47
 rule_id = "b07f0fba-0a78-11f0-8311-b66272739ecb"
 severity = "medium"
@@ -163,9 +166,11 @@ destination.domain : (
 pastecode.dev or
 i.imgur.com or
 the.earth.li or
- *.trycloudflare.com
+ *.trycloudflare.com or
+ *.blob.core.windows.net or
+ *.blob.storage.azure.net
 ) and
-not (destination.domain : (*.sharepoint.com or *.azurewebsites.net or "onedrive.live.com" or *.b-cdn.net or api.onedrive.com or "drive.google.com" or *.blogspot.com) and process.code_signature.subject_name:(*Microsoft* or "Software Signing" or "Apple Mac OS Application Signing" or *VMware*) and process.code_signature.trusted:true) and
+not (destination.domain : (*.sharepoint.com or *.azurewebsites.net or "onedrive.live.com" or *.b-cdn.net or api.onedrive.com or "drive.google.com" or *.blogspot.com or *.blob.core.windows.net or *.blob.storage.azure.net) and process.code_signature.subject_name:(*Microsoft* or "Software Signing" or "Apple Mac OS Application Signing" or *VMware*) and process.code_signature.trusted:true) and
 not (process.code_signature.subject_name:(*Mozilla* or *Google* or *Brave* or *Opera* or "Software Signing" or *Zscaler* or *Browser*) and process.code_signature.trusted:true) and
 not (destination.domain :("discord.com" or cdn.discordapp.com or "content.dropboxapi.com" or "dl.dropboxusercontent.com") and process.code_signature.subject_name :(*Discord* or *Dropbox*) and process.code_signature.trusted:true)
 '''
diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
index f3d0ab94a..30c7f2913 100644
--- a/rules/windows/command_and_control_common_webservices.toml
+++ b/rules/windows/command_and_control_common_webservices.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/02/02"
 
 [transform]
 [[transform.investigate]]
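Review bot: The rewritten `not (destination.domain : (... *.blob.core.windows.net or *.blob.storage.azure.net) and process.code_signature.subject_name:(*Microsoft* or "Software Signing" or "Apple Mac OS Application Signing" or *VMware*) ...)` line hands the exact transport the referenced post weaponizes to every trusted signer matching those patterns, including every Mac App Store app ("Apple Mac OS Application Signing", as far as I know the App Store identity) and any validly signed binary whose subject merely contains "Microsoft" or "VMware". Note that the following, unchanged `not (process.code_signature.subject_name:(... "Software Signing" ...) and process.code_signature.trusted:true)` clause already drops every Apple-signed OS binary for all domains, so the blob additions to the shared carve-out only change behaviour for the `*Microsoft*`, App Store and `*VMware*` signers, and that widening is what deserves justification. If the goal is just to silence Microsoft's own macOS clients, a dedicated narrower clause would do it without touching the other two signers: `not (destination.domain : (*.blob.core.windows.net or *.blob.storage.azure.net) and process.code_signature.subject_name:*Microsoft* and process.code_signature.trusted:true) and`, leaving the blob domains out of the shared line until an App Store or VMware false positive actually shows up. Whether a substring wildcard on the subject name is safe depends on how strictly Developer ID organization names are vetted; an exact subject string would be safer if it is known.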
@@ -128,8 +128,9 @@ This rule looks for processes outside known legitimate program locations communi
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
 references = [
-"https://www.elastic.co/security-labs/operation-bleeding-bear",
-"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"
+"https://www.elastic.co/security-labs/operation-bleeding-bear",
+"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry",
+"https://specterops.io/blog/2026/01/30/weaponizing-whitelists-an-azure-blob-storage-mythic-c2-profile/"
 ]
 risk_score = 21
 rule_id = "66883649-f908-4a5b-a1e0-54090a1d3a32"
@@ -233,8 +234,10 @@ network where host.os.type == "windows" and
 "www.googleapis.com",
 "googleapis.com",
 "global.rel.tunnels.api.visualstudio.com",
- "*.devtunnels.ms",
- "api.github.com") and
+ "*.devtunnels.ms",
+ "api.github.com",
+ "*.blob.core.windows.net",
+ "*.blob.storage.azure.net") and
 
 /* Insert noisy false positives here */
 not (
@@ -288,7 +291,8 @@ network where host.os.type == "windows" and
 ) or
 (process.code_signature.subject_name : "Microsoft *" and process.code_signature.trusted == true and
- dns.question.name : ("*.sharepoint.com", "graph.microsoft.com", "g.live.com", "login.live.com")
+ dns.question.name : ("*.sharepoint.com", "graph.microsoft.com", "g.live.com", "login.live.com",
+ "*.blob.core.windows.net", "*.blob.storage.azure.net")
 ) or
 (process.code_signature.subject_name : ("Python Software Foundation", "Anaconda, Inc.") and
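Review bot: The new `"*.blob.core.windows.net"` entry in the `@@ -233` hunk matches every Azure Storage account in the public cloud, a far broader population than the neighbouring `"*.devtunnels.ms"` and `"api.github.com"`, so installers, updaters and telemetry uploaders running from outside the known program locations the rule already requires are likely to raise this low-score rule noticeably; the `/* Insert noisy false positives here */` block is the place for those, and it would help to record which ones were seen during tuning. The only mitigation for Microsoft's own traffic is the `"Microsoft *"` trusted-signer carve-out further down the query (the hunk starting at `@@ -288`, which continues outside this excerpt), and that is precisely the kind of allowlist the referenced post targets, so a Microsoft-signed OS tool copied to an unusual path would presumably stay silent for these domains. Consider documenting the intent inline next to the new entries, e.g. `/* Azure Blob endpoints: C2 transport per the SpecterOps Mythic profile; Microsoft-signed clients are excluded below */`, so a later tuner does not widen that exclusion further.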