Microsoft Azure Monitor alerts abused for callback phishing attacks

bleepingcomputer.com · 01-_- · 21 days ago · view on HN · news
quality 7/10 · good
0 net
Tags
account-takeover malware microsoft oauth phishing
Microsoft Azure Monitor alerts abused for callback phishing attacks Home News Security Microsoft Azure Monitor alerts abused for callback phishing attacks Microsoft Azure Monitor alerts abused for callback phishing attacks By Lawrence Abrams March 21, 2026 10:09 AM 0 Microsoft Azure Monitor alerts are being abused to send callback phishing emails that impersonate warnings from the Microsoft Security Team about unauthorized charges on your account. Azure Monitor is Microsoft's cloud-based monitoring service that collects and analyzes data from Azure resources, applications, and infrastructure. It enables users to track performance, notify about billing changes, detect issues, and trigger alerts based on various conditions. Over the past month, numerous people have reported receiving Azure Monitor alerts warning of suspicious charges or invoice activity on their accounts, urging them to call an enclosed phone number. "Alert rule description MICROSOFT CORPORATION BILLING AND ACCOUNT SECURITY NOTICE (REF: MS-FRA-6673829-KP). Our system has detected a potentially unauthorized charge on your account. Transaction Details: Merchant: Windows Defender. Transaction ID: PP456-887A-22B. Amount: 389.90 USD. Date: 03/05/2026l," reads the fake billing alert. "For your protection, this transaction has been temporarily placed on hold by our Fraud Detection Team. To prevent possible account suspension or additional fees, please verify this transaction immediately. If you did NOT authorize this payment, contact our 24/7 Microsoft Account Security Support at +1 (864) 347-2494 or +1 (864) 347-4846." "We apologize for any inconvenience and appreciate your prompt response. Microsoft Account Security Team." Microsoft Azure Monitor alert used in a callback phishing scam Source: BleepingComputer Unlike other phishing campaigns, these messages are not spoofed, but are sent directly by the Microsoft Azure Monitor platform using the legitimate [email protected] email address. As the emails are sent through Microsoft's legitimate email platforms, they pass SPF, DKIM, and DMARC email security checks, making them appear more trustworthy. Authentication-Results: relay.mimecast.com; dkim=pass header.d=microsoft.com header.s=s1024-meo header.b=CKfQ8iOB; arc=pass ("microsoft.com:s=arcselector10001:i=1"); dmarc=pass (policy=reject) header.from=microsoft.com; spf=pass (relay.mimecast.com: domain of [email protected] designates 40.107.200.103 as permitted sender) [email protected] The threat actors are conducting this campaign by creating alerts in Azure Monitor for easily triggered conditions, such as new orders, payments, generated invoices, and other billing events. When creating alerts, you can enter any message you want in the description field, which the attackers use to put their callback phishing message. Description field when creating an Azure Monitor alert Source: Microsoft These alerts are then configured to send emails to what is believed to be a mailing list under the attacker's control, which forwards the email to all the targeted people in the attack. This also preserves the original Microsoft headers and authentication results, helping the emails bypass spam filters and user suspicion. BleepingComputer has seen multiple alert categories used in this campaign, mostly using invoice and payment-themed rules designed to resemble automated billing notifications: Azure monitor alert rule order-22455340 was resolved for invoice22455340 Azure monitor alert rule Invoice Paid INV-d39f76ef94 was resolved for invd39f76ef94 Azure monitor alert rule Payment Reference INV-22073494 was resolved for purchase22073494 Azure monitor alert rule Funds Successfully Received-ec5c7acb41 was triggered for subec5c7acb41 Azure monitor alert rule MemorySpike-9242403-A4 was triggered Azure monitor alert rule DiskFull-3426456-A6 was triggered for locker3426456 The campaign relies on creating a sense of urgency, which in this case is the unusual $389 Windows Defender charge, to trick the users into calling the listed phone number. While BleepingComputer did not call the number in this scam, previous callback phishing campaigns led to credential theft, payment fraud, or the installation of remote access software. As these emails use a more enterprise or corporate theme, they may be intended to gain initial access to corporate networks for follow-on attacks. Users should treat any Azure or Microsoft alert that includes a phone number or urgent request to resolve billing issues with suspicion. Red Report 2026: Why Ransomware Encryption Dropped 38% Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight. Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded. Download The Report Related Articles: Microsoft: Hackers abusing AI at every stage of cyberattacks Microsoft: Hackers abuse OAuth error flows to spread malware Microsoft Store Outlook add-in hijacked to steal 4,000 Microsoft accounts Microsoft shares fix for Windows C: drive access issues on Samsung PCs FBI links Signal phishing attacks to Russian intelligence services Alert Azure Monitor CallBack Microsoft Phishing Lawrence Abrams Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies. Previous Article Next Article Post a Comment Community Rules You need to login in order to post a comment Not a member yet? Register Now You may also like: Popular Stories CISA urges US orgs to secure Microsoft Intune systems after Stryker breach Max severity Ubiquiti UniFi flaw may allow account takeover Microsoft: March Windows updates break Teams, OneDrive sign-ins Sponsor Posts Overdue a password health-check? Audit your Active Directory for free Secure your AI agents without sacrificing speed. Are refund fraud methods targeting your brand? You can monitor the underground for these threats. Uncover shadow AI apps, users, and risky data sharing. Get started in 5 min. Cyber resilience without the complexity. Join Zero Networks to stop lateral movement fast. Login Username Password Remember Me Sign in anonymously Sign in with Twitter Not a member yet? Register Now Reporter Help us understand the problem. What is going on with this comment? Spam Abusive or Harmful Inappropriate content Strong language Other Read our posting guidelinese to learn what content is prohibited. Submitting... SUBMIT
← Back to stories