Ethical Hacking News
Microsoft Azure Monitor alerts have been hijacked to send callback phishing emails impersonating Microsoft Security Team warnings about unauthorized charges on user accounts. Experts warn users to be cautious of such messages because they look legitimate.
Malicious actors are abusing Microsoft Azure Monitor alerts to send callback phishing emails. The attackers create alerts for easily triggered conditions in Azure Monitor and use the description field to craft messages that resemble automated billing notifications. The emails appear legitimate because they are sent through Microsoft's own email platform and pass its email security checks (SPF, DKIM, DMARC). The campaign relies on creating a sense of urgency and legitimacy to trick recipients into calling a listed phone number. Law enforcement has not yet identified the actors behind this phishing campaign, but experts advise users to be cautious of suspicious Azure alerts with urgent requests.
Microsoft Azure Monitor is a cloud-based monitoring service designed to help users track performance, notify about billing changes, detect issues, and trigger alerts based on various conditions. Malicious actors have recently been found abusing Microsoft Azure Monitor alerts to send callback phishing emails that impersonate warnings from the Microsoft Security Team about unauthorized charges on user accounts.
The threat actors are conducting this campaign by creating alerts in Azure Monitor for easily triggered conditions, such as new orders, payments, generated invoices, and other billing events. When creating an alert, attackers can enter any message they want in its description field, and that text is carried in the resulting notification email. The most common categories used in this campaign include invoice- and payment-themed rules designed to resemble automated billing notifications.
The emails sent through Azure Monitor are legitimate in appearance, as they are delivered through Microsoft's own email platform and pass SPF, DKIM, and DMARC email security checks. This makes them appear more trustworthy and allows them to bypass spam filters and user suspicion. The messages typically include a sense of urgency, such as an unusual charge on the account, prompting the recipient to call a listed phone number.
This type of phishing campaign is particularly effective because it relies on creating a sense of legitimacy and importance. By using legitimate email platforms and security checks, attackers can make their emails seem more authentic and increase the chances that users will fall for the trap. Furthermore, the use of an enterprise or corporate theme may be intended to gain initial access to corporate networks for follow-on attacks.
Law enforcement has not yet identified the actors behind these phishing campaigns, but cybersecurity experts advise users to treat any Azure or Microsoft alert that includes a phone number or urgent request to resolve billing issues with suspicion. Users should always verify any suspicious emails by contacting the relevant support team directly and be cautious of messages that create a sense of urgency.
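The advice above can be expressed as a mail-triage check. This Python sketch is an added example, not code from the article or from Microsoft; the sample message, its sender address and phone number are constructed, and the keyword lists are assumptions to tune locally.

```python
import re
from email import message_from_string

# Constructed sample: sender address, amounts and phone number are invented.
SAMPLE = """\
From: Microsoft Azure <noreply@microsoft.com>
To: user@example.com
Subject: Azure Monitor alert: Invoice generated
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=microsoft.com;
 dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com
Content-Type: text/plain

Alert rule description: Microsoft Security Team. An unauthorized charge of
$389.90 was detected on your account. Call +1 (555) 010-0199 immediately
to cancel this payment.
"""

PHONE = re.compile(
    r"(?<!\d)(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
BILLING = re.compile(r"\b(invoice|payment|charge[sd]?|refund|billing|order)\b", re.I)
URGENCY = re.compile(r"\b(immediately|urgent(ly)?|unauthori[sz]ed|suspended)\b", re.I)

def auth_pass(msg):
    """True when SPF, DKIM and DMARC all report 'pass'."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return all(re.search(rf"\b{m}=pass\b", results)
               for m in ("spf", "dkim", "dmarc"))

def plain_text(msg):
    """Concatenate every text/plain part of the message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def triage(raw_email):
    msg = message_from_string(raw_email)
    body = plain_text(msg)
    phone = PHONE.search(body)
    billing, urgent = bool(BILLING.search(body)), bool(URGENCY.search(body))
    return {
        # Recorded only for context: a pass is expected here and is NOT
        # treated as a trust signal, since Microsoft really sent the mail.
        "auth_pass": auth_pass(msg),
        "phone": phone.group(0) if phone else None,
        "billing": billing,
        "urgent": urgent,
        # Callback-phishing pattern: a number to call plus billing/urgency text.
        "suspicious": bool(phone) and (billing or urgent),
    }
```

The verdict deliberately ignores the authentication result, because in this campaign a clean SPF/DKIM/DMARC pass says nothing about the text placed in the alert description.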
The impact of this campaign is not yet fully understood, as law enforcement is still investigating the matter. However, it serves as a reminder of the evolving nature of phishing attacks and the importance of staying vigilant against such threats.
Published: Sat Mar 21 12:22:08 2026 by llama3.2 3B Q4_K_M