Microsoft Azure Monitor Alert Abuse in Phishing Callback Campaigns

Cybercriminals are exploiting Microsoft Azure Monitor alerts to conduct callback phishing campaigns, targeting users with fake warnings about suspicious charges on their accounts.

Azure Monitor Abuse

Azure Monitor, a cloud-based monitoring service, allows users to track performance, detect issues, and trigger alerts based on various conditions. However, attackers have found a way to abuse this feature to send legitimate-looking emails that appear to come from the Microsoft Security Team.

Phishing Email Tactics

The phishing emails claim that a potentially unauthorized charge has been detected on the user’s account, with details such as the merchant, transaction ID, amount, and date. The message urges the user to call a provided phone number to resolve the issue. These emails are not spoofed but are sent directly through the Microsoft Azure Monitor platform, using the legitimate azure-noreply@microsoft.com address.

As a result, they pass security checks such as SPF, DKIM, and DMARC, making them appear more trustworthy.

Attack Method

The attackers create alerts in Azure Monitor for easily triggered conditions, such as new orders or payments, and enter a malicious message in the description field. These alerts are then configured to send emails to a mailing list under the attacker’s control, which forwards the messages to targeted individuals.

This approach preserves the original Microsoft headers and authentication results, helping the emails bypass spam filters and user suspicion.

Campaign Tactics

Multiple alert categories have been used in this campaign, mostly with invoice and payment-themed rules designed to resemble automated billing notifications. The campaign relies on creating a sense of urgency to trick users into calling the listed phone number, which could lead to credential theft, payment fraud, or the installation of remote access software.

Precautions

Users should be cautious when receiving Azure or Microsoft alerts that include a phone number or urgent request to resolve billing issues. It is essential to verify the authenticity of such messages before taking any action. As these emails use a more enterprise or corporate theme, they may be intended to gain initial access to corporate networks for follow-on attacks.
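Because these messages are genuine Azure Monitor mail from azure-noreply@microsoft.com, an SPF, DKIM or DMARC pass tells a mail gateway nothing about whether the alert is a lure; the distinguishing signals are the ones described above: a relay through a mailing list rather than direct delivery, and an alert description that carries billing details, urgency language and a phone number to call. The triage function below is an added illustration of those checks, not code from the article or from Microsoft. The two raw messages are constructed samples; the header values, addresses, amounts and phone number in them are invented, and the decision rule (flag an alert whose text contains a phone number together with urgency or billing language) is an assumption of this example rather than a documented detection from the campaign report.

```python
"""Triage checks for Azure Monitor alert e-mails abused for callback phishing.

Added example for this article; not code from the article or from Microsoft.
All sample headers, addresses and numbers below are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

MICROSOFT_SENDER = "azure-noreply@microsoft.com"

# Constructed sample: a real-looking Azure Monitor alert, relayed through a
# third-party mailing list, whose description is a callback lure.
SUSPICIOUS_RAW = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=microsoft.com;
 dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com
From: Microsoft Azure <azure-noreply@microsoft.com>
To: alerts-list@example-list.invalid
List-Id: <alerts-list.example-list.invalid>
Subject: Azure Monitor alert 'Payment notice' was activated
Content-Type: text/plain; charset=utf-8

Alert description:
A potentially unauthorized charge of $489.00 was detected on your account.
Merchant: EXAMPLE STORE  Transaction ID: TX-000000  Date: 2024-01-01
To dispute this charge immediately, call +1 (555) 010-0000.
"""

# Constructed sample: an ordinary operational alert delivered straight to the
# subscription owner, with the same passing authentication results.
BENIGN_RAW = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=microsoft.com;
 dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com
From: Microsoft Azure <azure-noreply@microsoft.com>
To: ops@example.net
Subject: Azure Monitor alert 'High CPU' was activated
Content-Type: text/plain; charset=utf-8

Alert description:
Average CPU percentage on vm-web-01 exceeded 90% for 15 minutes.
"""

PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URGENCY_RE = re.compile(r"\b(unauthori[sz]ed|suspicious|immediately|dispute|call)\b", re.I)
BILLING_RE = re.compile(r"\b(merchant|transaction id|charge|invoice|payment|amount)\b", re.I)


def authentication_passed(msg: Message) -> bool:
    """True when the receiving MTA recorded spf, dkim and dmarc as pass."""
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return all(f"{mech}=pass" in auth for mech in ("spf", "dkim", "dmarc"))


def is_azure_monitor_sender(msg: Message) -> bool:
    """True when the From: mailbox is the Azure Monitor notification address."""
    return parseaddr(msg.get("From", ""))[1].lower() == MICROSOFT_SENDER


def relayed_via_list(msg: Message, delivered_to: str) -> bool:
    """Heuristic (assumption of this example): a list relay usually adds List-*
    headers, and To: then names the list instead of the final mailbox."""
    has_list_header = any(h.lower().startswith("list-") for h in msg.keys())
    return has_list_header or delivered_to.lower() not in msg.get("To", "").lower()


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a message (works for single-part too)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw: str, delivered_to: str) -> dict:
    """Return the indicators found in one message and a suspicious verdict."""
    msg = message_from_string(raw)
    text = body_text(msg)
    indicators = []
    # Passing authentication is expected here: the platform really sent it.
    if is_azure_monitor_sender(msg) and authentication_passed(msg):
        indicators.append("authenticated_azure_sender")
    if relayed_via_list(msg, delivered_to):
        indicators.append("relayed_via_mailing_list")
    if PHONE_RE.search(text):
        indicators.append("phone_number_in_alert")
    if URGENCY_RE.search(text):
        indicators.append("urgency_language")
    if BILLING_RE.search(text):
        indicators.append("billing_details")
    # Decision rule (assumption): an alert description that asks the reader to
    # phone a number, dressed in urgency or billing language, is the lure.
    suspicious = "phone_number_in_alert" in indicators and (
        "urgency_language" in indicators or "billing_details" in indicators
    )
    return {"indicators": indicators, "suspicious": suspicious}


if __name__ == "__main__":
    for label, raw, rcpt in (("lure", SUSPICIOUS_RAW, "victim@example.net"),
                             ("benign", BENIGN_RAW, "ops@example.net")):
        print(label, triage(raw, rcpt))
```

Both samples carry the "authenticated_azure_sender" indicator, which is the point: a gateway rule keyed on authentication failure never fires on this campaign, so the rule has to look at how the alert reached the mailbox and what its description asks the reader to do.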
