Azure Monitor Alerts Weaponized for Callback Phishing Campaign

Threat actors are exploiting Microsoft Azure Monitor alerts to send fraudulent callback phishing emails impersonating the Microsoft Security Team. The legitimate emails originate from azure-noreply@microsoft.com and pass all standard email authentication checks, making them appear highly trustworthy. Attackers create billing-related alert rules within Azure Monitor and populate the description fields with phishing messages instructing recipients to call specific phone numbers.

The campaign typically warns of unauthorized charges, such as a $389 Windows Defender transaction, creating urgency to prompt victims into calling the provided numbers. These alerts are configured to email a mailing list under the attacker's control, which then forwards them to targeted recipients while preserving legitimate Microsoft headers. Previous callback phishing operations of this nature have led to credential theft, payment fraud, or installation of remote access software.

The emails use various alert categories including invoice and payment themes, often referencing fabricated transaction IDs and amounts. Unlike traditional phishing that relies on spoofed domains, these messages leverage Microsoft's own infrastructure to bypass spam filters. Users receiving Azure Monitor alerts containing phone numbers or urgent billing requests are advised to treat them with extreme suspicion and verify through official channels rather than calling the provided numbers.
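
Because these messages pass sender authentication, triage has to rely on content and routing instead. The following is an added example, not code from the article or from Microsoft: a mail-triage heuristic that flags Azure Monitor mail carrying a phone number, billing-plus-callback wording, or a recipient who is not in the To/Cc headers (consistent with relay through a mailing list). The regexes, keyword lists, finding names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

AZURE_SENDER = "azure-noreply@microsoft.com"  # sender address named in the article
# Assumed heuristics (not from the article): phone shape and keyword lists.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}(?!\d)")
BILLING_RE = re.compile(r"\b(invoice|payment|charge[sd]?|transaction|billing)\b", re.I)
CALL_RE = re.compile(r"\b(call|dial|phone|contact)\b", re.I)

def body_text(msg):
    # Decode every text/* part so HTML-only alerts are inspected too.
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_message, delivered_to):
    """Return findings for one Azure Monitor mail; [] means nothing flagged."""
    msg = message_from_string(raw_message)
    if parseaddr(msg.get("From", ""))[1].lower() != AZURE_SENDER:
        return []  # rule only covers mail from the Azure Monitor sender
    # SPF/DKIM/DMARC are not checked: these mails pass them by design.
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    addressed = {addr.lower() for _, addr in
                 getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    findings = []
    if PHONE_RE.search(text):
        findings.append("phone_number_in_alert")
    if BILLING_RE.search(text) and CALL_RE.search(text):
        findings.append("billing_callback_lure")
    if delivered_to.lower() not in addressed:
        findings.append("recipient_not_addressed")  # relayed, e.g. via a list
    return findings

# Constructed samples; addresses and the 555-01xx number are fictional.
PHISH = "\n".join([
    "From: Microsoft Azure <azure-noreply@microsoft.com>",
    "To: alerts@list.example",
    "Subject: Azure Monitor alert: invoice-payment-alert",
    "",
    "Unauthorized charge of $389.00 for Windows Defender. Call +1 (805) 555-0142."])
BENIGN = "\n".join([
    "From: Microsoft Azure <azure-noreply@microsoft.com>",
    "To: ops@corp.example",
    "Subject: Azure Monitor alert: cpu-high",
    "",
    "Percentage CPU greater than 90 on vm-web-01."])
```

Calling triage(PHISH, "victim@corp.example") returns all three findings, while the constructed operational alert returns an empty list; any finding is a reason to quarantine for review rather than proof of fraud.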
