Microsoft Azure Monitor Alerts Abused for Callback Phishing Attacks

Published on: March 20, 2026

Overview:

A new phishing campaign has been identified where attackers are misusing Microsoft Azure Monitor to send fake security and billing alert emails.

These emails appear to come from legitimate Microsoft systems (such as azure-noreply@microsoft.com) and warn users about unauthorized charges or suspicious account activity. The emails then ask users to call a phone number to resolve the issue.

Since these emails are sent through Microsoft’s real infrastructure, they pass email security checks like SPF, DKIM, and DMARC, making them look trustworthy and harder to detect.

This type of attack is known as callback phishing, where victims are tricked into calling attackers instead of clicking links.

Who It Impacts:

  • Organizations using Microsoft Azure services
  • Corporate users who receive automated cloud alerts
  • Finance, billing, and IT teams handling invoices or payments
  • General users who trust emails from Microsoft domains

How It Impacts:

The attack works in the following way:

  • Attackers create fake alert rules in Azure Monitor
  • They insert phishing messages in the alert description
  • Microsoft sends the alert email from a legitimate email address
  • The email warns about fake charges (e.g., $389 for Windows Defender)
  • The user is asked to call a phone number urgently

If the user calls the number:

  • Attackers may steal credentials (usernames/passwords)
  • They may convince users to install remote access tools
  • Financial fraud or unauthorized transactions may occur
  • Attackers may gain access to corporate systems

Because the email is legitimate in appearance, users are more likely to trust and act on it.

Recommendations:

User Awareness:

  • Do not trust emails just because they come from Microsoft
  • Never call phone numbers mentioned in emails
  • Always verify billing alerts through official Microsoft portals

Email Security:

  • Monitor emails from Microsoft domains that contain phone numbers or urgent language (e.g., “immediate action required”)
  • Flag or quarantine suspicious alert emails
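
The Email Security checks above, sketched as a mail-triage rule. This is an added example, not code from the original advisory or from Microsoft. The regular expressions, the verdict thresholds, the sender match on @microsoft.com and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Heuristics below are assumptions for illustration, not values from the advisory.
PHONE_RE = re.compile(r"(?<!\w)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\w)")
URGENT_RE = re.compile(
    r"immediate action required|unauthorized (?:charge|transaction)|"
    r"suspicious (?:account )?activity|call (?:us|now|immediately)", re.I)

def body_text(msg):
    """Return the decoded text/* parts of a message as one string."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_email):
    """Return (verdict, reasons). SPF/DKIM/DMARC is ignored on purpose:
    the abused alerts are sent by Microsoft itself, so a pass proves nothing."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not sender.endswith("@microsoft.com"):
        return "out_of_scope", []
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    reasons = []
    if PHONE_RE.search(text):
        reasons.append("phone_number")
    if URGENT_RE.search(text):
        reasons.append("urgent_language")
    return {0: "allow", 1: "flag", 2: "quarantine"}[len(reasons)], reasons

# Constructed samples (not real messages); the phone number is fictional.
PHISH = """From: Microsoft Azure <azure-noreply@microsoft.com>
Subject: Azure Monitor alert: billing
Authentication-Results: mx.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

Unauthorized charge of $389 for Windows Defender detected.
Immediate action required: call +1 (888) 555-0142 to dispute.
"""
BENIGN = """From: Microsoft Azure <azure-noreply@microsoft.com>
Subject: Azure Monitor alert: CPU above 90%
Content-Type: text/plain; charset=utf-8

Rule cpu-high fired on subscription 12345678-1234-1234-1234-123456789012.
"""
```

Calling triage(PHISH) returns a quarantine verdict with both reasons, while the constructed routine alert in BENIGN is allowed even though it carries a long numeric subscription ID.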

Azure Security:

  • Restrict who can create or modify Azure Monitor alert rules
  • Regularly review alert configurations and descriptions
  • Monitor for unusual or newly created alert rules

Access Control:

  • Enable Multi-Factor Authentication (MFA) for Azure accounts
  • Apply least privilege access to Azure resources

Reference Link: