
Microsoft Azure Monitor alerts are being abused to send callback phishing emails that impersonate warnings from the Microsoft Security Team about unauthorized charges on your account.
Azure Monitor is Microsoft’s cloud-based monitoring service that collects and analyzes data from Azure resources, applications, and infrastructure. It allows users to track performance, notify about billing changes, detect issues, and trigger alerts based on various conditions.
Over the past month, numerous people have reported receiving Azure Monitor alerts warning of suspicious charges or invoice activity on their accounts, urging them to call an enclosed phone number.
“Alert rule description MICROSOFT CORPORATION BILLING AND ACCOUNT SECURITY NOTICE (REF: MS-FRA-6673829-KP). Our system has detected a potentially unauthorized charge on your account. Transaction Details: Merchant: Windows Defender. Transaction ID: PP456-887A-22B. Amount: 389.90 USD. Date: 03/05/2026l,” reads the fake billing alert.
“For your security, this transaction has been temporarily placed on hold by our Fraud Detection Team. To prevent potential account suspension or additional fees, please verify this transaction immediately. If you did NOT authorize this payment, contact our 24/7 Microsoft Account Security Support at +1 (864) 347-2494 or +1 (864) 347-4846.”
“We apologize for any inconvenience and appreciate your prompt response. Microsoft Account Security Team.”

Source: BleepingComputer
Unlike other phishing campaigns, these messages are not spoofed, but are sent directly by the Microsoft Azure Monitor platform using the legitimate azure-noreply@microsoft.com email address.
Because the emails are sent through Microsoft’s legitimate email platforms, they pass SPF, DKIM, and DMARC email security checks, making them appear more trustworthy.
Authentication-Results: relay.mimecast.com;
dkim=pass header.d=microsoft.com header.s=s1024-meo header.b=CKfQ8iOB;
arc=pass ("microsoft.com:s=arcselector10001:i=1");
dmarc=pass (policy=reject) header.from=microsoft.com;
spf=pass (relay.mimecast.com: domain of azure-noreply@microsoft.com designates 40.107.200.103 as permitted sender) smtp.mailfrom=azure-noreply@microsoft.com
The threat actors are conducting this campaign by creating alerts in Azure Monitor for easily triggered conditions, such as new orders, payments, generated invoices, and other billing events.
When creating alerts, you can enter any message you want in the description field, which the attackers use to place their callback phishing message.

Source: Microsoft
These alerts are then configured to send emails to what is believed to be a mailing list under the attacker’s control, which forwards the email to all the targeted people in the attack.
This also preserves the original Microsoft headers and authentication results, helping the emails bypass spam filters and user suspicion.
BleepingComputer has seen multiple alert categories used in this campaign, mostly using invoice and payment-themed rules designed to resemble automated billing notifications:
- Azure monitor alert rule order-22455340 was resolved for invoice22455340
- Azure monitor alert rule Invoice Paid INV-d39f76ef94 was resolved for invd39f76ef94
- Azure monitor alert rule Payment Reference INV-22073494 was resolved for purchase22073494
- Azure monitor alert rule Funds Successfully Received-ec5c7acb41 was triggered for subec5c7acb41
- Azure monitor alert rule MemorySpike-9242403-A4 was triggered
- Azure monitor alert rule DiskFull-3426456-A6 was triggered for locker3426456
The campaign relies on creating a sense of urgency, which in this case is the unusual $389 Windows Defender charge, to trick the users into calling the listed phone number.
While BleepingComputer did not call the number in this scam, previous callback phishing campaigns led to credential theft, payment fraud, or the installation of remote access software.
As these emails use a more enterprise or corporate theme, they may be intended to gain initial access to corporate networks for follow-on attacks.
Users should treat any Azure or Microsoft alert that includes a phone number or urgent request to resolve billing issues with suspicion.
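Because these messages pass SPF, DKIM, and DMARC, a mail filter has to judge the alert body rather than the sender. The following is an added example, not code from BleepingComputer or Microsoft: a Python triage check that flags Azure Monitor mail whose body contains a phone number together with billing-lure wording. The function names, the lure phrase list, the relay name relay.example.net, and the placeholder phone number are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

AZURE_SENDER = "azure-noreply@microsoft.com"  # sender address named in the article
# North American phone numbers such as +1 (555) 010-0199
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
# Assumed lure phrases, taken from the alert description quoted in the article
LURE_RE = re.compile(
    r"unauthorized charge|fraud detection|account suspension|did not authorize", re.I)

def auth_passed(msg):
    """True when SPF, DKIM and DMARC all report pass (as they do in this campaign)."""
    results = " ".join(str(h) for h in msg.get_all("Authentication-Results", [])).lower()
    return all(f"{check}=pass" in results for check in ("spf", "dkim", "dmarc"))

def triage(raw):
    """Score the body of an Azure Monitor mail; authentication is recorded, not trusted."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1].lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part else ""
    phones = PHONE_RE.findall(text)
    lures = sorted({m.lower() for m in LURE_RE.findall(text)})
    flagged = sender == AZURE_SENDER and bool(phones) and bool(lures)
    return {"auth_passed": auth_passed(msg), "phones": phones, "lures": lures,
            "verdict": "quarantine" if flagged else "deliver"}

HEADERS = (  # constructed headers, modelled on the Authentication-Results shown above
    "From: Microsoft Azure <azure-noreply@microsoft.com>\n"
    "Authentication-Results: relay.example.net; dkim=pass header.d=microsoft.com;\n"
    " dmarc=pass (policy=reject) header.from=microsoft.com; spf=pass\n"
    "Content-Type: text/plain\n")
# Constructed samples: a callback lure with a placeholder number, and an ordinary alert
LURE_MAIL = HEADERS + (
    "Subject: Azure monitor alert rule order-1 was resolved\n\n"
    "Our system has detected a potentially unauthorized charge on your account. "
    "If you did NOT authorize this payment, contact support at +1 (555) 010-0199.\n")
PLAIN_MAIL = HEADERS + (
    "Subject: Azure monitor alert rule cpu-high was triggered\n\n"
    "Alert cpu-high fired: average CPU above 90 percent for 5 minutes.\n")

if __name__ == "__main__":
    for name, raw in (("lure", LURE_MAIL), ("plain", PLAIN_MAIL)):
        print(name, triage(raw))
```

Both samples carry identical passing authentication results, so only the body check separates them.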
