Microsoft Azure Monitor alerts are being abused to send callback phishing emails that impersonate warnings from the Microsoft Security Team about unauthorized charges on your account.
Azure Monitor is Microsoft's cloud-based monitoring service that collects and analyzes data from Azure resources, applications, and infrastructure. It allows users to track performance, notify about billing changes, detect issues, and trigger alerts based on various conditions.
Over the past month, numerous people have reported receiving Azure Monitor alerts warning of suspicious charges or invoice activity on their accounts, urging them to call an enclosed phone number.
“Alert rule description MICROSOFT CORPORATION BILLING AND ACCOUNT SECURITY NOTICE (REF: MS-FRA-6673829-KP). Our system has detected a potentially unauthorized charge on your account. Transaction Details: Merchant: Windows Defender. Transaction ID: PP456-887A-22B. Amount: 389.90 USD. Date: 03/05/2026l,” reads the faux billing alert.
“For your protection, this transaction has been temporarily placed on hold by our Fraud Detection Team. To prevent possible account suspension or additional fees, please verify this transaction immediately. If you did NOT authorize this payment, contact our 24/7 Microsoft Account Security Support at +1 (864) 347-2494 or +1 (864) 347-4846.”
“We apologize for any inconvenience and appreciate your prompt response. Microsoft Account Security Team.”

Source: BleepingComputer
Unlike other phishing campaigns, these messages are not spoofed, but are sent directly by the Microsoft Azure Monitor platform using the legitimate azure-noreply@microsoft.com email address.
Because the emails are sent by Microsoft's legitimate email platforms, they pass SPF, DKIM, and DMARC email security checks, making them appear more trustworthy.
Authentication-Results: relay.mimecast.com;
dkim=pass header.d=microsoft.com header.s=s1024-meo header.b=CKfQ8iOB;
arc=pass ("microsoft.com:s=arcselector10001:i=1");
dmarc=pass (policy=reject) header.from=microsoft.com;
spf=pass (relay.mimecast.com: domain of azure-noreply@microsoft.com designates 40.107.200.103 as permitted sender) smtp.mailfrom=azure-noreply@microsoft.com
The threat actors are conducting this campaign by creating alerts in Azure Monitor for easily triggered conditions, such as new orders, payments, generated invoices, and other billing events.
When creating alerts, you can enter any message you want in the description field, which the attackers use to place their callback phishing message.

Source: Microsoft
These alerts are then configured to send emails to what is believed to be a mailing list under the attacker's control, which forwards the email to all the targeted people in the attack.
This also preserves the original Microsoft headers and authentication results, helping the emails bypass spam filters and user suspicion.
BleepingComputer has seen multiple alert categories used in this campaign, mostly using invoice and payment-themed rules designed to resemble automated billing notifications:
- Azure monitor alert rule order-22455340 was resolved for invoice22455340
- Azure monitor alert rule Bill Paid INV-d39f76ef94 was resolved for invd39f76ef94
- Azure monitor alert rule Cost Reference INV-22073494 was resolved for purchase22073494
- Azure monitor alert rule Funds Efficiently Acquired-ec5c7acb41 was triggered for subec5c7acb41
- Azure monitor alert rule MemorySpike-9242403-A4 was triggered
- Azure monitor alert rule DiskFull-3426456-A6 was triggered for locker3426456
The campaign relies on creating a sense of urgency, which in this case is the unusual $389 Windows Defender charge, to trick users into calling the listed phone number.
While BleepingComputer did not call the number in this scam, previous callback phishing campaigns led to credential theft, payment fraud, or the installation of remote access software.
As these emails use a more enterprise or corporate theme, they may be intended to gain initial access to corporate networks for follow-on attacks.
Users should treat any Azure or Microsoft alert that includes a phone number or urgent request to resolve billing issues with suspicion.
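A mail-triage check in the spirit of the advice above, as an added example that is not part of the original article: because these alerts pass SPF, DKIM, and DMARC, it scores the message body for a callback number combined with billing language instead of trusting the sender. The sample message, the two regexes, and the `triage` function are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the alert quoted in the article (not a captured message).
SAMPLE = """\
From: Microsoft Azure <azure-noreply@microsoft.com>
Subject: Azure monitor alert rule DiskFull-3426456-A6 was triggered for locker3426456
Authentication-Results: relay.mimecast.com;
 dkim=pass header.d=microsoft.com;
 dmarc=pass (policy=reject) header.from=microsoft.com;
 spf=pass smtp.mailfrom=azure-noreply@microsoft.com
Content-Type: text/plain

Alert rule description MICROSOFT CORPORATION BILLING AND ACCOUNT SECURITY NOTICE.
Our system has detected a potentially unauthorized charge on your account.
If you did NOT authorize this payment, contact our 24/7 Microsoft Account
Security Support at +1 (864) 347-2494 or +1 (864) 347-4846.
"""

# North American style numbers, as used in the lure; widen for other regions.
PHONE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
# Billing and urgency vocabulary taken from the quoted alert text.
LURE = re.compile(r"unauthorized charge|account suspension|fraud detection|"
                  r"authorize this payment|transaction id|billing", re.I)

def triage(raw: str) -> dict:
    """Score an Azure Monitor notification on its content, not on sender authentication."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    body = msg.get_payload()
    body = " ".join(body.split()) if isinstance(body, str) else ""  # multipart omitted
    phones = PHONE.findall(body)
    lure_terms = sorted({m.lower() for m in LURE.findall(body)})
    from_azure = sender == "azure-noreply@microsoft.com"
    return {
        "from_azure_monitor": from_azure,
        "dmarc_pass": "dmarc=pass" in auth,  # true for this campaign, so not a trust signal
        "phones": phones,
        "lure_terms": lure_terms,
        # Quarantine when an Azure alert carries a callback number plus billing language.
        "quarantine": from_azure and bool(phones) and bool(lure_terms),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```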




