LmCast :: Stay tuned in

Microsoft Azure Monitor alerts abused in callback phishing campaigns

Recorded: March 21, 2026, 3 p.m.

Microsoft Azure Monitor alerts abused for callback phishing attacks

By Lawrence Abrams

March 21, 2026
10:09 AM

Microsoft Azure Monitor alerts are being abused to send callback phishing emails that impersonate warnings from the Microsoft Security Team about unauthorized charges on your account.
Azure Monitor is Microsoft's cloud-based monitoring service that collects and analyzes data from Azure resources, applications, and infrastructure. It enables users to track performance, receive notifications about billing changes, detect issues, and trigger alerts based on various conditions.
Over the past month, numerous people have reported receiving Azure Monitor alerts warning of suspicious charges or invoice activity on their accounts, urging them to call an enclosed phone number.
"Alert rule description MICROSOFT CORPORATION BILLING AND ACCOUNT SECURITY NOTICE (REF: MS-FRA-6673829-KP). Our system has detected a potentially unauthorized charge on your account. Transaction Details: Merchant: Windows Defender. Transaction ID: PP456-887A-22B. Amount: 389.90 USD. Date: 03/05/2026l," reads the fake billing alert.
"For your protection, this transaction has been temporarily placed on hold by our Fraud Detection Team. To prevent possible account suspension or additional fees, please verify this transaction immediately. If you did NOT authorize this payment, contact our 24/7 Microsoft Account Security Support at +1 (864) 347-2494 or +1 (864) 347-4846."
"We apologize for any inconvenience and appreciate your prompt response. Microsoft Account Security Team."

Microsoft Azure Monitor alert used in a callback phishing scam (Source: BleepingComputer)

Unlike other phishing campaigns, these messages are not spoofed, but are sent directly by the Microsoft Azure Monitor platform using the legitimate azure-noreply@microsoft.com email address.
As the emails are sent through Microsoft's legitimate email platforms, they pass SPF, DKIM, and DMARC email security checks, making them appear more trustworthy.

Authentication-Results: relay.mimecast.com;
    dkim=pass header.d=microsoft.com header.s=s1024-meo header.b=CKfQ8iOB;
    arc=pass ("microsoft.com:s=arcselector10001:i=1");
    dmarc=pass (policy=reject) header.from=microsoft.com;
    spf=pass (relay.mimecast.com: domain of azure-noreply@microsoft.com designates 40.107.200.103 as permitted sender) smtp.mailfrom=azure-noreply@microsoft.com

The threat actors are conducting this campaign by creating alerts in Azure Monitor for easily triggered conditions, such as new orders, payments, generated invoices, and other billing events.
When creating an alert, you can enter any message you want in the description field, which the attackers use to carry their callback phishing message.

Description field when creating an Azure Monitor alert (Source: Microsoft)

These alerts are then configured to send emails to what is believed to be a mailing list under the attacker's control, which forwards the email to all the targeted people in the attack.
This also preserves the original Microsoft headers and authentication results, helping the emails bypass spam filters and user suspicion.
BleepingComputer has seen multiple alert categories used in this campaign, mostly using invoice and payment-themed rules designed to resemble automated billing notifications:
Azure monitor alert rule order-22455340 was resolved for invoice22455340
Azure monitor alert rule Invoice Paid INV-d39f76ef94 was resolved for invd39f76ef94
Azure monitor alert rule Payment Reference INV-22073494 was resolved for purchase22073494
Azure monitor alert rule Funds Successfully Received-ec5c7acb41 was triggered for subec5c7acb41
Azure monitor alert rule MemorySpike-9242403-A4 was triggered
Azure monitor alert rule DiskFull-3426456-A6 was triggered for locker3426456
The campaign relies on creating a sense of urgency, which in this case is the unusual $389 Windows Defender charge, to trick the users into calling the listed phone number.
While BleepingComputer did not call the number in this scam, previous callback phishing campaigns led to credential theft, payment fraud, or the installation of remote access software.
As these emails use a more enterprise or corporate theme, they may be intended to gain initial access to corporate networks for follow-on attacks.
Users should treat any Azure or Microsoft alert that includes a phone number or urgent request to resolve billing issues with suspicion.
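
A triage heuristic for the advice above, as an added example that is not part of the original article: because these alerts pass SPF, DKIM, and DMARC, it scores mail from azure-noreply@microsoft.com on content (a phone number plus billing or urgency wording) instead. The sample messages, placeholder phone number, term list, and verdict names are constructed assumptions, and a single-part plain-text body is assumed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

AZURE_SENDER = "azure-noreply@microsoft.com"  # sender address named in the article
# North American number shapes, e.g. "+1 (555) 010-0199" or "555-010-0199".
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
# Billing and urgency wording taken from the lure quoted in the article.
LURE_TERMS = ("unauthorized charge", "account suspension", "fraud detection",
              "verify this transaction", "did not authorize")

def auth_passed(msg):
    """True when Authentication-Results reports pass for SPF, DKIM and DMARC."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return all(f"{check}=pass" in results for check in ("spf", "dkim", "dmarc"))

def triage(raw):
    """Return (verdict, reasons) for one raw message with a plain-text body."""
    msg = message_from_string(raw)
    if parseaddr(msg.get("From", ""))[1].lower() != AZURE_SENDER:
        return "not-azure-monitor", []
    body = str(msg.get_payload()).lower()
    has_phone = bool(PHONE_RE.search(body))
    hits = [t for t in LURE_TERMS if t in body]
    reasons = []
    if has_phone:
        reasons.append("phone number in alert text")
    if hits:
        reasons.append("billing/urgency wording: " + ", ".join(hits))
    if auth_passed(msg):
        # Passing checks only prove Microsoft sent it, not who wrote the description.
        reasons.append("SPF/DKIM/DMARC pass (sender is genuine, content is not vetted)")
    # 0 signals: deliver, 1 signal: review, both signals: quarantine.
    return ("deliver", "review", "quarantine")[has_phone + bool(hits)], reasons

# Constructed sample messages (not captured mail); the phone number is a placeholder.
_HDR = ("From: Microsoft Azure <azure-noreply@microsoft.com>\n"
        "Authentication-Results: mx.example.test; dkim=pass header.d=microsoft.com;\n"
        " dmarc=pass header.from=microsoft.com; spf=pass smtp.mailfrom=microsoft.com\n")
LURE = (_HDR + "Subject: Azure monitor alert rule Invoice Paid was resolved\n\n"
        "Our system has detected a potentially unauthorized charge on your account.\n"
        "If you did NOT authorize this payment, contact support at +1 (555) 010-0199.\n")
BENIGN = (_HDR + "Subject: Azure monitor alert rule MemorySpike was triggered\n\n"
          "Memory usage on vm-web-01 exceeded 90 percent for 5 minutes.\n")
OTHER = "From: billing@example.test\nSubject: Invoice\n\nCall 555-010-0199 today.\n"

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN), ("other", OTHER)):
        print(name, triage(raw))
```

Both the lure and the benign alert carry identical passing authentication results, so only the content signals separate them.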

Microsoft Azure Monitor alerts are being exploited in a sophisticated callback phishing campaign. According to a report by Lawrence Abrams for BleepingComputer, adversaries are abusing the legitimate Azure Monitor platform to send fraudulent alerts resembling Microsoft Security Team notifications regarding unauthorized charges on user accounts. This tactic leverages the trust associated with Microsoft’s services to bypass user caution. The core of the attack involves creating custom alerts within Azure Monitor that trigger based on common billing events, such as new orders or invoice activity. These alerts then generate emails, mimicking legitimate Microsoft communications, that instruct recipients to contact a provided phone number to resolve the issue. These emails utilize the azure-noreply@microsoft.com email address, passing SPF, DKIM, and DMARC authentication checks, thereby enhancing their credibility and facilitating their passage through standard spam filters.

The attackers are specifically targeting alert rules related to invoices and payments, crafting messages that create a sense of urgency – in this instance, a fabricated $389 charge from Windows Defender – to pressure victims into immediately contacting the scammer’s phone numbers. The campaign employs multiple alert categories to maximize its effectiveness and evade detection. The utilized alert rules include those related to order payments and invoice processing events. The emails are designed to appear authentic, preserving the original Microsoft header information and authentication results, to amplify the deception. This intricate approach demonstrates a strategic understanding of Microsoft’s monitoring infrastructure and security protocols. The potential outcome of such interactions is often the compromise of user credentials, leading to financial fraud, or the installation of malware via remote access tools. Given the enterprise-oriented nature of these emails, it is hypothesized that the ultimate goal of the attack is to gain initial access to corporate networks for subsequent, more targeted attacks. Users are strongly advised to exercise extreme caution when receiving any Azure or Microsoft alerts that include a phone number or request immediate action concerning billing issues, treating them with heightened suspicion.