Full Report
Microsoft Azure Monitor alerts are being abused to send callback phishing emails that impersonate warnings from the Microsoft Security Team about unauthorized charges on your account. [...]
Analysis Summary
# Incident Report: Abuse of Microsoft Azure Monitor Alerts for Callback Phishing
## Executive Summary
Threat actors are leveraging legitimate Microsoft Azure Monitor alert infrastructure to send callback phishing emails that bypass traditional email security filters. By embedding fraudulent billing messages and premium-rate/scam phone numbers into alert descriptions, attackers impersonate Microsoft Security Team warnings regarding unauthorized charges. The campaign aims to induce urgency in victims, leading to credential theft, financial fraud, or remote access software installation.
## Incident Details
- **Discovery Date:** March 2026 (Reports increasing over the preceding month)
- **Incident Date:** Ongoing (Active since February/March 2026)
- **Affected Organization:** Multiple (Distributed targeting)
- **Sector:** Cross-sector (General consumers and corporate entities)
- **Geography:** Global (Primarily English-speaking targets)
## Timeline of Events
### Initial Access
- **Date/Time:** Circa February 2026.
- **Vector:** Official Microsoft Azure Monitor notification system.
- **Details:** Attackers create malicious Azure Monitor alerts with custom descriptions containing phishing lures (e.g., "unauthorized charge on your account").
### Lateral Movement
- **Movement:** In these callback scenarios, lateral movement typically occurs *after* a victim calls the number and is convinced to install Remote Monitoring and Management (RMM) tools or provide corporate credentials.
### Data Exfiltration/Impact
- **Impact:** Potential for credential harvesting, financial loss via fraudulent payments, or full workstation compromise leading to ransomware.
### Detection & Response
- **Discovery:** Reported by users on community forums (Reddit) and Microsoft Q&A.
- **Response Actions:** Public disclosure by security researchers (BleepingComputer) to warn users of the legitimate sender address `azure-noreply@microsoft[.]com` being used for fraud.
## Attack Methodology
- **Initial Access:** Abuse of legitimate cloud services (Living-off-the-Cloud).
- **Persistence:** Not applicable for the email phase; achieved via RMM tools if the callback is successful.
- **Privilege Escalation:** Not applicable at the email phase.
- **Defense Evasion:** Emails pass SPF, DKIM, and DMARC because they originate from Microsoft's authoritative IP ranges (e.g., `40.107.200[.]103`).
- **Credential Access:** Solicited via social engineering over the phone.
- **Discovery:** Use of attacker-controlled mailing lists to distribute alerts to broad target sets.
- **Lateral Movement:** Execution of remote desktop software by the victim under guidance from the "agent."
- **Collection:** Social engineering of PII and banking details.
- **Exfiltration:** Standard outbound traffic via RMM or manual theft.
- **Impact:** Financial fraud (fraudulent charges for "Windows Defender") and potential network breach.
## Impact Assessment
- **Financial:** High potential—scams cite charges of ~$389.90 USD; potential for larger corporate losses.
- **Data Breach:** High risk—credential harvesting during the "verification" phone call.
- **Operational:** Low—does not affect the core Azure service, only exploits its notification feature.
- **Reputational:** Moderate—impacts trust in legitimate Microsoft notification channels.
## Indicators of Compromise
- **Sender Address:** `azure-noreply@microsoft[.]com` (Note: This is a legitimate service used for malicious content).
- **Phone Numbers:**
  - `+1 (864) 347-2494`
  - `+1 (864) 347-4846`
- **Email Subject Patterns:**
  - "Azure monitor alert rule order-22455340..."
  - "Microsoft Account Security Notice (REF: MS-FRA-6673829-KP)"
- **IP Address:** `40.107.200[.]103` (Legitimate Microsoft Relay).
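A defender-side triage check for the pattern this report describes, written as an added example (not code from the original report or from Microsoft): it parses a raw email, deliberately ignores the SPF/DKIM/DMARC result, and flags messages that combine the Azure relay sender or alert-style subject with a callback phone number and a billing lure. The IoC values come from the list above; the two sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# IoC values are from the report above; KNOWN_CALLBACK_NUMBERS holds their bare digits.
LEGIT_SENDER = "azure-noreply@microsoft.com"
KNOWN_CALLBACK_NUMBERS = {"8643472494", "8643474846"}
SUBJECT_RE = re.compile(r"azure monitor alert rule|microsoft account security notice", re.I)
PHONE_RE = re.compile(r"\+?1?[\s.-]*\(?(\d{3})\)?[\s.-]*(\d{3})[\s.-]*(\d{4})")
LURE_RE = re.compile(r"unauthori[sz]ed|charge|refund|billing|\$\s?\d+", re.I)
CALLBACK_RE = re.compile(r"\b(?:call|contact|dial)\b[^.\n]{0,60}?\d{3}", re.I)

def triage(raw: str) -> dict:
    """Score one raw RFC 5322 message for the callback-phishing pattern in this report."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    phones = {"".join(groups) for groups in PHONE_RE.findall(body)}
    findings = {
        "azure_relay_sender": sender == LEGIT_SENDER,
        "alert_subject": bool(SUBJECT_RE.search(msg.get("Subject", ""))),
        "phone_numbers": sorted(phones),
        "known_ioc_number": bool(phones & KNOWN_CALLBACK_NUMBERS),
        "billing_lure": bool(LURE_RE.search(body)),
        "callback_instruction": bool(CALLBACK_RE.search(body)),
    }
    # Authentication-Results is never consulted: these mails pass SPF/DKIM/DMARC legitimately.
    # A genuine alert has no number to call, so relay sender + phone + lure is the signal.
    findings["suspect"] = (
        (findings["azure_relay_sender"] or findings["alert_subject"])
        and bool(phones)
        and (findings["billing_lure"] or findings["callback_instruction"])
    )
    return findings

# Constructed samples: a lure in the style the report describes, and an ordinary metric alert.
PHISH = """\
From: Microsoft Azure <azure-noreply@microsoft.com>
Subject: Azure monitor alert rule order-22455340 was activated
Authentication-Results: spf=pass dkim=pass dmarc=pass

Microsoft Security Team notice: an unauthorized charge of $389.90 was placed on your
account. To stop the charge, call +1 (864) 347-2494 immediately.
"""
BENIGN = """\
From: Microsoft Azure <azure-noreply@microsoft.com>
Subject: Azure monitor alert rule cpu-high was activated

Percentage CPU on vm-web exceeded the threshold of 90. Contact your platform team.
"""
```

Because the relay is legitimate, the check scores the alert body rather than the sender, so a genuine threshold alert from the same address passes while the lure is flagged.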
## Response Actions
- **Containment:** Organizations should block the specific phone numbers at the telecommunications level if possible.
- **Eradication:** Microsoft needs to identify and terminate the Azure subscriptions/tenants generating these malicious alert rules.
- **Recovery:** Users who called the numbers should be treated as compromised (password resets, session revocations, and device scanning).
## Lessons Learned
- **Key Takeaways:** Even "perfect" email authentication (SPF/DKIM/DMARC) does not guarantee the content of an email is safe if the service itself (Azure) is abused.
- **System Weakness:** The "Alert Description" field in Azure Monitor lacks input validation or content filtering for phishing keywords.
## Recommendations
- **Employee Training:** Instruct staff that legitimate Microsoft billing alerts will rarely, if ever, request an immediate callback to a provided phone number to "stop" a charge.
- **Verification:** Always verify billing through the official Microsoft 365 Admin Center or Azure Portal directly, rather than via links or phone numbers in emails.
- **Policy:** Implement "Stay on the Line" or "Report Message" procedures within the email client even for "Internal" or "Trusted" sender domains.