
Abuse of Microsoft Azure Monitor alerting system in callback phishing campaigns

1 unique source, 1 article

Summary


Threat actors are abusing Microsoft Azure Monitor’s alerting functionality to deliver callback phishing emails that impersonate Microsoft Security Team billing alerts. The emails are sent via Azure’s legitimate platform using the [email protected] address and pass SPF, DKIM, and DMARC checks, which increases their credibility. Attackers place the phishing message in the alert's description field and target users with fake unauthorized-charge warnings that urge them to call fraudulent support numbers. The campaign relies on easily triggered alert rules tied to billing, invoice, payment, and resource-related events. The resulting emails are forwarded to victim lists with the original Microsoft headers and authentication results preserved, which lets them bypass spam filters.

Timeline

  1. 21.03.2026 16:09 · 1 article

    Azure Monitor alert phishing campaign escalates with legitimate email delivery mechanism

    Threat actors are exploiting Microsoft Azure Monitor’s alerting platform to send callback phishing emails that bypass email security controls. The emails originate from [email protected] and pass SPF/DKIM/DMARC validation, carrying phishing messages embedded in alert descriptions tied to billing and resource events. Targets receive fake billing alerts that urge them to call fraudulent support numbers; prior campaigns have been linked to credential theft and remote access compromise.


Information Snippets

  • Azure Monitor alerting allows attackers to insert arbitrary phishing content into the alert description field, which is then delivered to targets via the legitimate [email protected] address.

    First reported: 21.03.2026 16:09
    1 source, 1 article
  • Emails sent through this method pass SPF, DKIM, and DMARC checks, appearing as legitimate Microsoft communications despite being crafted by attackers.

    First reported: 21.03.2026 16:09
    1 source, 1 article
  • Alert rules are triggered by conditions such as invoice payments, order processing, or resource spikes (e.g., DiskFull, MemorySpike), using themes designed to create urgency (e.g., a $389 Windows Defender charge).

    First reported: 21.03.2026 16:09
    1 source, 1 article
  • Attackers configure alerts to send emails to mailing lists under their control, which then forward the messages to targeted victims while preserving original Microsoft headers and authentication results.

    First reported: 21.03.2026 16:09
    1 source, 1 article
  • Callback phishing emails instruct recipients to call fraudulent support numbers (+1 864-347-2494, +1 864-347-4846), where prior campaigns have resulted in credential theft, payment fraud, or remote access software installation.

    First reported: 21.03.2026 16:09
    1 source, 1 article
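Because these messages pass SPF, DKIM, and DMARC, triage has to rest on content and on the forwarding mismatch rather than on authentication. The following is an added detection sketch, not code from the source article: the sender address, domains, phone number, regexes and verdict logic are all constructed assumptions, with the placeholder sender standing in for the obfuscated address above.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: placeholder for the alert platform's sender (obfuscated on the page).
PLATFORM_SENDER = "alerts@platform.example"
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}")
LURE_RE = re.compile(r"\b(unauthori[sz]ed|charge|invoice|payment|billing|refund)\b", re.I)

def triage(raw: str, delivered_to: str) -> dict:
    """Return the callback-phishing indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # the sample is single-part text/plain
    sender = parseaddr(msg.get("From", ""))[1].lower()
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    addressed = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses(addressed)}
    hits = {
        "platform_sender": sender == PLATFORM_SENDER,
        "auth_pass": "dmarc=pass" in auth,
        "phone_in_body": bool(PHONE_RE.search(body)),
        "billing_lure": bool(LURE_RE.search(body)),
        "recipient_not_addressed": delivered_to.lower() not in visible,
    }
    # A DMARC pass is expected for these messages, so it is recorded but not scored.
    # The verdict needs a phone number plus a billing lure or a forwarding mismatch.
    hits["suspicious"] = (hits["platform_sender"] and hits["phone_in_body"]
                          and (hits["billing_lure"] or hits["recipient_not_addressed"]))
    return hits

# Constructed sample message (not taken from the campaign).
SAMPLE = """\
From: Alerts <alerts@platform.example>
To: list@forwarder.example
Subject: Alert fired: invoice payment
Authentication-Results: mx.victim.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Description: Unauthorized charge of $100.00 detected on your account.
Call support at +1 202-555-0147 to cancel.
"""

if __name__ == "__main__":
    print(triage(SAMPLE, "user@victim.example"))
```

Genuine operational alerts rarely carry a phone number in the description, so matches are best routed to analyst review or a warning banner rather than silently dropped.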