Microsoft Azure Monitor callback phishing campaign
Campaign
Summary
A callback phishing campaign is abusing Microsoft Azure Monitor alerts to send fake billing warnings through legitimate Microsoft mail flow, making the messages more believable to recipients. The operation has been active over the past month and uses urgent notices about unauthorized charges to pressure people into calling attacker-controlled numbers. The trusted sender path and preserved authentication results raise the chance that the lure will bypass spam filters and user suspicion.
Related Happenings
QR code phishing surged across email threats in Q1 2026
Target Trend
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
**Q1 2026** email-threat telemetry shows **QR code phishing** and **CAPTCHA-gated phishing** rising quickly, increasing the risk of **credential theft** across **organizations**....
Microsoft 365 mailbox-rule abuse rises across breached accounts in Q4 2025
Target Trend
First: 13.04.2026 18:00
Last: 13.04.2026 18:00
Sources 1
About this happening:
In **Q4 2025**, about **10%** of breached **Microsoft 365** accounts had malicious mailbox rules created within seconds of compromise, increasing **persistence**, **data theft**,...
Russian state-sponsored hackers' ongoing Signal and WhatsApp phishing campaign
Campaign
First: 09.03.2026 23:24
Last: 09.03.2026 23:24
Sources 1
About this happening:
An **ongoing Russian state-sponsored phishing campaign** is targeting **Signal** and **WhatsApp** users, with the **UK NCSC** warning on **March 31** that **Russia-based actors**...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
Global phishing and identity-compromise trend across Darktrace customers in 2025
Target Trend
First: 26.02.2026 17:00
Last: 26.02.2026 17:00
Sources 1
About this happening:
**Darktrace** telemetry showed a sharp rise in **identity-driven phishing** across its **global customer base** in **2025**, with **more than 32 million** high-confidence phishing...
Timeline
21.03.2026 16:09 · 2 articles
Azure Monitor callback phishing campaign disclosed
Initial Disclosure
A callback phishing campaign is abusing Microsoft Azure Monitor alert messages to impersonate Microsoft Security Team billing warnings, using urgent unauthorized-charge language, attacker-controlled phone numbers, and legitimate [email protected] delivery that passes SPF, DKIM, and DMARC checks.
- Microsoft Azure Monitor alerts abused in callback phishing campaigns — www.bleepingcomputer.com — 21.03.2026 16:09