What happened
Attackers are abusing Microsoft Azure Monitor alerts to send callback phishing emails that appear to come directly from [email protected], using legitimate Microsoft infrastructure to increase trust and bypass email security checks. According to the report, the campaign works by creating Azure Monitor alerts for easily triggered billing-related events such as orders, invoices, or payments, then inserting callback phishing text into the alert description field. The emails warn recipients about a fake unauthorized charge and urge them to call a listed phone number, creating urgency around account suspension or fraud review. Because the messages are sent through Microsoft’s legitimate platform, they pass SPF, DKIM, and DMARC checks and preserve authentic Microsoft headers, making them more likely to evade spam filters and user suspicion.
Who is affected
Organizations and users receiving Azure billing or monitoring emails are affected, particularly those who may trust messages sent from legitimate Microsoft infrastructure and respond to callback phishing prompts.
Why CISOs should care
The campaign shows how attackers can weaponize trusted cloud notification systems to deliver phishing messages that bypass standard email authentication controls and may be used to gain access to corporate environments.
3 practical actions
- Scrutinize Azure alerts containing phone numbers. Treat any Microsoft or Azure security notice that asks users to call a number about billing or fraud with suspicion.
- Review alerting workflows in Azure Monitor. Check whether alert descriptions and email destinations could be abused to relay malicious callback content.
- Train users on callback phishing. Make sure employees know that a Microsoft alert should not be trusted solely because it passes email authentication checks.
The campaign highlights how attackers are increasingly abusing trusted platforms to deliver scams, a growing trend across modern phishing operations.
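The first action above can be expressed as a content check that runs regardless of the authentication result. The following is an added example, not code from the report or from Microsoft; the sample messages, sender address, phone number, and keyword lists are constructed placeholders, and it assumes a single-part plain-text body.

```python
import re
from email import message_from_string

# Constructed sample: sender address and phone number are placeholders.
SAMPLE = """\
From: Azure Alerts <alerts@microsoft.example>
To: user@corp.example
Subject: Azure Monitor alert: invoice payment
Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Description: An unauthorized charge was detected on your account.
To avoid account suspension call +1 (800) 555-0199 for fraud review.
"""

# Constructed benign alert with the same headers but an operational description.
BENIGN = SAMPLE.replace(
    "An unauthorized charge was detected on your account.\n"
    "To avoid account suspension call +1 (800) 555-0199 for fraud review.",
    "CPU usage exceeded 90% on vm-web-01.")

PHONE = re.compile(
    r"(?<!\d)(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
LURE = re.compile(
    r"unauthorized charge|suspension|fraud|invoice|payment|refund", re.I)
CALL = re.compile(r"\b(call|dial|phone|contact)\b", re.I)


def auth_passed(msg):
    """True when SPF, DKIM and DMARC all report pass."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return all(f"{mech}=pass" in results for mech in ("spf", "dkim", "dmarc"))


def assess(raw):
    """Score the alert body only; passing authentication never lowers the score."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    phones = [m.group(0).strip() for m in PHONE.finditer(body)]
    lure = bool(LURE.search(body))
    call = bool(CALL.search(body))
    return {
        "auth_passed": auth_passed(msg),
        "phones": phones,
        # Phone number + billing/fraud wording + a request to call = hold for review.
        "quarantine": bool(phones) and lure and call,
    }
```

Both sample messages authenticate cleanly, so only the body check separates them.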
