
Microsoft Azure Monitor Alerts Abused for Callback Phishing Attacks
Why It Matters
The abuse erodes confidence in Azure’s native notifications and provides attackers a high‑fidelity channel for credential theft, potentially compromising corporate networks. Organizations must adjust monitoring and alert policies to block such misuse.
Key Takeaways
- Azure Monitor alerts can deliver authentic‑looking phishing emails
- Attackers embed malicious text in alert description fields
- Emails pass SPF, DKIM, DMARC, evading spam filters
- Campaign uses urgent billing language and callback phone numbers
- Mitigation requires restricting alert recipients and monitoring rule creation
Pulse Analysis
Microsoft’s Azure Monitor, a core observability service, has unexpectedly become a delivery vector for callback phishing. By leveraging the platform’s native email notifications, threat actors send messages that appear to originate from azure‑noreply@microsoft.com, complete with passing SPF, DKIM and DMARC checks. The emails mimic official billing alerts, citing unauthorized charges and urging recipients to call a phone number. Because the messages travel through Microsoft’s own infrastructure, they evade most spam filters and gain an unwarranted level of trust, raising the stakes for both individual users and corporate security teams.
Attackers create custom Azure Monitor alert rules that trigger on trivial events such as new orders or invoice generation. The description field, which accepts free‑form text, is populated with a fabricated billing warning and the malicious phone numbers. Once the rule fires, the platform sends the alert to a distribution list controlled by the adversary, which then forwards it to the target audience while preserving the original Microsoft headers. This technique retains legitimate authentication results, allowing the phishing payload to bypass ARC, SPF, and DMARC checks that would normally flag spoofed messages.
The abuse highlights a growing trend: cloud‑native services being repurposed for social engineering. Enterprises that rely on Azure Monitor for operational visibility must now treat any alert containing phone numbers or urgent billing requests as suspicious, regardless of its apparent authenticity. Recommended mitigations include restricting alert email recipients, disabling external forwarding, and implementing secondary verification for any financial‑related communications. As cloud providers tighten API permissions and audit logging, security teams should monitor for anomalous alert rule creations to detect early signs of this phishing vector before it reaches end users.
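As an added example, not code from the report or from Microsoft, the following Python check shows the kind of review a defender could run over alert rule creation records to flag descriptions that pair a phone number with urgent billing language. The record field names, caller identities and phone numbers are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed alert-rule creation records, loosely modelled on what a
# defender might export from Azure Activity Log. Field names are assumptions.
ALERT_RULE_EVENTS = [
    {"rule": "billing-notice-01", "caller": "svc-unknown@contoso.example",
     "description": "URGENT: an unauthorized charge of $799.00 was billed to your "
                    "account. Call 1-800-555-0199 immediately to dispute."},
    {"rule": "cpu-high-prod", "caller": "ops@contoso.example",
     "description": "CPU above 90% for 5 minutes on prod web tier"},
    {"rule": "invoice-generated", "caller": "svc-unknown@contoso.example",
     "description": "Your invoice is ready. For questions contact support at "
                    "+1 (202) 555-0143 within 24 hours to avoid suspension."},
]

# North American style numbers with optional country code and separators.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

# Urgency and billing vocabulary typical of callback phishing lures.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspension",
                 "unauthorized charge", "dispute", "billed", "invoice", "refund")


@dataclass
class Finding:
    rule: str
    phones: list
    terms: list


def score_description(text):
    """Return (phone numbers, urgency terms) found in an alert description."""
    lowered = text.lower()
    phones = PHONE_RE.findall(text)
    terms = [t for t in URGENCY_TERMS if t in lowered]
    return phones, terms


def flag_callback_phishing(events):
    """Flag rules whose description combines a phone number with billing/urgency language.

    Either indicator alone is common in legitimate alerts; the pairing is what
    matches the campaign described above, so only that pairing is reported.
    """
    findings = []
    for ev in events:
        phones, terms = score_description(ev.get("description", ""))
        if phones and terms:
            findings.append(Finding(ev["rule"], phones, terms))
    return findings
```

A flagged rule is a starting point for review, not a verdict: the caller identity and the action group's email recipients should be checked alongside the description.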