
Criminals disguise themselves as Microsoft security team

Criminals are misusing legitimate Azure Monitor emails for phishing and using them to send convincingly genuine-looking invoices and security warnings. The notifications are styled as official notices about supposed problems with Microsoft accounts.

Lure victims with warnings

Azure Monitor is the central service companies use to monitor resources, applications and infrastructure in the Microsoft cloud, evaluate performance data and trigger automated alerts. It is precisely this alerting function that the fraudsters are now exploiting, dressing up their contact attempts as urgent security notifications. The cases currently being observed involve allegedly unauthorized debits, such as a “Windows Defender” payment of $389.90. The emails describe the supposed incident with a transaction ID and date and claim that the payment has been temporarily stopped. Recipients are told to call one of the phone numbers provided for “security verification” in order to avoid account suspension or additional charges.

The critical point is that the messages do not come from spoofed senders but are sent directly through Azure Monitor, and therefore from the real address azure-noreply@microsoft.com. Because they originate from Microsoft’s infrastructure, the emails pass SPF, DKIM and DMARC checks and appear legitimate to many filters and users. The original headers and authentication results are also retained when the emails are forwarded to the actual targets via distribution lists the attackers control.

The perpetrators create alert rules in Azure Monitor for easily triggered events – such as new orders, payments or generated invoices – and attach their crafted description text to them. BleepingComputer has seen several variants of such rules, including supposedly automated invoice messages as well as technical alert messages. What they have in common is that they look like typical corporate notifications and therefore blend in particularly well in business environments.

Callback attacks

The aim of the campaign is to get a foot in the door through the callback – for example for social engineering, credential theft, fraudulent payments or the installation of remote-access software. Although the specific phone numbers were not tested in the current case, similar “callback” attacks in the past led to exactly these kinds of follow-up steps.

For companies, this can be the first step towards further attacks on the network. Users should therefore be suspicious whenever Azure or Microsoft emails suddenly contain telephone numbers and urgent calls to action regarding billing or security. Instead of dialing the number provided, we recommend checking your own Azure or Microsoft 365 portal directly – or contacting the official support channels.
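As an added defensive illustration that is not part of the article, the rule of thumb from the paragraph above expressed as a small Python triage check: a message from the genuine Azure Monitor sender that passes authentication yet combines billing language, urgency and a phone number is scored as suspicious rather than trusted. Both sample messages are constructed here; the phone number and transaction ID are placeholders.

```python
import re
from email import message_from_string

# Constructed sample messages (not taken from the article). The headers mimic a
# real Azure Monitor notification that passed SPF/DKIM/DMARC at the receiving MX.
SAMPLE_LURE = """From: Microsoft Azure <azure-noreply@microsoft.com>
To: finance@example.com
Subject: Alert: Windows Defender payment of $389.90 processed
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Your account was charged $389.90 for Windows Defender (transaction ID TX-PLACEHOLDER).
The payment has been temporarily stopped. Call +1 (555) 010-0199 within 24 hours
for security verification to avoid account suspension or additional charges.
"""

SAMPLE_BENIGN = """From: Microsoft Azure <azure-noreply@microsoft.com>
To: ops@example.com
Subject: Azure Monitor alert: CPU above 90 percent on vm-web-01
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Severity 2 alert fired for resource vm-web-01. View details in the Azure portal.
"""

PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
URGENCY = ("call", "verif", "suspension", "suspended", "within 24 hours", "immediately")
BILLING = ("payment", "invoice", "charged", "debit", "transaction", "refund", "$")


def score_azure_notification(raw: str) -> dict:
    """Triage one raw RFC 822 message. Passing authentication is expected for mail
    relayed by Azure Monitor, so it is recorded but never counted as evidence of safety."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    sender = (msg.get("From") or "").lower()
    auth = (msg.get("Authentication-Results") or "").lower()
    # Keep only candidates with at least seven digits so prices and dates are skipped.
    phones = [p.strip() for p in PHONE_RE.findall(text) if sum(c.isdigit() for c in p) >= 7]
    hits = {
        "from_azure_noreply": "azure-noreply@microsoft.com" in sender,
        "auth_pass": "dmarc=pass" in auth,
        "phone_numbers": phones,
        "urgency_terms": [w for w in URGENCY if w in text],
        "billing_terms": [w for w in BILLING if w in text],
    }
    # The article's rule of thumb: Azure mail + phone number + urgent billing/security wording.
    hits["suspicious"] = (hits["from_azure_noreply"] and bool(phones)
                          and bool(hits["urgency_terms"]) and bool(hits["billing_terms"]))
    return hits
```

A mail gateway or SOAR playbook would route anything scored suspicious to a quarantine or analyst queue; the genuine alert about vm-web-01 passes through untouched.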
