Microsoft Azure Monitor Alerts Used in Callback Phishing Scam

In recent phishing attacks, threat actors have been exploiting Microsoft Azure Monitor alerts to deceive users into believing they are receiving warnings from the Microsoft Security Team regarding unauthorized charges on their accounts.

Microsoft Azure Monitor is a monitoring service offered by Microsoft that gathers and analyzes data from various Azure resources, applications, and infrastructure. It allows users to monitor performance, receive billing notifications, identify issues, and trigger alerts based on specific conditions.

Reports have surfaced of individuals receiving Azure Monitor alerts over the past month, cautioning them about suspicious charges or invoice activities on their accounts. The alerts prompt recipients to contact a provided phone number for further assistance.

The phishing emails mimic legitimate Microsoft billing alerts, stating that unauthorized charges have been detected on the recipient’s account. The email instructs the recipient to verify the transaction to prevent potential account suspension or additional fees. The message includes details such as the merchant name, transaction ID, amount, and date to add legitimacy to the scam.

Interestingly, these phishing emails are not spoofed but are sent directly from the legitimate azure-noreply@microsoft.com email address, making them appear more credible. Additionally, the emails pass SPF, DKIM, and DMARC email security checks, further enhancing their legitimacy.

Attackers behind this campaign leverage Azure Monitor’s alerting capabilities to create alerts for easily triggered conditions related to new orders, payments, invoices, and other billing events. By inputting their phishing message in the alert description field, they can craft convincing messages that appear to originate from Microsoft.

These phishing emails are disseminated by configuring alerts to send emails to a mailing list controlled by the attackers. This method helps maintain the original Microsoft headers and authentication results, allowing the emails to evade spam filters and user suspicion.

Types of Alert Categories Used in the Campaign

• Azure monitor alert rule order-22455340 was resolved for invoice22455340
• Azure monitor alert rule Invoice Paid INV-d39f76ef94 was resolved for invd39f76ef94
• Azure monitor alert rule Payment Reference INV-22073494 was resolved for purchase22073494
• Azure monitor alert rule Funds Successfully Received-ec5c7acb41 was triggered for subec5c7acb41
• Azure monitor alert rule MemorySpike-9242403-A4 was triggered
• Azure monitor alert rule DiskFull-3426456-A6 was triggered for locker3426456

The attackers aim to create a sense of urgency by highlighting unusual charges, such as the $389 Windows Defender transaction, to prompt recipients to call the provided phone number. Previous callback phishing campaigns have led to credential theft, payment fraud, or the installation of remote access software.

These phishing emails, with a corporate theme, may be used to gain initial access to corporate networks for subsequent attacks. Users are advised to approach any Azure or Microsoft alert containing a phone number or urgent request to resolve billing issues with caution.

Protecting Against Phishing Scams

It is crucial for individuals and organizations to remain vigilant against phishing scams and take proactive measures to protect themselves. Being aware of common phishing tactics, verifying the authenticity of emails from purported sources, and refraining from clicking on suspicious links or providing personal information can help mitigate the risk of falling victim to such schemes.