Threat actors are abusing Microsoft Azure Monitor to send callback phishing emails that impersonate the Microsoft Account Security Team and warn of unauthorized billing charges. These alerts are sent from [email protected] and pass SPF, DKIM, and DMARC checks, using editable alert descriptions and attacker-controlled mailing lists to deliver urgent invoice-themed messages urging victims to call fraudulent phone numbers. #AzureMonitor #WindowsDefender
Keypoints
- Attackers create Azure Monitor alerts with invoice- and payment-themed descriptions that include callback phishing instructions.
- Emails originate from [email protected] and pass SPF, DKIM, and DMARC, making them appear legitimate.
- Alerts are triggered by easily met conditions and forwarded via attacker-controlled mailing lists while preserving original Microsoft headers.
- The campaign uses urgency, such as a fake $389 Windows Defender charge, to coax victims into calling numbers that can lead to credential theft, payment fraud, or remote access installations.
- Treat any Azure or Microsoft alert that includes a phone number or urgent billing request with suspicion and verify via official account portals or support channels.
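The check in the last point can be automated at the mail gateway. The following is an added example, not code from the original article: it holds a message that pairs a phone number with billing language even when the sender is authenticated. The keyword list, phone pattern, `triage` function, sender local part, addresses and phone number are all assumptions or constructed sample data.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed vocabulary and phone format for this example; tune for your mail flow.
BILLING = re.compile(r"\b(invoice|charged?|payment|billing|refund)\b", re.I)
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")

def auth_passed(msg):
    """True only if SPF, DKIM and DMARC all report pass."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return all(f"{mech}=pass" in results for mech in ("spf", "dkim", "dmarc"))

def triage(raw, recipient, trusted_domain="microsoft.com"):
    """Return (verdict, reasons) for one delivered message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = msg.get_payload()
    reasons = []
    if sender.endswith("@" + trusted_domain) and auth_passed(msg):
        reasons.append("authenticated-microsoft-sender")
    if PHONE.search(body):
        reasons.append("phone-number-in-body")
    if BILLING.search(body):
        reasons.append("billing-language")
    # Delivered to someone not named in To/Cc: consistent with list redistribution.
    named = msg.get_all("To", []) + msg.get_all("Cc", [])
    if recipient.lower() not in {addr.lower() for _, addr in getaddresses(named)}:
        reasons.append("recipient-not-addressed")
    # Passing authentication proves the sending service, not the intent of the
    # alert text, so it never exempts a message from the content check.
    suspicious = {"phone-number-in-body", "billing-language"} <= set(reasons)
    return ("hold" if suspicious else "deliver"), reasons

# Constructed samples; the sender local part and phone number are placeholders.
HEADERS = """\
From: Microsoft Azure <placeholder-sender@microsoft.com>
To: {to}
Subject: Azure Monitor alert fired
Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass

"""
LURE = HEADERS.format(to="list@redistribution.example") + (
    "Microsoft Account Security Team: a charge of $389.00 for Windows Defender "
    "was processed. If you did not authorize this payment, call +1 (555) 010-0199.\n")
BENIGN = HEADERS.format(to="ops@corp.example") + (
    "Alert rule cpu-high fired: metric value 93 percent. View it in the Azure portal.\n")

if __name__ == "__main__":
    print(triage(LURE, "victim@corp.example"))
    print(triage(BENIGN, "ops@corp.example"))
```

Both samples pass SPF, DKIM and DMARC; only the message content and the recipient mismatch separate the lure from the routine alert.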