Azure Monitor Alerts Abused in Callback Phishing Campaign

Prepared by: Adam Skupien, Vulnerability Security Analyst | Published: Mon 23 March 2026

Purpose

Microsoft Azure Monitor alert emails are being abused in a callback phishing campaign. In reported cases, the emails are sent through legitimate Microsoft infrastructure and may originate from legitimate Microsoft-owned addresses such as azure-noreply@microsoft.com. The malicious element is not sender spoofing, but the content of the alert itself, which uses fraudulent billing, account, or security language to pressure recipients into calling an attacker-controlled phone number. 

Details

Azure Monitor uses action groups to send alert notifications by email and other channels when an alert rule is triggered. Public reporting and Microsoft-hosted responses indicate attackers are abusing this workflow by adding target email addresses as alert recipients, embedding scam callback content in the alert, and then triggering the rule so Azure delivers the message through Microsoft’s normal notification pipeline.

To do this, the attacker needs an Azure identity with sufficient permissions to create or modify alert rules and their associated action groups. That identity may belong to a subscription the attacker controls or to one they have compromised. Public reporting to date points mainly to abuse of legitimate Azure alerting from attacker-controlled subscriptions, rather than to a compromise of each organisation that receives one of these emails. In practice, an attacker may need nothing more than a list of target email addresses and an Azure subscription of their own to deliver the lure.

The key takeaway for recipients is that a Microsoft sender address, valid email authentication, or Microsoft branding does not by itself make the message trustworthy. In this campaign the delivery infrastructure is legitimate while the message body is malicious, so these emails are likely to pass standard email authentication checks such as SPF, DKIM, and DMARC. A passing result proves only that Microsoft's infrastructure sent the message, not that the alert content is legitimate.

Microsoft’s expected handling model for Azure Monitor alerts is for recipients to review and validate them through the Azure portal and related alert workflows, not by calling a phone number included in the email. Recipients should not call phone numbers or click links in suspicious Azure alert emails. Any claimed alert, billing issue, or account problem should instead be verified directly through the appropriate Microsoft or Azure portal using a trusted bookmark or manually entered address.

Recommendations

Do not use callback details contained in unexpected Azure alert emails. Verify alerts directly in the Azure or Microsoft account portal. Treat urgent billing, refund, fraud, or “security team” language as suspicious, even when the sender appears legitimate.

Review alert rules and action groups for unexpected recipients or recent unauthorized changes.
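One way to carry out that review across a subscription, covering both the action-group mechanism described under Details and this recommendation, is to pull the action groups with the Azure CLI and check every e-mail receiver against the mailboxes that are supposed to receive alerts. The script below is an added example for this advisory, not Triskele Labs' or Microsoft's code. It assumes the JSON shape produced by `az monitor action-group list -o json` (Microsoft.Insights/actionGroups resources with an `emailReceivers` array) and reads only the fields named in the code; the allowlist and the sample document are constructed placeholders.

```python
"""Audit Azure Monitor action groups for e-mail receivers outside an allowlist.

Added example for this advisory; it is not Triskele Labs' or Microsoft's code.
It assumes the JSON shape returned by `az monitor action-group list -o json`
(Microsoft.Insights/actionGroups resources with an `emailReceivers` array) and
relies only on the fields read below. SAMPLE_JSON is constructed for
illustration and does not describe any real subscription.
"""
import json
import sys

# Assumed allowlist: mailboxes and domains that may receive Azure Monitor alerts.
ALLOWED_MAILBOXES = {"cloudops@example.com", "soc@example.com"}
ALLOWED_DOMAINS = {"example.com"}

# Constructed sample of what `az monitor action-group list -o json` can return.
SAMPLE_JSON = """
[
  {
    "name": "ag-prod-ops",
    "resourceGroup": "rg-monitoring",
    "enabled": true,
    "emailReceivers": [
      {"name": "ops", "emailAddress": "CloudOps@example.com", "status": "Enabled"}
    ]
  },
  {
    "name": "ag-billing-alerts",
    "resourceGroup": "rg-monitoring",
    "enabled": true,
    "emailReceivers": [
      {"name": "soc", "emailAddress": "soc@example.com", "status": "Enabled"},
      {"name": "r1", "emailAddress": "cfo@target.example.net", "status": "Enabled"},
      {"name": "r2", "emailAddress": "payables@target.example.net", "status": "Enabled"}
    ]
  }
]
"""


def find_unexpected_receivers(action_groups, allowed_mailboxes, allowed_domains):
    """Return one finding per e-mail receiver that is neither an allowed mailbox
    nor in an allowed domain. Disabled groups are still reported, because an
    attacker can re-enable a group immediately before triggering a rule."""
    allowed_mailboxes = {m.lower() for m in allowed_mailboxes}
    allowed_domains = {d.lower() for d in allowed_domains}
    findings = []
    for group in action_groups:
        for receiver in group.get("emailReceivers") or []:
            address = (receiver.get("emailAddress") or "").strip().lower()
            domain = address.rpartition("@")[2]
            if address in allowed_mailboxes or domain in allowed_domains:
                continue
            findings.append({
                "actionGroup": group.get("name"),
                "resourceGroup": group.get("resourceGroup"),
                "groupEnabled": group.get("enabled"),
                "receiverName": receiver.get("name"),
                "emailAddress": address,
            })
    return findings


def audit_json(text, allowed_mailboxes=ALLOWED_MAILBOXES, allowed_domains=ALLOWED_DOMAINS):
    """Parse `az` JSON output and return the unexpected receivers it contains."""
    return find_unexpected_receivers(json.loads(text), allowed_mailboxes, allowed_domains)


if __name__ == "__main__":
    # Real use:  az monitor action-group list -o json | python audit_action_groups.py
    source = SAMPLE_JSON if sys.stdin.isatty() else sys.stdin.read()
    for f in audit_json(source):
        print(f"UNEXPECTED {f['emailAddress']} in {f['resourceGroup']}/{f['actionGroup']}"
              f" (receiver '{f['receiverName']}', group enabled={f['groupEnabled']})")
```

Run it against every subscription the organisation owns, not just production, since an attacker with access to any subscription can create alerting there. Any receiver it reports should be checked against the Azure Activity Log entries for the action-group write operations to establish who added it and when.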

At the email gateway:

  • If the organisation does not use Azure Monitor alerts, quarantine or reject these messages broadly.
  • If the organisation does use Azure Monitor alerts, allow them only to designated operational mailboxes or groups and quarantine them for all other recipients.
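The two gateway options above reduce to one decision over sender identity and addressees, and it is worth exercising that decision on sample mail before transcribing it into a gateway's own rule syntax. The code below is an added example for this advisory, not Triskele Labs' code or any vendor's rule language. It assumes the sender set is the address the advisory names (other Microsoft notification senders would have to be added), treats the operational mailboxes as placeholders, and uses constructed messages rather than real alerts.

```python
"""Gateway policy for Azure Monitor alert e-mail, written so it can be tested.

Added example for this advisory, not Triskele Labs' code or any gateway
product's rule syntax. Sender list, mailboxes and messages are assumptions
or constructed samples, as noted inline.
"""
import email
from email.utils import getaddresses, parseaddr

# Sender named in the advisory; extend as further Azure notification senders are confirmed.
AZURE_ALERT_SENDERS = {"azure-noreply@microsoft.com"}

# Assumed mailboxes or groups designated to receive Azure Monitor alerts.
OPERATIONAL_MAILBOXES = {"cloudops@example.com", "soc@example.com"}

ALLOW, QUARANTINE, NOT_APPLICABLE = "allow", "quarantine", "not_applicable"


def header_recipients(msg):
    """Recipients visible in To and Cc, lower-cased. Bcc targets never appear
    here, so a real gateway must prefer the SMTP envelope (see below)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def classify_alert_mail(raw, org_uses_azure_monitor, envelope_rcpts=None,
                        operational_mailboxes=OPERATIONAL_MAILBOXES):
    """Decide what the gateway should do with one message.

    Authentication-Results is deliberately ignored: in this campaign SPF, DKIM
    and DMARC pass because Microsoft really did send the mail, so the only
    useful signals are who sent it and who it is addressed to.
    """
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in AZURE_ALERT_SENDERS:
        return NOT_APPLICABLE          # this rule does not apply; other policy decides
    if not org_uses_azure_monitor:
        return QUARANTINE              # nobody in the organisation should receive these
    rcpts = ({r.lower() for r in envelope_rcpts} if envelope_rcpts is not None
             else header_recipients(msg))
    operational = {m.lower() for m in operational_mailboxes}
    if rcpts and rcpts <= operational:
        return ALLOW                   # every addressee is a designated alert mailbox
    return QUARANTINE                  # any other addressee, or no recipient at all


# Constructed sample messages; only the headers matter to the policy.
ALERT_TO_OPS = """\
From: Microsoft Azure <azure-noreply@microsoft.com>
To: cloudops@example.com
Subject: Azure Monitor alert fired
Authentication-Results: spf=pass dkim=pass dmarc=pass

Alert body (constructed).
"""

ALERT_TO_FINANCE = """\
From: Microsoft Azure <azure-noreply@microsoft.com>
To: payables@example.com
Cc: soc@example.com
Subject: Azure Monitor alert fired
Authentication-Results: spf=pass dkim=pass dmarc=pass

Alert body (constructed).
"""

if __name__ == "__main__":
    for name, raw in (("ops", ALERT_TO_OPS), ("finance", ALERT_TO_FINANCE)):
        print(name, classify_alert_mail(raw, org_uses_azure_monitor=True))
```

Note the second sample: one operational recipient on Cc does not rescue a message that also reaches a finance mailbox, and a target added on Bcc is invisible in the headers, which is why the function accepts the envelope recipient list a gateway actually sees.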

Triskele Labs is actively monitoring for activity consistent with this campaign across supported log sources and IoCs.
