{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/azure-monitor/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Monitor"],"_cs_severities":["low"],"_cs_tags":["azure-monitor","callback-phishing","email"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCallback phishing campaigns are leveraging Microsoft Azure Monitor to bypass traditional email security measures. Since at least March 2026, attackers have been creating malicious alert rules within their own Azure tenants, embedding phishing lures within the description field of the alert. They then add victim email addresses to action groups associated with these alerts. When the alert is triggered, Azure Monitor sends notification emails directly to the victims from \u003ca href=\"mailto:azure-noreply@microsoft.com\"\u003eazure-noreply@microsoft.com\u003c/a\u003e. Because these emails originate from a legitimate Microsoft address, they pass SPF, DKIM, and DMARC checks, evading typical email security filters. The phishing lure typically involves financial or billing themes, such as fake invoices, payment references, or order confirmations, designed to induce victims to call a provided phone number.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker creates an Azure account and sets up an Azure Monitor alert rule.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a phishing lure, embedding it within the description field of the alert rule. The lure often involves financial themes to induce a callback.\u003c/li\u003e\n\u003cli\u003eThe attacker adds target email addresses to an action group associated with the alert rule.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the Azure Monitor alert rule, causing a notification email to be sent.\u003c/li\u003e\n\u003cli\u003eMicrosoft sends an email from \u003ca href=\"mailto:azure-noreply@microsoft.com\"\u003eazure-noreply@microsoft.com\u003c/a\u003e to the victim, containing the phishing lure in the body of the email.\u003c/li\u003e\n\u003cli\u003eThe victim receives the email, perceives it as legitimate due to the sender address, and is prompted to call a provided phone number.\u003c/li\u003e\n\u003cli\u003eThe victim calls the phone number, connecting them to the attacker or an associate.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to extract sensitive information, facilitate fraudulent payments, or install remote access tools.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful callback phishing attacks can lead to credential theft, financial fraud, and unauthorized remote access to victim systems. The abuse of Azure Monitor alerts increases the likelihood of success because emails originate from a trusted Microsoft address, bypassing common email security filters. The exact number of victims is unknown, but organizations across various sectors are potentially vulnerable. If the attack succeeds, victims may suffer financial losses, data breaches, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;M365 Azure Monitor Alert Email with Financial or Billing Theme\u0026quot; to your SIEM and tune for your environment to detect suspicious emails (rule title).\u003c/li\u003e\n\u003cli\u003eImplement a mail flow rule to flag or quarantine Azure Monitor notification emails that contain phone numbers or financial language in the body (description).\u003c/li\u003e\n\u003cli\u003eBlock the sender pattern \u003ca href=\"mailto:azure-noreply@microsoft.com\"\u003eazure-noreply@microsoft.com\u003c/a\u003e in your email security gateway if confirmed as phishing (iocs).\u003c/li\u003e\n\u003cli\u003eReport suspected abusive Azure subscription IDs (found in email headers) to Microsoft abuse team for takedown (references).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-monitor-phish/","summary":"Adversaries are abusing Azure Monitor alert rules to deliver callback phishing emails from Microsoft's legitimate azure-noreply@microsoft.com address, embedding fraudulent billing or security lures in the alert rule description.","title":"Azure Monitor Alert Abuse for Callback Phishing","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-monitor-phish/"}],"language":"en","title":"CraftedSignal Threat Feed - Azure Monitor","version":"https://jsonfeed.org/version/1.1"}