<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Azure Monitor - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/azure-monitor/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 18:23:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/azure-monitor/feed.xml" rel="self" type="application/rss+xml"/><item><title>Azure Monitor Alert Abuse for Callback Phishing</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-monitor-phish/</link><pubDate>Wed, 03 Jan 2024 18:23:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-monitor-phish/</guid><description>Adversaries are abusing Azure Monitor alert rules to deliver callback phishing emails from Microsoft's legitimate azure-noreply@microsoft.com address, embedding fraudulent billing or security lures in the alert rule description.</description><content:encoded><![CDATA[<p>Callback phishing campaigns are leveraging Microsoft Azure Monitor to bypass traditional email security measures. Since at least March 2026, attackers have been creating malicious alert rules within their own Azure tenants, embedding phishing lures within the description field of the alert. They then add victim email addresses to action groups associated with these alerts. When the alert is triggered, Azure Monitor sends notification emails directly to the victims from <a href="mailto:azure-noreply@microsoft.com">azure-noreply@microsoft.com</a>. Because these emails originate from a legitimate Microsoft address, they pass SPF, DKIM, and DMARC checks, evading typical email security filters. The phishing lure typically involves financial or billing themes, such as fake invoices, payment references, or order confirmations, designed to induce victims to call a provided phone number.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker creates an Azure account and sets up an Azure Monitor alert rule.</li>
<li>The attacker crafts a phishing lure, embedding it within the description field of the alert rule. The lure often involves financial themes to induce a callback.</li>
<li>The attacker adds target email addresses to an action group associated with the alert rule.</li>
<li>The attacker triggers the Azure Monitor alert rule, causing a notification email to be sent.</li>
<li>Microsoft sends an email from <a href="mailto:azure-noreply@microsoft.com">azure-noreply@microsoft.com</a> to the victim, containing the phishing lure in the body of the email.</li>
<li>The victim receives the email, perceives it as legitimate due to the sender address, and is prompted to call a provided phone number.</li>
<li>The victim calls the phone number, connecting them to the attacker or an associate.</li>
<li>The attacker attempts to extract sensitive information, facilitate fraudulent payments, or install remote access tools.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful callback phishing attacks can lead to credential theft, financial fraud, and unauthorized remote access to victim systems. The abuse of Azure Monitor alerts increases the likelihood of success because emails originate from a trusted Microsoft address, bypassing common email security filters. The exact number of victims is unknown, but organizations across various sectors are potentially vulnerable. If the attack succeeds, victims may suffer financial losses, data breaches, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;M365 Azure Monitor Alert Email with Financial or Billing Theme&quot; to your SIEM and tune for your environment to detect suspicious emails (rule title).</li>
<li>Implement a mail flow rule to flag or quarantine Azure Monitor notification emails that contain phone numbers or financial language in the body (description).</li>
<li>Block the sender pattern <a href="mailto:azure-noreply@microsoft.com">azure-noreply@microsoft.com</a> in your email security gateway if confirmed as phishing (iocs).</li>
<li>Report suspected abusive Azure subscription IDs (found in email headers) to Microsoft abuse team for takedown (references).</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>azure-monitor</category><category>callback-phishing</category><category>email</category></item></channel></rss>