[TIMESTAMP: 2026-03-21 16:10 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: MEDIUM]

Azure Monitor Alert Abuse: Detecting Callback Phishing Campaigns

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Attackers use legitimate Azure infrastructure to send phishing emails that bypass email filters and deceive users into calling fraudulent support centers.
  • [02] Microsoft Azure Monitor and its Action Group notification system are the primary mechanisms leveraged to distribute these malicious notifications.
  • [03] Organizations should restrict Action Group creation permissions and train employees to verify suspicious alerts through official internal communication channels.

Overview

Threat actors have been identified leveraging legitimate Microsoft infrastructure to conduct sophisticated phishing operations. Specifically, according to BleepingComputer, attackers are abusing Azure Monitor’s notification system to send callback phishing emails that appear to originate from the “Microsoft Security Team.” Because the messages are sent from the genuine azure-noreply@microsoft.com address, these campaigns bypass many automated email security solutions that allow-list official Microsoft domains.

Technical Analysis of Action Group Abuse

Azure Monitor allows administrators to create “Action Groups,” which define a collection of notification preferences (such as email, SMS, or push notifications) triggered by specific system alerts. The TTP used in this campaign involves attackers gaining access to an Azure environment—often through stolen credentials or by creating a free trial account—and configuring an Action Group containing the victim’s email address.

Once the Action Group is established, the attacker triggers an alert. Microsoft then sends a legitimate notification informing the recipient that they have been added to the group, and the attacker can customize certain fields within the notification template to include a fraudulent message and a phone number. This makes the email very hard for SOC teams to distinguish from genuine Azure mail: its headers, DKIM signature, and SPF result are all valid and point directly to Microsoft.

The Callback Phishing Mechanism

Unlike traditional phishing that relies on malicious links or attachments, callback phishing (also known as “vishing” or voice phishing) directs the recipient to call a provided telephone number. The emails often claim there has been an unauthorized charge on the user’s account or a change to their subscription status. When the victim calls the number, they are connected to a fraudulent support center where the attacker attempts to convince them to install remote monitoring and management (RMM) software, providing the adversary with a foothold for lateral movement or data exfiltration.

Detecting Azure Monitor Callback Phishing

Security teams must focus on the context of the alerts rather than the reputation of the sender domain. Because the emails originate from a trusted Microsoft service, traditional IoC lists for malicious domains are ineffective. Instead, detecting Azure Monitor callback phishing requires monitoring for unexpected Action Group creations or modifications within the Azure portal.

Administrators should check for:

  • Action Groups containing external or unfamiliar email addresses.
  • Alerts that use generic or alarmist language regarding billing or security that does not align with internal naming conventions.
  • Inbound emails from azure-noreply@microsoft.com that contain phone numbers or instructions to contact “support” outside of official Microsoft support tickets.
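The third check above is the one a mail-security team can automate. The following is an added example written for this briefing, not code from the original article or from Microsoft: it parses a raw message, confirms the sender really is azure-noreply@microsoft.com with passing SPF and DKIM (so the message is not a spoof that other controls would already catch), and then flags the combination of a phone number and "call us" wording in the body. Both sample messages, the phone number and the domains are constructed for the example.

```python
"""Heuristic triage for Azure Monitor notification emails.

Added example (not from the original article): flags messages that really
come from azure-noreply@microsoft.com (SPF/DKIM pass) but carry callback
bait, i.e. a phone number plus "call us" language in the body.
"""
import email
import re
from email import policy
from email.utils import parseaddr

AZURE_SENDER = "azure-noreply@microsoft.com"

# Loose North-American / international phone pattern; tune for your region.
PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Wording that pushes the reader to pick up the phone.
CALLBACK_RE = re.compile(r"\b(call|dial|phone|contact us|helpline|support line)\b", re.IGNORECASE)

# Constructed sample: headers, body and phone number are invented for this example.
SUSPICIOUS_EML = """From: Microsoft Azure <azure-noreply@microsoft.com>
To: finance@example.com
Subject: Action required: unauthorized charge on your subscription
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=azure-noreply@microsoft.com; dkim=pass header.d=microsoft.com
Content-Type: text/plain; charset=utf-8

You have been added to an Azure Monitor action group.

Microsoft Security Team notice: a charge of $499.00 was placed on your
subscription. If you did not authorize this, call our billing desk at
1-800-555-0199 within 24 hours to cancel.
"""

# Constructed benign sample: an ordinary action-group notification, no callback bait.
BENIGN_EML = """From: Microsoft Azure <azure-noreply@microsoft.com>
To: sre@example.com
Subject: You have been added to an action group
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=azure-noreply@microsoft.com; dkim=pass header.d=microsoft.com
Content-Type: text/plain; charset=utf-8

You have been added to the action group prod-cpu-alerts in subscription
Production. You will receive notifications when alerts in this group fire.
"""


def _body_text(msg) -> str:
    """Return the plain-text body (first text/plain part, or the whole message)."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def triage(raw: str) -> dict:
    """Score one raw RFC 5322 message and return structured findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    auth = str(msg.get("Authentication-Results", "")).lower()
    body = _body_text(msg)

    phones = sorted(set(m.group(0) for m in PHONE_RE.finditer(body)))
    findings = {
        "sender_is_azure": sender == AZURE_SENDER,
        # Genuine Azure mail passes both; a plain spoof would usually fail here.
        "auth_pass": "spf=pass" in auth and "dkim=pass" in auth,
        "phone_numbers": phones,
        "callback_language": bool(CALLBACK_RE.search(body)),
    }
    # Only the combination is interesting: legitimate Microsoft origin plus
    # a phone number and "call us" wording is the callback-phishing shape.
    findings["flag"] = (
        findings["sender_is_azure"] and findings["auth_pass"]
        and bool(phones) and findings["callback_language"]
    )
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EML), ("benign", BENIGN_EML)):
        print(label, triage(raw))
```

The benign sample passes the same authentication checks and is not flagged, which is the point: reputation of the sender is identical in both cases, so the decision has to come from the body. Route flagged messages to a quarantine or analyst queue rather than dropping them, since legitimate Action Group notifications do arrive from this address.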

Mitigation and Recommendations

To protect the environment, organizations should focus on securing Azure Action Group configurations through strict Identity and Access Management (IAM) policies. By default, many users may have permissions to create or modify monitoring resources; these should be restricted to a limited set of administrators.

  1. Restrict IAM Permissions: Ensure the Monitoring Contributor or Monitoring Reader roles are only assigned to authorized personnel. Use the principle of least privilege to prevent unauthorized users from creating Action Groups.
  2. SIEM Integration: Configure your SIEM to ingest Azure Activity Logs. Create an alert for Microsoft.Insights/actionGroups/write operations to identify when new notification groups are created.
  3. User Awareness: Inform employees that legitimate Microsoft billing or security alerts will never require them to call a phone number found within the body of an automated email. All account issues should be verified via the official Microsoft 365 or Azure admin portals.
  4. Endpoint Protection: Since the goal of the callback is often to install RMM tools, ensure your EDR is configured to block or alert on the execution of common remote access tools like AnyDesk, ScreenConnect, or TeamViewer when launched from suspicious browser processes.
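Step 2 above and the first item of the detection checklist (Action Groups with external or unfamiliar addresses) can be implemented as one audit over Azure Activity Log exports. The following is an added example for this briefing, not code from the original article or from Microsoft. The record shape is a simplified, assumed export: real Activity Log events carry more fields and nest the request body differently, so adapt the accessors. The organisation domains, approved caller list and all three sample events are constructed. Note that this catches the stolen-credential variant of the campaign, where the Action Group is created inside your own tenant; a group created in an attacker-owned trial tenant never appears in your logs, which is why the email-side check is also needed.

```python
"""Audit Azure Activity Log for action-group writes with outside recipients.

Added example (not from the original article). The record shape below is a
simplified, assumed export: real Activity Log events carry more fields and
the request body may be nested under properties; adapt the accessors.
"""
import json
from typing import Dict, List

# Operation the article tells you to alert on (compared case-insensitively,
# since the casing differs between portal, CLI and exported logs).
ACTION_GROUP_WRITE = "microsoft.insights/actiongroups/write"

ORG_DOMAINS = {"example.com"}                        # assumed: your own mail domains
APPROVED_CALLERS = {"monitoring-admin@example.com"}  # assumed: who may create groups

# Constructed sample events (not real log data); subscription id is a placeholder.
SAMPLE_EVENTS = json.dumps([
    {
        "eventTimestamp": "2026-03-20T09:12:44Z",
        "operationName": "Microsoft.Insights/ActionGroups/Write",
        "caller": "monitoring-admin@example.com",
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers/microsoft.insights/actionGroups/prod-cpu-alerts",
        "requestBody": {
            "properties": {
                "groupShortName": "prodcpu",
                "emailReceivers": [
                    {"name": "sre", "emailAddress": "sre@example.com"}
                ]
            }
        },
    },
    {
        "eventTimestamp": "2026-03-20T23:51:02Z",
        "operationName": "Microsoft.Insights/ActionGroups/Write",
        "caller": "contractor-temp@example.com",
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/trial-rg/providers/microsoft.insights/actionGroups/billing-notice",
        "requestBody": {
            "properties": {
                "groupShortName": "billing",
                "emailReceivers": [
                    {"name": "target1", "emailAddress": "cfo@other-corp.example"},
                    {"name": "target2", "emailAddress": "ap-team@other-corp.example"}
                ]
            }
        },
    },
    {
        "eventTimestamp": "2026-03-21T08:00:00Z",
        "operationName": "Microsoft.Insights/MetricAlerts/Write",
        "caller": "monitoring-admin@example.com",
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers/microsoft.insights/metricAlerts/cpu-high",
        "requestBody": {},
    },
])


def _domain(addr: str) -> str:
    """Mail domain of an address, lower-cased; empty if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def audit_action_group_writes(events_json: str) -> List[Dict]:
    """Return one finding per action-group write that looks out of policy."""
    findings = []
    for ev in json.loads(events_json):
        if ev.get("operationName", "").lower() != ACTION_GROUP_WRITE:
            continue  # other Azure Monitor writes are out of scope here
        props = ev.get("requestBody", {}).get("properties", {})
        receivers = [r.get("emailAddress", "") for r in props.get("emailReceivers", [])]
        external = [a for a in receivers if _domain(a) not in ORG_DOMAINS]
        caller = ev.get("caller", "")
        reasons = []
        if external:
            reasons.append(f"external email receivers: {', '.join(external)}")
        if caller not in APPROVED_CALLERS:
            reasons.append(f"caller not in approved set: {caller}")
        if reasons:
            findings.append({
                "time": ev.get("eventTimestamp"),
                "caller": caller,
                "action_group": ev.get("resourceId", "").rsplit("/", 1)[-1],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_action_group_writes(SAMPLE_EVENTS):
        print(json.dumps(f, indent=2))
```

Only the second event produces a finding, on both counts: the caller is not on the approved list and every receiver is outside the organisation. The same two conditions translate directly into a SIEM rule once the Activity Log is ingested; the non-approved-caller condition is also a useful indicator that the least-privilege restriction from step 1 has not been applied everywhere.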
