Microsoft Azure Monitor alerts abused for callback phishing attacks

Source: BleepingComputer

Author: Lawrence Abrams

URL: https://www.bleepingcomputer.com/news/security/microsoft-azure-monitor-alerts-abused-in-callback-phishing-campaigns/

ONE SENTENCE SUMMARY:

Attackers misuse Azure Monitor alerts to deliver authenticated callback-phishing emails, impersonating Microsoft billing fraud notices and bypassing email defenses.

MAIN POINTS:

  1. Azure Monitor normally collects telemetry and triggers alerts for Azure resources and billing events.
  2. Recipients report alert emails alleging suspicious invoices or charges requiring immediate phone contact.
  3. Messages originate from the legitimate azure-noreply@microsoft.com address rather than from spoofed domains.
  4. Delivered emails pass SPF, DKIM, and DMARC, increasing trust and inbox placement.
  5. Actors create easily triggered alert rules tied to orders, payments, and invoice conditions.
  6. Alert description fields allow arbitrary text, enabling insertion of phishing instructions and phone numbers.
  7. Alerts are sent to attacker-controlled mailing lists that forward to many targets.
  8. Forwarding preserves Microsoft headers and authentication results, helping evade filters and scrutiny.
  9. Rule names mimic billing notifications, sometimes mixing in technical alerts like memory or disk spikes.
  10. The goal is an urgent callback that leads to credential theft, payment fraud, remote access installation, or network intrusion.

TAKEAWAYS:

  1. Treat Microsoft/Azure alert emails containing phone numbers as highly suspicious.
  2. Authentication passes don’t guarantee legitimacy when platforms are abused for message delivery.
  3. Restrict who can create/modify Azure Monitor alert rules and notification recipients.
  4. Monitor for unusual alert rules with invoice/payment language in descriptions.
  5. Train users to verify billing issues via official portals, not numbers provided in alerts.
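The monitoring recommended in takeaways 3 and 4 can be scripted against an export of a tenant's alert rules. The block below is an added example written for this summary, not code from the article or from Microsoft; it assumes a simplified export shape (rule name, description, and the e-mail receivers of the attached action group) and scores each rule for the indicators the article describes: a phone number in the free-text description, billing and urgency wording, resource-health words mixed into a billing-style name, and recipients outside the domains that should receive alert mail. The rules, domains, and phone numbers in it are constructed sample data.

```python
"""Scan exported Azure Monitor alert rules for callback-phishing indicators.

Added example. The rule shape used here (name, description, email_receivers)
is an assumed, simplified subset of an alert-rule export, not a verbatim
Azure schema; adapt the field access to whatever export you actually have.
"""
import re
from dataclasses import dataclass, field

# Phone numbers in the layouts commonly seen in callback lures:
# +1 800 555 0100, (800) 555-0100, 800-555-0100, 1-800-555-0100.
PHONE_RE = re.compile(
    r"(?:\+?\d{1,2}[\s.-]?)?(?:\(\d{3}\)|\d{3})[\s.-]?\d{3}[\s.-]?\d{4}"
)
BILLING_TERMS = ("invoice", "payment", "charge", "order", "billing", "refund", "subscription")
URGENCY_TERMS = ("immediately", "urgent", "call", "contact", "within 24 hours", "suspended")
# Words a genuine resource-health alert would use; billing language next to
# these in a rule name is the mix the article describes.
TECH_TERMS = ("memory", "disk", "cpu", "latency", "throttl")


@dataclass
class Finding:
    rule_name: str
    score: int
    reasons: list = field(default_factory=list)


def _has_any(text, terms):
    """Return the terms that occur (case-insensitively) in text."""
    lowered = text.lower()
    return [term for term in terms if term in lowered]


def assess_rule(rule, trusted_domains):
    """Score one alert rule; a higher score means more lure-like.

    rule: dict with 'name', 'description' and 'email_receivers' (assumed shape).
    trusted_domains: set of domains that legitimately receive alert mail.
    """
    name = rule.get("name", "")
    desc = rule.get("description", "") or ""
    finding = Finding(rule_name=name, score=0)

    phones = PHONE_RE.findall(desc)
    if phones:
        finding.score += 5
        finding.reasons.append(f"phone number in description: {phones[0].strip()}")

    billing = _has_any(name + " " + desc, BILLING_TERMS)
    if billing:
        finding.score += 2
        finding.reasons.append("billing language: " + ", ".join(billing))

    urgency = _has_any(desc, URGENCY_TERMS)
    if urgency:
        finding.score += 2
        finding.reasons.append("urgency language: " + ", ".join(urgency))

    if billing and _has_any(name, TECH_TERMS):
        finding.score += 1
        finding.reasons.append("billing wording mixed with resource-health wording in rule name")

    # Notification targets outside the tenant's own domains are the
    # attacker-controlled mailing lists the article describes.
    external = [addr for addr in rule.get("email_receivers", [])
                if addr.split("@")[-1].lower() not in trusted_domains]
    if external:
        finding.score += 3
        finding.reasons.append("recipients outside trusted domains: " + ", ".join(external))
    return finding


def suspicious_rules(rules, trusted_domains, threshold=5):
    """Return findings for every rule at or above the score threshold."""
    return [f for f in (assess_rule(r, trusted_domains) for r in rules) if f.score >= threshold]


# Constructed sample export: one legitimate rule and two lure-style rules.
SAMPLE_RULES = [
    {"name": "vm-cpu-high",
     "description": "CPU above 90% for 10 minutes on prod-web-01.",
     "email_receivers": ["sre@contoso.example"]},
    {"name": "Invoice Alert - Suspicious Order",
     "description": "A charge of $499.99 was placed on your account. If you did not "
                    "authorize this payment, call 1-800-555-0199 immediately.",
     "email_receivers": ["list-4471@example.net"]},
    {"name": "Memory spike - billing notice",
     "description": "Unusual order detected. Contact support at (800) 555-0133 within 24 hours.",
     "email_receivers": ["list-9921@example.net"]},
]

if __name__ == "__main__":
    for finding in suspicious_rules(SAMPLE_RULES, {"contoso.example"}):
        print(f"[score {finding.score}] {finding.rule_name}")
        for reason in finding.reasons:
            print("   -", reason)
```

A phone number in a description is weighted highest because a legitimate resource or billing alert has no reason to carry one; external recipients are weighted next, since that is how the lures reach targets while keeping Microsoft's headers intact. Run the scorer on a periodic export and alert on any rule that crosses the threshold, or on any newly created rule whose receivers are outside the tenant.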