Watch out for suspicious Microsoft Azure Monitor alerts – it could be this shifty new callback phishing attack

News
By published

No, Azure Monitor did not just notify you

A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
(Image credit: weerapatkiatdumrong / Getty Images)
  • Phishing campaign abuses Microsoft Azure Monitor alerts
  • Fake “suspicious charges” emails bypass protections using legitimate domain
  • Attackers craft alerts with custom messages, similar to past Google Tasks and PayPal abuse

Microsoft Azure Monitor is the latest in the long line of legitimate tools being abused in phishing attacks. If you are used to getting notifications from this platform, be careful, as the emails are quite convincing and relatively difficult to spot.

Microsoft Azure Monitor is a cloud-based service that collects and analyzes data from applications and infrastructure, helping users monitor performance, detect issues, and respond to problems in real time.

In recent times, users have been getting emails directly from this platform, notifying them of “suspicious charges” and “invoice activity”.

Article continues below

Using mailing lists

The emails encourage the recipients to call the phone number provided in the alert, to sort the “problem” out. Many also state that the accounts are temporarily suspended, or that the funds are being placed on hold.

Since they are coming directly from Microsoft Azure Monitor, using a legitimate, trusted domain, these alerts largely bypass email protection services and land directly into people’s inboxes.

But these are not “real” alerts. As explained by BleepingComputer, who’s seen these campaigns in action, anyone can create alerts in Azure Monitor for “easily triggered conditions” such as new orders, payments, generated invoices, and other billing alerts. Whoever creates the alerts can also create the message to be sent in the description field, and that is where the fake warning is usually placed.

Finally, the attackers can set up the alert to be sent out to people on specific mailing lists. In this case, these lists are owned by the attackers, as well.

So, the MO is like this: set up an alert, trigger it, and send the notification to everyone on a predefined mailing list.

It is a simple and effective technique that we’ve seen being used before. In late February, TechRadar Pro reported on a similar campaign abusing Google Tasks, and before that, PayPal.

Via BleepingComputer

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.