Technical Alert: Analysis of the Azure Monitor Alerts Phishing Campaign (2026)
- Mar 24
- 3 min read
As the cybersecurity landscape in Vietnam grows increasingly complex, experts at ipsip.vn have identified an unprecedentedly sophisticated Callback Phishing campaign (also known as the BazarCall technique). Instead of spoofing email addresses, attackers are directly abusing Microsoft’s legitimate infrastructure to distribute fraudulent notifications.
1. The Perfect "Passport": Bypassing SPF, DKIM, and DMARC
The high success rate of this attack stems from the fact that the emails originate from the official address: azure-noreply@microsoft.com. Upon analyzing the headers of these phishing emails, all authentication results return a PASS status:
```text
Authentication-Results: relay.mimecast.com;
dkim=pass header.d=microsoft.com header.s=s1024-meo header.b=CKfQ8iOB;
arc=pass ("microsoft.com:s=arcselector10001:i=1");
dmarc=pass (policy=reject) header.from=microsoft.com;
spf=pass (relay.mimecast.com: domain of azure-noreply@microsoft.com designates 40.107.200.103 as permitted sender) smtp.mailfrom=azure-noreply@microsoft.com
```
This means that even mature email security gateways (such as Mimecast, Proofpoint, or Google Workspace) will treat the message as legitimate: it really is signed and delivered by Microsoft’s own servers, and the only malicious element is the attacker-chosen text carried inside an otherwise genuine notification.


2. Catalog of Identified "Lures" (Malicious Alert Rules)
Attackers utilize the Azure Monitor Alert Rules feature to generate alarming notifications targeting both Finance and Technical departments. Below are the specific rules frequently observed in the field:
Group 1: Fraudulent Invoices & Payments (Targeting Finance/Accounting)
These notifications mimic standard Microsoft Azure automated billing processes, prompting users to call a number to "cancel the transaction":
Azure monitor alert rule order-22455340 was resolved for invoice22455340
Azure monitor alert rule Invoice Paid INV-d39f76ef94 was resolved for invd39f76ef94
Azure monitor alert rule Payment Reference INV-22073494 was resolved for purchase22073494
Azure monitor alert rule Funds Successfully Received-ec5c7acb41 was triggered for subec5c7acb41
Group 2: Spurious System Failures (Targeting IT Administrators)
To deceive technical personnel, attackers create alerts regarding infrastructure performance, inducing fear of a system crash:
Azure monitor alert rule MemorySpike-9242403-A4 was triggered (Fake RAM spike alert)
Azure monitor alert rule DiskFull-3426456-A6 was triggered for locker3426456 (Fake disk space alert)
When users receive these alerts, they are often inclined to call the phone number included in the email for "technical support." At that point, the attacker guides them through installing remote-control software to facilitate account takeover and data exfiltration.
3. Defensive Solutions
This campaign exploits Feature Abuse rather than a traditional software vulnerability. Consequently, organizations must implement proactive defense-in-depth:
Azure Configuration Monitoring (Cloud Governance): Closely monitor all changes in Action Groups and Alert Rules. Any rules containing keywords like "Invoice" or "Payment" created by unauthorized users are immediate red flags.

Enforce Zero Trust: Utilize IPSIP’s Infrastructure Security Solutions to control access to the Azure Portal, ensuring only MFA-authenticated users have the permission to create or modify alerts.
Standardize Incident Response (IR): When a billing alert is received, employees must verify it directly via the official Azure Billing Portal. Under no circumstances should they call phone numbers provided within the email body.
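The header analysis in section 1 and the keyword red flags in section 3 combine into a mail-side triage check. The following is an added example written for this post, not code from ipsip.vn or Microsoft; it assumes a mail gateway hands over the raw RFC 822 message, uses a simplified phone-number pattern with separators, and works on constructed sample messages modelled on the lure subjects above.

```python
import re
from email import message_from_string

# Lure terms drawn from the alert-rule names catalogued above.
LURE_TERMS = ("invoice", "payment", "paid", "funds", "purchase", "order",
              "memoryspike", "diskfull")
RULE_RE = re.compile(r"Azure monitor alert rule (.+?) was (?:triggered|resolved)", re.I)
# Phone numbers written with separators; bare invoice/order digit runs do not match.
PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}")

def is_authenticated_microsoft(msg):
    """DKIM and DMARC pass for microsoft.com and From is the Azure sender."""
    auth = " ".join(msg.get_all("Authentication-Results", []))
    return ("dkim=pass" in auth and "dmarc=pass" in auth
            and "header.from=microsoft.com" in auth
            and "azure-noreply@microsoft.com" in msg.get("From", ""))

def body_text(msg):
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join((p.get_payload(decode=True) or b"").decode(
        p.get_content_charset() or "utf-8", "replace") for p in parts)

def classify(raw_message):
    """Passing authentication is not trust: flag mail whose rule name is a lure and whose body carries a callback number."""
    msg = message_from_string(raw_message)
    body = body_text(msg)
    match = RULE_RE.search(msg.get("Subject", "") + "\n" + body)
    rule_name = match.group(1).strip() if match else ""
    lures = [t for t in LURE_TERMS if t in rule_name.lower()]
    phones = PHONE_RE.findall(body)
    authenticated = is_authenticated_microsoft(msg)
    verdict = ("callback-phishing suspected" if authenticated and lures and phones
               else "review" if lures or phones else "clean")
    return {"authenticated": authenticated, "rule_name": rule_name,
            "lures": lures, "phones": phones, "verdict": verdict}

# Constructed sample modelled on the lure subjects above (not a real message).
PHISH_SAMPLE = """\
Authentication-Results: relay.example.test; dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com
From: Microsoft Azure <azure-noreply@microsoft.com>
Subject: Azure monitor alert rule Invoice Paid INV-d39f76ef94 was resolved for invd39f76ef94

Your invoice INV-d39f76ef94 has been paid. To cancel this transaction, call billing support at +1 (888) 555-0142 within 24 hours.
"""

# Constructed benign alert: same authenticated sender, no lure and no phone number.
BENIGN_SAMPLE = PHISH_SAMPLE.split("Subject:")[0] + \
    "Subject: Azure monitor alert rule CPU-High-prod-web01 was triggered for web01\n\nCPU above 90% for 5 minutes.\n"
```

Both samples pass DKIM and DMARC for microsoft.com, which is exactly why the verdict has to come from the rule name and the callback number rather than from the authentication result.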
The Azure Monitor phishing campaign demonstrates the cunning of modern threat actors who leverage Microsoft’s own reputation as a shield. Identifying these Indicators of Attack (IoA), such as specific "MemorySpike" or "Invoice Paid" strings, is the most vital weapon for corporate self-defense.
-----
References:
BleepingComputer: Microsoft Azure Monitor alerts abused in callback phishing.
TechRadar: Watch out for suspicious Microsoft Azure Monitor alerts.