
How to Detect and Block Azure Monitor Callback Phishing Attacks

Security Arsenal Team
March 21, 2026
5 min read

In a concerning evolution of callback phishing tactics, attackers are now abusing legitimate Microsoft Azure infrastructure to target organizations. Recent intelligence indicates that threat actors are compromising Azure identities to configure Azure Monitor alerts, which then send convincing phishing emails impersonating the Microsoft Security Team.

For defenders, this presents a unique challenge: the emails are generated and sent by Microsoft's own notification infrastructure (the sender is azure-noreply@microsoft.com), so they pass SPF, DKIM and DMARC for Microsoft's domain and sail through email security controls that rely on sender reputation or authentication. Only the content, the phone number and the manufactured urgency, gives the message away. This post breaks down the mechanics of this attack and provides detection queries and remediation steps to protect your organization.

Technical Analysis

The attack vector leverages the native "Action Group" feature of Azure Monitor. An Action Group is a reusable set of notification receivers (email, SMS, voice, Azure app push) and actions (webhooks, Logic Apps, Functions, ITSM) that fire whenever an alert rule referencing it is triggered. The group can also be fired on demand from the portal with "Test action group", which sends a sample notification to every receiver. Anyone with write access to the resource (a Contributor or Monitoring Contributor assignment on the subscription or resource group is enough) can add any email address as a receiver; Azure does not require the recipient to belong to the tenant or to opt in.

The Attack Flow:

  1. Initial Compromise: Attackers obtain an Azure identity with write permission on Microsoft.Insights/actionGroups in some subscription or resource group, typically via credentials or service principal secrets leaked in public repositories, or via a previously compromised user account. The phishing victim need not have any relationship with the compromised subscription.
  2. Configuration: The attacker opens Azure Monitor > Alerts > Action groups (or uses the ARM API or CLI) and creates or modifies an Action Group, adding an "Email" receiver whose address is the intended victim's.
  3. Payload Delivery: The attacker either creates an alert rule bound to the group and lets it fire, or simply uses "Test action group". Microsoft's notification service renders its standard alert template and sends it to the receiver. The attacker-controlled fields that the template embeds, such as the alert rule name and description, are where the lure text, including the callback number, is placed.
  4. Social Engineering: The victim receives a genuine, correctly authenticated Microsoft notification warning of "unauthorized charges" or "suspicious activity" and urging them to call a phone number contained in the message. The operator who answers continues the social engineering by phone (a callback attack).

Affected Systems:

  • Microsoft Azure Monitor (alert rules)
  • Azure Action Groups (email receivers)
  • Azure Activity Log (records every Action Group change; the primary evidence source)

Severity: High. This is not a software vulnerability that a patch or CVE will fix; it is abuse of a legitimate feature. It lets attackers push phishing content through Microsoft's own mail infrastructure, so the message passes the sender-authentication and reputation checks at email gateways and trades on the trust users place in vendor notifications.

Defensive Monitoring

Security Operations Center (SOC) teams must monitor for the creation or modification of Action Groups, particularly those involving external email domains. Below are KQL queries for Microsoft Sentinel and PowerShell scripts to audit your current environment.

Microsoft Sentinel (KQL)

Use this query to detect when an Action Group is created, modified, deleted or test-fired, and when an alert rule of any current type is written. It focuses on administrative operations within the Microsoft.Insights provider. OperationNameValue is stored upper-case in AzureActivity, so the comparison is case-insensitive, and the caller IP comes from the dedicated CallerIpAddress column rather than from the Properties JSON string.

AzureActivity
| where CategoryValue == "Administrative"
| where OperationNameValue in~ (
    "microsoft.insights/actiongroups/write",
    "microsoft.insights/actiongroups/delete",
    "microsoft.insights/actiongroups/createnotifications/action",   // "Test action group"
    "microsoft.insights/metricalerts/write",
    "microsoft.insights/scheduledqueryrules/write",
    "microsoft.insights/activitylogalerts/write")
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, ActivityStatusValue,
          ResourceGroup, _ResourceId
| order by TimeGenerated desc

Audit Action Groups with PowerShell

Use this PowerShell script to enumerate all Action Groups in every subscription you can see and report any email receivers whose domain is not one of your corporate mail domains. It handles both the current Az.Monitor output (EmailReceiver) and the older property name (EmailReceivers).

# Requires the Az.Accounts and Az.Monitor modules (Install-Module Az)
Connect-AzAccount

# Mail domains whose addresses are legitimate receivers; comparison is case-insensitive
$internalDomains = @('yourcompany.com')

foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    Write-Host "Checking Subscription: $($sub.Name)" -ForegroundColor Cyan

    # With no parameters Get-AzActionGroup lists every Action Group in the current subscription
    foreach ($ag in (Get-AzActionGroup -ErrorAction SilentlyContinue)) {
        # Az.Monitor 5.x exposes EmailReceiver; earlier versions used EmailReceivers
        $receivers = if ($ag.PSObject.Properties['EmailReceiver']) { $ag.EmailReceiver } else { $ag.EmailReceivers }

        foreach ($receiver in $receivers) {
            $domain = ($receiver.EmailAddress -split '@')[-1]
            if ($internalDomains -notcontains $domain) {
                Write-Host "[ALERT] External email receiver in Action Group: $($ag.Name)" -ForegroundColor Red
                Write-Host "    Resource: $($ag.Id)" -ForegroundColor Yellow
                Write-Host "    Email:    $($receiver.EmailAddress)" -ForegroundColor Yellow
            }
        }
    }
}
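The two checks above, the Sentinel query over Activity Log events and the audit of email receivers, can be combined into one triage routine for Activity Log exports (for example the JSON you get from a diagnostic setting or an Event Hub). The following is an added example written for this post, not code from the original article or from Microsoft: it filters exported events to the Action Group operations, then inspects the request body of each write for receivers outside the corporate domain. The sample events are constructed, the domain yourcompany.com is a placeholder, and it assumes the PUT body is captured in properties.requestbody as it is for many ARM writes; where it is not, fall back to reading the live resource with Get-AzActionGroup.

```python
"""Triage exported Azure Activity Log events for Action Group abuse.

Flags Administrative operations that create, change, delete or test-fire an
Action Group and lists any email receivers outside the corporate domain.
"""
import json
from dataclasses import dataclass, field

# Assumption: replace with the mail domains your organisation actually owns.
INTERNAL_DOMAINS = {"yourcompany.com"}

# Operation names as they appear in the Activity Log (compared case-insensitively).
WATCHED_OPERATIONS = {
    "microsoft.insights/actiongroups/write",
    "microsoft.insights/actiongroups/delete",
    # emitted by "Test action group" in the portal / the createNotifications API
    "microsoft.insights/actiongroups/createnotifications/action",
}


@dataclass
class Finding:
    time: str
    caller: str
    caller_ip: str
    operation: str
    resource_id: str
    external_receivers: list = field(default_factory=list)


def find_external_receivers(request_body):
    """Return email receiver addresses in an Action Group PUT body whose domain
    is not in INTERNAL_DOMAINS. request_body may be a JSON string or a dict.
    Assumption: the body is captured in properties.requestbody of the event."""
    if not request_body:
        return []
    body = json.loads(request_body) if isinstance(request_body, str) else request_body
    receivers = body.get("properties", {}).get("emailReceivers") or []
    flagged = []
    for receiver in receivers:
        address = receiver.get("emailAddress", "")
        domain = address.rpartition("@")[2].lower()
        if domain not in INTERNAL_DOMAINS:
            flagged.append(address)
    return flagged


def triage(events):
    """Return one Finding per Administrative event touching an Action Group."""
    findings = []
    for event in events:
        if event.get("category", {}).get("value") != "Administrative":
            continue
        operation = event.get("operationName", {}).get("value", "").lower()
        if operation not in WATCHED_OPERATIONS:
            continue
        props = event.get("properties") or {}
        findings.append(Finding(
            time=event.get("eventTimestamp", ""),
            caller=event.get("caller", ""),
            caller_ip=event.get("callerIpAddress", ""),
            operation=operation,
            resource_id=event.get("resourceId", ""),
            external_receivers=find_external_receivers(props.get("requestbody")),
        ))
    return findings


# Constructed sample events in Activity Log shape; not real telemetry.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
_AG_ID = _SUB + "/resourceGroups/rg-mon/providers/Microsoft.Insights/actionGroups/billing-alerts"
SAMPLE_EVENTS = [
    {   # unrelated write, must be ignored
        "eventTimestamp": "2026-03-20T09:00:00Z", "caller": "ops@yourcompany.com",
        "callerIpAddress": "203.0.113.10", "category": {"value": "Administrative"},
        "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
        "resourceId": _SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1",
        "properties": {},
    },
    {   # Action Group created with one internal and one external email receiver
        "eventTimestamp": "2026-03-20T09:05:00Z", "caller": "svc-deploy@yourcompany.com",
        "callerIpAddress": "198.51.100.77", "category": {"value": "Administrative"},
        "operationName": {"value": "MICROSOFT.INSIGHTS/ACTIONGROUPS/WRITE"},
        "resourceId": _AG_ID,
        "properties": {"requestbody": json.dumps({
            "location": "Global",
            "properties": {"groupShortName": "billing", "enabled": True, "emailReceivers": [
                {"name": "soc", "emailAddress": "soc@yourcompany.com"},
                {"name": "target", "emailAddress": "finance@example.org"},
            ]},
        })},
    },
    {   # test notification fired against that group (no request body captured)
        "eventTimestamp": "2026-03-20T09:06:00Z", "caller": "svc-deploy@yourcompany.com",
        "callerIpAddress": "198.51.100.77", "category": {"value": "Administrative"},
        "operationName": {"value": "MICROSOFT.INSIGHTS/ACTIONGROUPS/CREATENOTIFICATIONS/ACTION"},
        "resourceId": _AG_ID, "properties": {},
    },
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        tag = "[ALERT]" if f.external_receivers else "[INFO] "
        print(f"{tag} {f.time} {f.caller} ({f.caller_ip}) {f.operation}")
        for addr in f.external_receivers:
            print(f"         external receiver: {addr}")
```

On the sample input the VM write is dropped, the Action Group write is reported with finance@example.org as an external receiver, and the test notification is reported as a plain finding; a test notification from the same caller and IP a minute after a write with an external receiver is exactly the sequence the attack flow above describes.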

Remediation

If you detect suspicious Action Groups or have fallen victim to this campaign, take the following steps immediately to secure your environment.

1. Audit and Remove Suspicious Action Groups

  • Immediate Action: Log into the Azure Portal and navigate to Monitor > Alerts > Action groups, and check every subscription you own, not only the one you expect.
  • Review: Identify Action Groups that were created or modified recently, or that contain email addresses outside your organization. Before touching them, pull the matching Activity Log entries (caller, caller IP, timestamp) so you know which identity made the change; that identity is your compromised account.
  • Delete: Remove unauthorized Action Groups, or set them to disabled if you need to keep them briefly for investigation, to stop further alert delivery to external parties. Delete or disable any alert rules that reference them as well.

2. Enforce Conditional Access for Azure Management

  • Require Multi-Factor Authentication, and where possible a compliant or managed device, for all users accessing the Azure management plane (the "Windows Azure Service Management API", now shown as "Microsoft Azure Management", target in Conditional Access).
  • Action Groups are Azure resources, so the ability to create or modify them is governed by Azure RBAC (Microsoft.Insights/actionGroups/write), not by Entra ID directory roles such as Global Administrator or Cloud Application Administrator. Review Contributor and Monitoring Contributor assignments at subscription and resource-group scope and remove any that are not needed; service principals used for deployments rarely need Monitor write rights.
  • Where a preventive control is wanted, an Azure Policy definition with a deny effect can reject Action Groups whose email receivers fall outside approved domains.
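As an added example, not from the original post, the following Azure Policy definition denies creation or update of any Action Group that carries an email receiver outside the approved domain. The alias Microsoft.Insights/actionGroups/emailReceivers[*].emailAddress and the domain yourcompany.com are assumptions: confirm the alias exists in your tenant with Get-AzPolicyAlias -NamespaceMatch 'Microsoft.Insights' before assigning, and assign with effect "audit" first to see what it would block.

```json
{
  "displayName": "Deny Action Groups with external email receivers",
  "description": "Added example for this post. Assumes the emailReceivers[*].emailAddress alias is available and that yourcompany.com is the approved mail domain.",
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.Insights/actionGroups" },
        {
          "count": {
            "field": "Microsoft.Insights/actionGroups/emailReceivers[*]",
            "where": {
              "field": "Microsoft.Insights/actionGroups/emailReceivers[*].emailAddress",
              "notLike": "*@yourcompany.com"
            }
          },
          "greater": 0
        }
      ]
    },
    "then": { "effect": "deny" }
  }
}
```

The count/where construct evaluates every receiver in the array and the rule fires if at least one address does not end in the approved domain, so a group mixing internal and external receivers is still denied. Policy only governs new writes; existing groups must still be found with the audit script above.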

3. Scan for Leaked Credentials

  • Since this attack often starts with leaked credentials, check code repositories for exposed Azure credentials: GitHub secret scanning (Microsoft is a scanning partner for Azure secrets) and Microsoft Defender for Cloud DevOps security for the repositories you have connected, plus a third-party scanner for anything else.
  • For compromised users, reset the password and revoke active sessions (for example with Revoke-MgUserSignInSession), then review sign-in logs for the caller IPs seen in the Activity Log. For compromised service principals, rotate or remove the client secrets and certificates, since they have no password to reset.

4. User Awareness Training

  • Inform your security team and helpdesk staff about this specific tactic.
  • Advise users that while an email may come from a legitimate Microsoft source, the content (e.g., a request to call a support number regarding billing) should still be verified through official channels.
