Skip to content

That Azure Monitor alert in your inbox might be a scam

You’ve been told for years to watch for the obvious signs. Bad grammar, a sketchy sender address, a link that doesn’t go where it claims. Spot those and you’re fine.

That advice is getting harder to follow, because the people running these scams have stopped making those mistakes.

Here’s one that’s making the rounds. An email shows up saying there’s a billing problem on your account. Suspicious charges, an invoice you don’t recognize, maybe a note that your account has been suspended. It comes from a real Microsoft domain. Your email security doesn’t flag it. And it’s a scam.

How a fake alert comes from a real Microsoft

The tool being abused here is Azure Monitor. If you run anything in Microsoft’s cloud, it’s the service that watches your systems and emails you when something needs attention. Performance dips, errors, billing events. Getting a notification from it is normal, which is exactly why this works.

The catch is that anyone can set up an alert in Azure Monitor. The person who creates it also writes the message that goes out. So an attacker creates an alert tied to some easily triggered condition, writes their own warning text into the description field, points it at a mailing list they control, and triggers it. The email that lands in your inbox is sent through Microsoft’s own system. It isn’t spoofed. It isn’t pretending to be Microsoft. It’s using Microsoft to deliver the message.

That’s the part that matters. Most email filters decide what’s safe partly by checking who sent it. An email genuinely sent from a trusted Microsoft domain clears that check without a fight. BleepingComputer, which documented the campaign, found the alerts were landing directly in inboxes. TechRadar Pro reported on it in March 2026.

Think of it like a phone call from someone who says they’re with your bank, and then reads off your real account number to prove it. The detail that’s supposed to confirm they’re legitimate is the thing the scam is built on.

Why this one is aimed at your business, not you personally

Notice what the email asks you to do. It doesn’t try to get you to click a link or enter a password, the moves your filters are tuned to catch. It tells you to call a phone number to sort out the problem. That’s a callback phishing attack, and the phone is where the real damage happens. A person picks up, sounds official, and walks you toward handing over account details, payment information, or remote access to a machine.

That request lands differently inside a company. A billing alert about suspended services or charges on the account is the kind of thing your bookkeeper, your office manager, or whoever handles vendor invoices is paid to take seriously. They’re supposed to act on these. An attacker who frames the bait as a finance problem is aiming straight at the people whose job is to resolve finance problems quickly.

This is also the same play we’ve seen before with other trusted names. The same trick ran through PayPal, and through Google’s tools, before it showed up in Azure Monitor. Take a service people already trust, use it as the delivery truck, and let the trust do the work. The platform changes. The method doesn’t.

What to do about it

The fix is a habit, not a better eye for typos. When an alert pushes you to act fast, especially to call a number, stop and verify it somewhere other than the email. Open your Azure account in a browser and check for the alert there. If a charge or a suspension is real, it shows up inside your account. If it isn’t in the portal, it isn’t real, no matter how official the email looks.

Make that the rule for your team, and be specific about it: nobody calls a number from an alert email. They go to the source and confirm first. The people most likely to see these messages are the ones handling billing, so they’re the ones who need the rule most.

This works because it doesn’t depend on anyone spotting the fake. The whole point of this attack is that the email looks real, comes from a real domain, and gets past the filter. You can’t out-squint it. You can refuse to act on any alert until you’ve confirmed it at the source, which costs about a minute and closes the door entirely.

The lesson from the old advice still holds, it just needs updating. The warning sign used to be a clumsy email. Now the warning sign is the email that looks perfect and wants you to call right now. If you’re not confident your team would pause on one of these, that’s worth fixing before one lands. We’re happy to help you put the verification habit in place and tighten how these alerts reach your inbox in the first place.