Using trusted enterprise monitoring systems as a tool for credentialing their deception, threat actors have begun to make a subtle but highly effective shift in phishing tradecraft. Through the use of Microsoft Azure Monitor alerting mechanisms, attackers are orchestrating callback phishing campaigns that blur the line between legitimate security communication and malicious activity.
Organizations commonly rely upon these alerts to monitor system health and security events in real time, but they are now being repurposed to convey a false sense of urgency, encouraging recipients to initiate contact with attacker-controlled telephone numbers.
By using messages originating from authentic Microsoft infrastructure, the tactic represents a significant improvement over conventional phishing, thereby evading many of the technical and psychological safeguards users have been trained to rely on.
Microsoft Azure Monitor is now one of a growing number of legitimate enterprise tools increasingly repurposed to facilitate phishing operations, joining a growing roster of legitimate enterprise tools.
The platform is widely deployed to aggregate telemetry across applications and infrastructure, which assists organizations in tracking performance metrics, uncovering anomalies, and responding to operational disruptions in real time. The adversaries are now exploiting precisely this trusted functionality.
The service is reporting that users are receiving alert emails directing them to purported “suspicious charges” or irregular “invoice activity” based upon recent activity. In order to ensure that such notifications merge seamlessly into routine administrative workflows, they align closely with the types of events that are flagged by the platform, making it extremely difficult to distinguish them from real alerts and increasing the likelihood that users will engage with them.
In the last several weeks, a noticeable increase in such activity has been observed, with multiple individuals reporting receiving alert notifications that alerts were received warning of suspicious charges or anomalous billing events connected to their accounts.
To strengthen the authenticity of these messages, they often incorporate fabricated transaction metadata, such as merchant identifiers, transaction IDs, timestamps, and dollar amounts, to mirror legitimate security advisories.
Upon receiving the message, recipients are urged to immediately act under the pretext of fraud prevention, typically by contacting a designated support number allegedly relating to the account security department.
In order to prompt quick response by users, the language employed is deliberately urgent yet procedural, implying risks of account suspension or additional financial exposure.
Unlike more conventional phishing attempts, this campaign is distinguished not only by the narrative sophistication it contains, but also by the delivery mechanism it employs.
Alerts are sent directly through Microsoft Azure Monitor using legitimate Microsoft-associated email channels, including standard no-reply addresses, rather than through spoofed domains or lookalike infrastructure.
These communications, as a result, successfully satisfy email authentication protocols such as SPF, DKIM, and DMARC, which enable them to pass through secure email gateways without raising typical red flags.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article:
Like this:
Like Loading...
Related
