Microsoft Azure Monitor alerts abused for callback phishing attacks

Information:

  Microsoft Azure Monitor alerts are being abused to send callback phishing emails that impersonate warnings from the Microsoft Security Team about unauthorized charges on your account.

  • Threat actors are abusing Microsoft Azure Monitor alerts for callback phishing, impersonating Microsoft to warn users of fake unauthorized charges.
  • Because these alerts are sent from the legitimate azure-noreply@microsoft.com address, they pass standard email authentication checks such as SPF, DKIM, and DMARC instead of being stopped by them.
  • The alerts carry attacker-written custom descriptions, typically claiming a fake $389.90 charge, to trick victims into calling a fraudulent support number.
  • During the call, attackers use social engineering to steal credentials, commit fraud, or install remote access software, gaining initial access to corporate networks.
  • To mitigate this, organizations should educate users about this tactic and monitor endpoints for unauthorized remote management tools.

  The primary impact of this campaign is the circumvention of standard email security controls: because the phishing emails are dispatched directly from Microsoft's legitimate Azure infrastructure, they pass SPF, DKIM, and DMARC authentication checks. This lets the malicious messages land directly in users' primary inboxes, bypassing Secure Email Gateways and standard spam filters.
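As an added illustration of why sender authentication alone cannot catch this (example code written for this bulletin, not from the original page or from Microsoft): a small Python check parses two constructed alert emails, both genuinely from azure-noreply@microsoft.com and both passing DMARC, and flags only the one whose free-text description carries the callback lure (a dollar amount, a phone number and charge/call wording). The headers, bodies and phone number are constructed samples.

```python
import email
import re
from email import policy

# Constructed sample headers/bodies shaped like Azure Monitor alert emails
# (not real captured messages). Both pass DMARC; only the description differs.
LURE_MAIL = """\
From: Microsoft Azure <azure-noreply@microsoft.com>
Subject: Microsoft Security Team: unauthorized charge detected
Authentication-Results: spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Alert description: An unauthorized charge of $389.90 was billed to your account.
To cancel, call the Microsoft Security Team at (555) 010-2233 within 24 hours.
"""
BENIGN_MAIL = """\
From: Microsoft Azure <azure-noreply@microsoft.com>
Subject: Azure Monitor alert: CPU threshold exceeded
Authentication-Results: spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Alert rule 'vm-cpu-high' fired: Percentage CPU greater than 90 on vm-web-01.
"""

AZURE_ALERT_SENDER = "azure-noreply@microsoft.com"
PHONE_RE = re.compile(r"\+?1?[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
AMOUNT_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
LURE_RE = re.compile(r"\b(unauthori[sz]ed|charge|billed|refund|cancel|call)\b", re.I)


def score_alert(raw: str) -> dict:
    """Score one raw RFC 5322 message. SPF/DKIM/DMARC pass on the lure too,
    so the signal is the attacker-written description, not the sender."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    found = {
        "from_azure_alert_sender": AZURE_ALERT_SENDER in (msg.get("From") or "").lower(),
        "dmarc_pass": "dmarc=pass" in (msg.get("Authentication-Results") or "").lower(),
        "phone_number": bool(PHONE_RE.search(body)),
        "dollar_amount": bool(AMOUNT_RE.search(body)),
        "lure_words": len({m.group(0).lower() for m in LURE_RE.finditer(body)}),
    }
    # Flag only the combination; a genuine alert from the same sender stays clean.
    found["callback_phish"] = (
        found["from_azure_alert_sender"] and found["phone_number"]
        and found["dollar_amount"] and found["lure_words"] >= 2
    )
    return found
```

The same check can be run over exported alert emails as a mailbox rule or a SIEM enrichment step; the point is that the verdict comes from the body content, not from the authentication results.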

Recommendation:

  • Organizations should immediately update their Security Awareness Training programs to specifically highlight callback phishing tactics, emphasizing to employees that even emails originating from trusted, legitimate domains like Microsoft can contain malicious social engineering traps.
  • Employees should be instructed to navigate directly to vendor portals or consult internal IT departments, rather than using phone numbers or links provided within the alarming emails.
  • Security teams should actively monitor network endpoints for the unauthorized installation of remote access software, such as AnyDesk or TeamViewer, as these are primary indicators of a successful compromise.

Security systems are the important thing; we must stay vigilant and keep monitoring as usual.
For more information please contact
Email: sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
061 387 9439 (Ms.Sirilak)
092 257 6902 (Ms.Narusorn)
063 197 7510 (Mr.Yanotai)
065 725 7405 (Ms.Nattharini)
065 725 7405 (Ms.Donraya)

References:

Weekly Interesting CVE

Each entry lists: No., CVE name, published date, last update, device/application/OS target, attack type, CVSS severity rating, detail, solution and reference.

1. CVE-2026-0639
   Published: 16/03/2026 | Last update: 17/03/2026
   Target: OpenHarmony v6.0 and prior versions
   Attack type: Denial of Service
   CVSS severity rating: 5.5
   Detail: In OpenHarmony v6.0 and prior versions, a local attacker can cause a DoS through a missing release of memory.
   Solution: Update to version OpenHarmony v6.0.0.1
   Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-0639

2. CVE-2025-66376
   Published: 05/01/2026 | Last update: 18/03/2026
   Target: Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13
   Attack type: Cross-site Scripting
   CVSS severity rating: 7.2
   Detail: Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.
   Solution: Update to version 10.0.18 or 10.1.13 or later.
   Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-66376

3. CVE-2026-1276
   Published: 19/03/2026 | Last update: 19/03/2026
   Target: IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14
   Attack type: Cross-site Scripting
   CVSS severity rating: 5.4
   Detail: IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credential disclosure within a trusted session.
   Solution: IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14
   Reference: https://app.opencve.io/cve/CVE-2026-1276

4. CVE-2026-26931
   Published: 19/03/2026 | Last update: 19/03/2026
   Target: Elastic Metricbeat
     8.x: All versions from 8.0.0 up to and including 8.19.12
     9.x: All versions from 9.0.0 up to and including 9.2.4
   Attack type: Memory allocation
   CVSS severity rating: 5.7
   Detail: This vulnerability occurs in the Prometheus remote_write HTTP handler, where the application does not properly restrict memory allocation size. When processing input containing excessively large size values, Metricbeat attempts to allocate an excessive amount of memory, potentially leading to a Denial of Service (DoS) condition due to excessive allocation (CAPEC-130).
   Solution: Update to version 8.19.13 or 9.2.5
   Reference: https://discuss.elastic.co/t/metricbeat-8-19-13-9-2-5-security-update-esa-2026-09/385532

5. CVE-2026-0630
   Published: 02/02/2026 | Last update: 19/03/2026
   Target: TP-Link
     Archer BE230 v1.2: from 0 before 1.2.4 Build 20251218 rel.70420
     AXE75 v1.0: from 0 before 1.5.3 Build 20260209 rel. 71108
   Attack type: Command Injection
   CVSS severity rating: 8.0
   Detail: An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2 (web modules) and Archer AXE75 v1.0 allows an adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability.
   Solution:
     BE230 --> 1.2.4 Build 20251218 rel.70420
     AXE75 --> 1.5.3 Build 20260209 rel.71108
   Reference: https://www.cve.org/CVERecord?id=CVE-2026-0630


Malware News or Campaign IOC/IOA | EN

Each entry lists: No., campaign name, detection date, attack type, description and mitigation/remediation.

1. FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks
   Detection date: 21/03/2026
   Attack type: Phishing / Social Engineering
   Description: The FBI and CISA have warned that Russian-linked hacker groups are continuously targeting Signal and WhatsApp users with phishing techniques. These attacks trick victims into providing sensitive information, such as OTPs (One-Time Passwords) or verification codes. Once attackers obtain this information, they gain immediate control of the account, accessing private messages and contact lists, and allowing them to impersonate users and deceive others. Numerous accounts have reportedly been compromised, particularly those of high-profile individuals such as government officials, politicians, and journalists. The attacks don't penetrate the app's encryption but target the user directly. Therefore, the agencies advise caution regarding suspicious links or messages, urging users not to share OTPs with others, and recommending the use of two-factor authentication (2FA) for enhanced security.
   Mitigation/Remediation:
   • Never disclose your OTP/Verification Code to anyone.
   • Avoid clicking on links from untrusted messages.
   • Enable Multi-Factor Authentication (MFA/2FA).

Ref: https://www.scworld.com/brief/ai-generated-malware-slopoly-used-in-interlock-ransomware-attacks

31 March 2026
