Microsoft Azure alerts are being used in a new phishing scam
Michael Tunstall
July 2, 2026
Phishing emails are becoming increasingly convincing.
For years, we've been told to look out for poor spelling, strange email addresses, and messages that just don't feel right.
But cyber criminals are changing their approach.
Instead of pretending to be trusted companies, they're increasingly finding ways to use legitimate platforms to deliver their scams.
The latest example involves Microsoft Azure Monitor.
Why these emails look genuine
Azure Monitor is Microsoft's monitoring service for cloud environments.
Businesses use it to receive alerts about system performance, billing events, security issues, and other important notifications.
If your organisation uses Microsoft Azure, receiving emails from Azure Monitor is completely normal.
That's exactly why this latest scam is proving effective.
Rather than spoofing Microsoft, attackers are abusing Azure Monitor's legitimate alerting system to send phishing messages from genuine Microsoft domains.
Because the emails are sent through Microsoft's own infrastructure, they can appear far more trustworthy than traditional phishing emails.
What the scam looks like
Typically, the email claims there's an urgent issue that needs your attention.
It might mention:
Unexpected charges
A billing problem
Suspicious account activity
An account suspension
An invoice requiring immediate action
The goal is to create a sense of urgency.
Recipients are often encouraged to call a phone number, speak to a support representative, or take immediate action before supposedly losing access to their account.
How attackers are doing it
Azure Monitor allows authorised users to create custom alerts based on specific events.
These alerts can include customised messages that are automatically emailed when certain conditions are met.
Attackers are exploiting this functionality by creating simple alert rules and replacing the notification text with their own phishing message.
The result is an email that genuinely originates from Microsoft's systems while containing fraudulent instructions.
It's another example of attackers abusing trusted services rather than attempting to imitate them.
Why this matters
Many organisations rely on email filtering to identify suspicious messages.
While these tools remain extremely important, they aren't designed to block every email sent from legitimate platforms.
As phishing attacks evolve, it's becoming increasingly important for employees to verify unexpected requests, even when they appear to come from trusted organisations.
What should you do?
If you receive an unexpected Azure alert:
Don't panic or rush to respond.
Don't call any phone numbers included in the email.
Don't click links simply because the email appears genuine.
Sign in to your Azure portal directly through your web browser and check for notifications there.
If you're unsure, contact your IT provider before taking any action.
Taking a few extra minutes to verify a message could prevent a costly security incident.
The bigger picture
This isn't the first time attackers have abused trusted platforms, and it certainly won't be the last.
We've already seen similar techniques using services from companies such as PayPal and Google.
The common theme is simple.
Cyber criminals know that people trust recognised brands.
Instead of creating fake emails, they're increasingly finding ways to make legitimate services work in their favour.
That's why cyber security is no longer just about spotting spelling mistakes or suspicious sender addresses.
It's about slowing down, verifying unexpected requests, and making sure your business has the right technical controls and user awareness in place.
If you're not confident your employees would recognise this type of attack, now is a good time to review your cyber security awareness and email protection.