This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 37%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELP%3C/text%3E%3C/svg%3E)
Hi there,
The service that I haven’t started incurs a cost; The following resource groups were suddenly created on May 9th in the Azure portal:
NetworkWatcherRG and test 1 from Australia. test 1 resource group consists of many virtual machines.
I suppose there has been a security breach, and I’d like to dispute the incurred cost so far.
What should I do in terms of preventing this and the cost dispute?
Should I remove these services before being reviewed by Microsoft?
Best regards,
Lachezar
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 72%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENP%3C/text%3E%3C/svg%3E)
Hi Lachezar Popov
Just checking in to see if the below answer provided by @Reza-Ameri helped.
If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know
We haven't heard back from you checking to see if the above answer provided by Reza-Ameri helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 81%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
Hi,
Please have a look at login logs and see if you observe any suspicious login or not.
It is recommended to directly contact Microsoft.
In case you want to remove them, make sure take screenshot and collect other helpful information.
Hi Reza-Ameri,
Thank you for the provided info.
I deleted the resource groups as you recommended and collected the corresponding info.
However, the sluggish Microsoft support will take any action not earlier than 12 May 2025.
You can imagine that these VMs created by the hacker might be used to attack other microsoft client accounts.
And there is no any faster way one to inform the technical support at least to start taking actions to close these loopholes immediately.
You may also report to Microsoft Security team which they response quicker.
Have a look at: