
I keep getting well-crafted phishing emails from Azure alerts

mikeblas 1 Reputation point
2026-03-17T23:25:49.0366667+00:00

Is anyone else getting spurious alerts from Azure? They don't match any alarm I'd expect to get, so they seem to be phishing. But all the headers in the message make it seem very legit -- sent from Azure, all microsoft domains, and all the links I can find go to azure correctly. But the alarm being reported isn't something I have configured, and doesn't really make sense in the first place.

Here's the most recent one,

Alert rule description: MICROSOFT CORPORATION BILLING AND ACCOUNT SECURITY NOTICE. Our system has detected a potentially unauthorized charge on your account. Transaction Details: Item name: Windows Defender. Transaction ID: PP456-887A-22B. Amount: 459.90 USD. Date: 03/16/2026. If you did NOT authorize this payment, contact our 24/7 Microsoft Account Security Support at +1 (805) 316-9716. We apologize for any inconvenience and appreciate your prompt response. Microsoft Account Security Team.

RuleID: /subscriptions/########-###-###-81245d175f13/resourceGroups/httpz-#######/providers/Microsoft.Insights/metricAlerts/CloudScout-#######-A6

Metric name: ServiceApiHit

Metric namespace: vaults/receipt5084041

Dimensions: microsoft.resourceId = /subscriptions/########-####-####-####-81245d175f13/resourcegroups/httpz-#######/providers/microsoft.keyvault/vaults/receipt#######

Time Aggregation: Total

Period: Over the last 1 mins

Operator: GreaterThan

Threshold: 0

Criterion Type: StaticThresholdCriterion

Dynamic Threshold Sensitivity: -

Dynamic Threshold Failing Periods: -

I've received about 6 of these in the last two weeks. Since neither the alarm nor the resource the alarm monitors are part of my subscriptions, I can't even open a ticket that identifies the issue.

Why is it possible to associate an email with an alarm when that email is not only associated with the alarm's subscription, but also associated with another active account's subscription? The lack of verification here seems like a pretty egregious security bug.

I can't block the sender because it's a legitimate Microsoft address, and would end up blocking alerts that I do need.

Azure Monitor

An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.

2 answers

  1. Siva shunmugam Nadessin 8,325 Reputation points Microsoft External Staff Moderator
    2026-03-18T06:50:12.11+00:00

    Hello mikeblas,

    Thank you for posting your query on Microsoft Q&A platform.

    By investigation we see that what you’re describing closely aligns with a known scam pattern involving Azure alert emails.

    In these cases, attackers first gain access to an Azure subscription and then deliberately configure alert rules to send notifications to external email addresses (such as yours). They subsequently trigger those alerts. While the emails are technically generated by Azure, the alert message content itself is authored by the attackers.

    These emails typically include alarming language such as:

    • references to a “Fraud Prevention System” or “Windows Defender,”
    • warnings about large, suspicious charges,
    • threats of account suspension, and
    • a so‑called “Fraud Resolution” or “Support Hotline” phone number.

    The objective is to pressure recipients into calling that number, where the scam continues.

    Important guidance:

    • Do not call any phone number mentioned in the email.
    • Do not click any links included in the message.
    • Simply delete the email.

    It’s worth noting that these messages can appear convincing because they are sent from legitimate Microsoft email infrastructure. However, Microsoft does not include phone numbers or urgent call‑to‑action language like this in genuine Azure alert notifications.

    Reference: https://malwaretips.com/blogs/microsoft-azure-alert-was-triggered-scam-exposed-investigation/

    If the provided information helped, kindly consider marking the answer as "Accepted" and "Upvote" it. This helps other community members who may encounter a similar issue in the future.

    If you have any queries, please feel free to reach out to us.


  2. TP 155.6K Reputation points Volunteer Moderator
    2026-03-18T04:59:14.91+00:00

    Hi,

    Yes, recently (past few weeks) there have been malicious Azure Monitor Alert messages going out similar to what you have received. DO NOT call any phone number(s) in the email messages.

    It appears what is happening is bad actors get access to an Azure subscription, set up Alerts with potential victim's email address (your email) set as recipient, then trigger alert. In the text of the alert they mention things like Fraud Prevention System, Windows Defender, some substantial $ amount, potentially unauthorized charge, account suspension, Fraud Resolution Hotline, etc., and their goal is for you to call a phone number.

    They want you to call them so they can scam you. People have reported that if you call they want to connect to your PC using AnyDesk and then get you to access bank accounts so they can wire out money or similar.

    Currently there isn't a good way to make them stop. You could create an email rule to move them to separate folder. I don't recommend blocking them permanently because they are from real Microsoft email address. The text of the alert is written by the scammers.

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP
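
The checks described in this thread can be combined into a mail-triage rule: the alert rule sits in a subscription the recipient does not own, and its description carries a phone number and billing-lure wording. The following is an added example, not code from the posters or from Microsoft; `triage_alert`, the scoring weights, the term list and all sample values are assumptions constructed for illustration.

```python
import re

SUB_RE = re.compile(r"/subscriptions/([^/]+)/", re.IGNORECASE)
# North American style phone number, e.g. "+1 (555) 010-0199" or "555-010-0199".
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[\s.-]\s?\d{3}[\s.-]\d{4}\b")
# Lure phrases modelled on the scam wording quoted in this thread (assumed list).
LURE_TERMS = ("unauthorized charge", "account suspension", "fraud",
              "hotline", "security support", "transaction id")


def triage_alert(description, rule_id, expected_subscriptions):
    """Score one alert notification; return (verdict, reasons)."""
    reasons, score = [], 0
    match = SUB_RE.search(rule_id)
    sub_id = match.group(1).lower() if match else None
    # A rule outside the recipient's own subscriptions weighs the most.
    if sub_id not in {s.lower() for s in expected_subscriptions}:
        score += 2
        reasons.append(f"rule is in unexpected subscription {sub_id}")
    if PHONE_RE.search(description):
        score += 1
        reasons.append("phone number in rule description")
    hits = [t for t in LURE_TERMS if t in description.lower()]
    if hits:
        score += 1
        reasons.append("lure terms: " + ", ".join(hits))
    verdict = "quarantine" if score >= 3 else "review" if score else "deliver"
    return verdict, reasons


# Constructed sample data (not real subscriptions, rules or phone numbers).
MY_SUBS = {"11111111-1111-1111-1111-111111111111"}
SCAM = {
    "description": "BILLING NOTICE. Potentially unauthorized charge of 459.90 USD. "
                   "Call Account Security Support at +1 (555) 010-0199.",
    "rule_id": "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/"
               "rg-x/providers/Microsoft.Insights/metricAlerts/rule-x",
}
LEGIT = {
    "description": "CPU percentage above 90 on web-prod-01",
    "rule_id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/"
               "rg-web/providers/Microsoft.Insights/metricAlerts/cpu-high",
}

if __name__ == "__main__":
    for name, mail in (("scam", SCAM), ("legit", LEGIT)):
        print(name, triage_alert(mail["description"], mail["rule_id"], MY_SUBS))
```

Because the sender address is genuine, the verdict rests only on the rule's subscription and the attacker-authored description, so legitimate alerts from the recipient's own subscriptions still get delivered.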
