M365 Azure Monitor Alert Email with Financial or Billing Theme
Detects Azure Monitor alert notification emails with financial or billing themed subject lines delivered to organization users. Adversaries abuse Azure Monitor alert rules to deliver callback phishing emails from Microsoft's legitimate azure-noreply@microsoft.com address. Because the emails originate from Microsoft's own infrastructure, they pass SPF, DKIM, and DMARC checks, bypassing email security filters and increasing victim trust. The attacker embeds a fraudulent billing or security lure in the alert rule description, which is rendered in the notification email body. Observed subject patterns include invoice numbers, payment references, and order confirmations.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2026/03/23"
integration = ["microsoft_exchange_online_message_trace"]
maturity = "production"
updated_date = "2026/04/10"

[rule]
author = ["Elastic"]
description = """
Detects Azure Monitor alert notification emails with financial or billing themed subject lines delivered to organization
users. Adversaries abuse Azure Monitor alert rules to deliver callback phishing emails from Microsoft's legitimate
azure-noreply@microsoft.com address. Because the emails originate from Microsoft's own infrastructure, they pass SPF,
DKIM, and DMARC checks, bypassing email security filters and increasing victim trust. The attacker embeds a fraudulent
billing or security lure in the alert rule description, which is rendered in the notification email body. Observed
subject patterns include invoice numbers, payment references, and order confirmations.
"""
false_positives = [
    """
    Organizations that use Azure Monitor alert rules with financial or billing related naming conventions for legitimate
    infrastructure monitoring may trigger this rule. Review the email subject and recipient to determine if the alert
    originates from a known internal Azure subscription.
    """,
]
from = "now-9m"
language = "esql"
license = "Elastic License v2"
name = "M365 Azure Monitor Alert Email with Financial or Billing Theme"
note = """## Triage and analysis

### Investigating M365 Azure Monitor Alert Email with Financial or Billing Theme

Azure Monitor alert rules can be abused by adversaries to deliver callback phishing emails from Microsoft's legitimate `azure-noreply@microsoft.com` address. The attacker creates a metric or activity log alert in their own Azure tenant with a phishing lure embedded in the description field, then adds victim email addresses to an action group. When the alert fires, Microsoft sends the notification email, complete with the embedded lure, directly to the victims.

### Possible investigation steps

- Review the `email.subject` field to determine if the alert name matches known phishing patterns (e.g., `INV-`, `Payment Reference`, `order-`, `Funds Received`).
- Check the `email.to.address` field to identify which users received the email and whether they are high-value targets.
- Search for additional emails from `azure-noreply@microsoft.com` to the same recipient within a short time window. The attack typically sends both a "Fired" and "Resolved" notification, doubling phishing impressions.
- Look for an earlier "You're now in the X action group" notification email, which arrives before the phishing alert; this confirms the user was added to an external Azure Monitor action group.
- Check email message headers for the originating Azure subscription and resource group, which are embedded in the alert details.
- Contact the recipient to determine if they interacted with the email or called the phone number in the lure.
- If the victim called the number, initiate incident response for potential credential theft, payment fraud, or remote access tool installation.

### False positive analysis

- Legitimate Azure Monitor alerts with financial naming (e.g., a cost alert named "Invoice threshold exceeded") may match. Verify the alert originates from a known internal Azure subscription by examining the email body or message headers.
- Internal teams that name alert rules with billing-related terms for cost management should be documented as exceptions.

### Response and remediation

- If the email is confirmed as phishing, block the sender pattern and alert name in your email security gateway.
- Quarantine or delete the phishing emails from affected mailboxes.
- If the victim called the phone number, treat as a compromised account: reset credentials, revoke sessions, and audit for unauthorized access.
- Report the Azure subscription ID from the email headers to Microsoft abuse team for takedown.
- Consider implementing a mail flow rule to flag or quarantine Azure Monitor notification emails that contain phone numbers or financial language in the body.
"""
references = [
    "https://www.bleepingcomputer.com/news/security/microsoft-azure-monitor-alerts-abused-in-callback-phishing-campaigns/",
]
risk_score = 21
rule_id = "a6129187-c47b-48ab-a412-67a44836d918"
severity = "low"
tags = [
    "Domain: Cloud",
    "Domain: Email",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft Exchange Online Message Trace",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-microsoft_exchange_online_message_trace.* metadata _id, _version, _index

// Filter for Azure Monitor notification emails with financial/billing themed subjects
| where data_stream.dataset == "microsoft_exchange_online_message_trace.log"
  and email.from.address == "azure-noreply@microsoft.com"
  and event.outcome in ("success", "unknown")
  and email.subject like "*Azure Monitor alert*"
  and (
    email.subject like "*INV-*"
    or email.subject like "*invoice*"
    or email.subject like "*payment*"
    or email.subject like "*order-*"
    or email.subject like "*purchase*"
    or email.subject like "*funds*"
    or email.subject like "*receipt*"
    or email.subject like "*billing*"
    or email.subject like "*transaction*"
    or email.subject like "*refund*"
    or email.subject like "*charge*"
    or email.subject like "*subscription*"
    or email.subject like "*renewal*"
    or email.subject like "*overdue*"
    or email.subject like "*past due*"
    or email.subject like "*amount due*"
    or email.subject like "*wire transfer*"
    or email.subject like "*bank account*"
    or email.subject like "*credit card*"
    or email.subject like "*financial*"
    or email.subject like "*remittance*"
  )

| keep *
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.003"
name = "Spearphishing via Service"
reference = "https://attack.mitre.org/techniques/T1566/003/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
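The query's `where` clause and two of the investigation-guide correlations (the "Fired"/"Resolved" pair and the preceding "You're now in the X action group" notice), replayed over constructed Exchange Online message-trace records. This is an added example, not Elastic's code. Records use the rule's ECS field names as flat dotted keys, the sample subjects and the action-group regex are assumptions built from the guide's wording, and subject terms are matched case-insensitively here by choice rather than as a statement about ES|QL `like` semantics.

```python
"""Replay of the rule's ES|QL filter and of two investigation-guide
correlations over constructed Exchange Online message-trace records.
Added example, not part of the Elastic rule. Records use the rule's ECS
field names as flat dotted keys (a simplification for this example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SENDER = "azure-noreply@microsoft.com"
DATASET = "microsoft_exchange_online_message_trace.log"

# Subject terms copied from the rule's query, in the same order.
FINANCIAL_TERMS = (
    "INV-", "invoice", "payment", "order-", "purchase", "funds", "receipt",
    "billing", "transaction", "refund", "charge", "subscription", "renewal",
    "overdue", "past due", "amount due", "wire transfer", "bank account",
    "credit card", "financial", "remittance",
)

# Enrolment notice the guide says precedes the lure; the regex is an assumption
# built from the guide's wording "You're now in the X action group".
ACTION_GROUP_RE = re.compile(r"you're now in the .+ action group", re.IGNORECASE)


def matches_rule(rec: dict) -> bool:
    """Mirror of the query's `where` clause for a single record."""
    if rec.get("data_stream.dataset") != DATASET:
        return False
    if rec.get("email.from.address") != SENDER:
        return False
    if rec.get("event.outcome") not in ("success", "unknown"):
        return False
    subject = rec.get("email.subject", "")
    if "Azure Monitor alert" not in subject:
        return False
    # Case-insensitive here by choice; the rule's patterns are literal wildcards.
    low = subject.lower()
    return any(term.lower() in low for term in FINANCIAL_TERMS)


def triage(records: list, window: timedelta = timedelta(hours=24)) -> dict:
    """Group rule hits by recipient and add the guide's supporting signals:
    a Fired/Resolved pair near the hit, and an earlier action-group notice."""
    by_rcpt = defaultdict(list)
    for rec in records:
        if rec.get("email.from.address") == SENDER:
            by_rcpt[rec["email.to.address"]].append(rec)

    findings = {}
    for rcpt, msgs in by_rcpt.items():
        hits = [m for m in msgs if matches_rule(m)]
        if not hits:
            continue
        first = min(m["@timestamp"] for m in hits)
        near = [m["email.subject"] for m in msgs
                if abs(m["@timestamp"] - first) <= window]
        findings[rcpt] = {
            "hits": [m["email.subject"] for m in hits],
            "fired_and_resolved": any("Fired" in s for s in near)
                                  and any("Resolved" in s for s in near),
            "action_group_notice": any(
                m["@timestamp"] < first and ACTION_GROUP_RE.search(m["email.subject"])
                for m in msgs),
        }
    return findings


def _rec(ts, to, subject, outcome="success"):
    return {"@timestamp": datetime.fromisoformat(ts), "data_stream.dataset": DATASET,
            "email.from.address": SENDER, "email.to.address": to,
            "email.subject": subject, "event.outcome": outcome}


# Constructed sample trace (not real telemetry); subject shapes are assumed.
SAMPLE_TRACE = [
    _rec("2026-03-20T09:00:00", "j.doe@example.com",
         "You're now in the ag-billing action group"),
    _rec("2026-03-20T09:12:00", "j.doe@example.com",
         "Fired:Sev3 Azure Monitor alert INV-48213 Payment Reference 9921"),
    _rec("2026-03-20T09:27:00", "j.doe@example.com",
         "Resolved:Sev3 Azure Monitor alert INV-48213 Payment Reference 9921"),
    # Legitimate internal alert: sender matches, subject has no financial term.
    _rec("2026-03-20T10:05:00", "ops@example.com",
         "Fired:Sev4 Azure Monitor alert cpu-high on vm-prod-01"),
    # Lure that was not delivered: excluded by event.outcome.
    _rec("2026-03-20T10:40:00", "k.lee@example.com",
         "Fired:Sev3 Azure Monitor alert Funds Received order-1182", outcome="failed"),
]

if __name__ == "__main__":
    for rcpt, info in triage(SAMPLE_TRACE).items():
        print(rcpt, info)
```

The undelivered lure to `k.lee@example.com` is the case to watch when tuning: the rule deliberately keys on `event.outcome`, so a message the gateway already rejected never raises an alert, while the action-group enrolment notice is visible in the trace before any lure and is worth hunting for on its own.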
Related rules
- M365 Exchange Inbox Phishing Evasion Rule Created
- M365 Exchange Mailbox Accessed by Unusual Client
- M365 Exchange Mailbox Items Accessed Excessively
- M365 Identity Login from Atypical Travel Location
- M365 Identity Login from Impossible Travel Location