If your business runs on Microsoft (whether that means Windows, Microsoft 365, or something heftier like Azure), there’s a new scam you need to know about.
This one pops up like it’s a real alert from something called Microsoft Azure Monitor, and it looks pretty convincing.
Whether you use Azure or not, the alert looks and feels real. And it’s slipping through many email security tools and landing right in your inbox. So it’s catching many people off guard.
Here’s everything to know about this latest threat.
What Is Azure Monitor?
Azure Monitor allows businesses to keep track of various systems and services across Microsoft’s business cloud platform (Azure) and hybrid environments. It gives business and IT leaders an at-a-glance interface where they can see logs and metrics from whatever Microsoft products they’re using.
Most of the time, we’re talking things like OpenTelemetry and Prometheus metrics that measure virtual machine performance and Kubernetes clusters. Lately, AI agent monitoring and agentic workflows have started showing up, too.
…Yeah, that was a mouthful. Most local small businesses don’t do much with these at this level on their own. If you have your own IT department or a significant IT services agreement, you might.
But all of this is a little bit beside the point because whether you use Azure or Azure Monitor or not, a very official-looking warning from Microsoft is enough to get most business leaders’ attention.
How the Scam Is Structured
When working properly (AKA the non-scam version), Azure Monitor essentially gives you a warning when behind-the-scenes systems and processes have a problem that needs attention.
So that’s exactly how the scam starts, too. You get a notification via email warning you about an issue of some sort. It could be a billing issue, a problem with your account, “suspicious activity,” or something gone awry with a vaguely-named Azure process.
If you’ve read any of our previous posts on phishing schemes, you can probably guess the next part.
The notification looks legit, but it isn’t. When you take whatever action it urges you to take, you’re giving up information to scammers. Stuff like account credentials or even billing details.
Why This Scam Is Getting Through (and Working)
Microsoft has gotten pretty great at detecting and blocking phishing emails. So have third-party business email security tools.
So why is this scam working at all?
Because the scammers aren’t using the usual tactics. Here’s what one version of the new attack looks like.
Instead of setting up a domain that looks like Azure Monitor, they’ve found a way to send their message through Azure Monitor itself. Since the notification is technically coming from Microsoft’s own system, many current safety tools can’t distinguish between these fraudulent emails and the real thing.
This is possible because Azure Monitor supports trigger-based alerts. These are supposed to allow for things like sending an alert or message whenever a new invoice is generated.
It’s possible to customize these messages, and that’s what’s happening. If the attackers gain access to the account of whoever set up the alerts (or a user with the right permissions), they can change the message, injecting a link or phone number that routes to a phishing scam.
Then, when that event triggers, Azure Monitor itself sends a message just like it was programmed to do. Only now it’s sending the fraudulent message, not the original helpful one.
Protect Yourself By Slowing Down
Like with other phishing schemes, the biggest tell is fake urgency. If a notification is pushing you to take an action as quickly as possible, and it’s an action you don’t normally take, pause and look closely.
Instead of calling or clicking the link, close the notification and manually navigate to your Microsoft account. If the issue is as urgent as they say, you’ll get notified when you log in or on one of the first dashboards you see.
If you don’t see anything, then congratulations: you just successfully avoided getting phished.
That’s it for this week. Let us know if we can help — contact us anytime.