Organizations that use Azure Monitor alert rules with financial or billing related naming conventions for legitimate infrastructure monitoring may trigger this rule. Review the email subject and recipient to determine whether the alert originates from a known internal Azure subscription.

Techniques

Sample rules

M365 Azure Monitor Alert Email with Financial or Billing Theme

Description

Detects Azure Monitor alert notification emails with financial or billing themed subject lines delivered to organization users. Adversaries abuse Azure Monitor alert rules to deliver callback phishing emails from Microsoft’s legitimate azure-noreply@microsoft.com address. Because the emails originate from Microsoft’s own infrastructure, they pass SPF, DKIM, and DMARC checks, bypassing email security filters and increasing victim trust. The attacker embeds a fraudulent billing or security lure in the alert rule description, which is rendered in the notification email body. Observed subject patterns include invoice numbers, payment references, and order confirmations.

Detection logic

from logs-microsoft_exchange_online_message_trace.* metadata _id, _version, _index

// Filter for Azure Monitor notification emails with financial/billing themed subjects
| where event.dataset == "microsoft_exchange_online_message_trace.log"
    and email.from.address == "azure-noreply@microsoft.com"
    and event.outcome in ("success", "unknown")
    and email.subject like "*Azure Monitor alert*"
    and (
        email.subject like "*INV-*"
        or email.subject like "*invoice*"
        or email.subject like "*payment*"
        or email.subject like "*order-*"
        or email.subject like "*purchase*"
        or email.subject like "*funds*"
        or email.subject like "*receipt*"
        or email.subject like "*billing*"
        or email.subject like "*transaction*"
        or email.subject like "*refund*"
        or email.subject like "*charge*"
        or email.subject like "*subscription*"
        or email.subject like "*renewal*"
        or email.subject like "*overdue*"
        or email.subject like "*past due*"
        or email.subject like "*amount due*"
        or email.subject like "*wire transfer*"
        or email.subject like "*bank account*"
        or email.subject like "*credit card*"
        or email.subject like "*financial*"
        or email.subject like "*remittance*"
    )

| keep *
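The filter above replayed in Python over a constructed message trace, followed by the triage step from the false-positive note (is the recipient a mailbox that is expected to receive alerts from a known internal subscription?). This is an added example, not the rule's own code; the sample addresses, alert names and the known-recipient set are assumptions.

```python
from dataclasses import dataclass

AZURE_SENDER = "azure-noreply@microsoft.com"
DELIVERED_OUTCOMES = {"success", "unknown"}
# Same subject terms the ES|QL query tests with LIKE; compared case-insensitively
# here, which is a choice made for this example, not the rule's own semantics.
FINANCIAL_TERMS = (
    "inv-", "invoice", "payment", "order-", "purchase", "funds", "receipt",
    "billing", "transaction", "refund", "charge", "subscription", "renewal",
    "overdue", "past due", "amount due", "wire transfer", "bank account",
    "credit card", "financial", "remittance",
)

@dataclass
class TraceRecord:
    """Minimal stand-in for one message-trace event (constructed, not real log data)."""
    sender: str
    recipient: str
    subject: str
    outcome: str

def financial_terms_in(subject: str) -> list[str]:
    """Financial/billing terms present in the subject, in the query's order."""
    subj = subject.lower()
    return [t for t in FINANCIAL_TERMS if t in subj]

def is_financial_azure_alert(rec: TraceRecord) -> bool:
    """Mirror the detection filter: delivered mail from the Azure sender whose
    subject is an Azure Monitor alert carrying at least one financial term."""
    return (rec.sender == AZURE_SENDER
            and rec.outcome in DELIVERED_OUTCOMES
            and "azure monitor alert" in rec.subject.lower()
            and bool(financial_terms_in(rec.subject)))

def triage(records, known_alert_recipients):
    """LoFP check: a hit delivered to a mailbox that legitimately receives alerts
    from a known internal subscription is 'expected'; anything else 'investigate'."""
    results = []
    for rec in records:
        if is_financial_azure_alert(rec):
            verdict = "expected" if rec.recipient in known_alert_recipients else "investigate"
            results.append((rec.recipient, rec.subject, verdict))
    return results

# Constructed sample trace; addresses and alert-rule names are placeholders.
SAMPLE_TRACE = [
    TraceRecord(AZURE_SENDER, "jdoe@example.com", "Azure Monitor alert INV-48213 payment overdue", "success"),
    TraceRecord(AZURE_SENDER, "cloud-ops@example.com", "Azure Monitor alert billing-budget-80pct fired", "success"),
    TraceRecord(AZURE_SENDER, "cloud-ops@example.com", "Azure Monitor alert vm-cpu-high fired", "success"),
    TraceRecord("billing@vendor.example", "jdoe@example.com", "Invoice INV-1001 payment due", "success"),
    TraceRecord(AZURE_SENDER, "jdoe@example.com", "Azure Monitor alert refund transaction", "failed"),
]
KNOWN_ALERT_RECIPIENTS = {"cloud-ops@example.com"}  # assumed ops distribution list
```

Running `triage(SAMPLE_TRACE, KNOWN_ALERT_RECIPIENTS)` flags only the first two records: the lure to the individual user as "investigate", the budget alert to the ops mailbox as "expected".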