M365 Azure Monitor Alert Email with Financial or Billing Theme

Last updated 2026-03-23
Created 2026-03-23

About

Detects Azure Monitor alert notification emails with financial or billing themed subject lines delivered to organization users. Adversaries abuse Azure Monitor alert rules to deliver callback phishing emails from Microsoft's legitimate azure-noreply@microsoft.com address. Because the emails originate from Microsoft's own infrastructure, they pass SPF, DKIM, and DMARC checks, bypassing email security filters and increasing victim trust. The attacker embeds a fraudulent billing or security lure in the alert rule description, which is rendered in the notification email body. Observed subject patterns include invoice numbers, payment references, and order confirmations.
Tags
Domain: Cloud
Domain: Email
Data Source: Microsoft 365
Data Source: Microsoft Exchange Online Message Trace
Use Case: Threat Detection
Tactic: Initial Access
Language: esql
Severity
low
Risk Score
21
MITRE ATT&CK™

Initial Access (TA0001)

False Positive Examples
Organizations that use Azure Monitor alert rules with financial- or billing-related naming conventions for legitimate infrastructure monitoring may trigger this rule. Review the email subject and recipient to determine whether the alert originates from a known internal Azure subscription.
License
Elastic License v2

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

microsoft_exchange_online_message_trace

Query
    from logs-microsoft_exchange_online_message_trace.* metadata _id, _version, _index
    // Filter for Azure Monitor notification emails with financial/billing themed subjects
    | where event.dataset == "microsoft_exchange_online_message_trace.log"
      and email.from.address == "azure-noreply@microsoft.com"
      and event.outcome in ("success", "unknown")
      and email.subject like "*Azure Monitor alert*"
      and (
        email.subject like "*INV-*" or
        email.subject like "*invoice*" or
        email.subject like "*payment*" or
        email.subject like "*order-*" or
        email.subject like "*purchase*" or
        email.subject like "*funds*" or
        email.subject like "*receipt*" or
        email.subject like "*billing*" or
        email.subject like "*transaction*" or
        email.subject like "*refund*" or
        email.subject like "*charge*" or
        email.subject like "*subscription*" or
        email.subject like "*renewal*" or
        email.subject like "*overdue*" or
        email.subject like "*past due*" or
        email.subject like "*amount due*" or
        email.subject like "*wire transfer*" or
        email.subject like "*bank account*" or
        email.subject like "*credit card*" or
        email.subject like "*financial*" or
        email.subject like "*remittance*"
      )
    | keep *
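As an added example that is not part of the Elastic rule or its repository, the same clauses applied in Python to constructed, flattened message-trace events: the field names mirror the query, the sample events, recipient addresses and the `triage` helper are assumptions, and `fnmatchcase` reproduces a case-sensitive wildcard match so the result is as literal as the query's patterns.

```python
import fnmatch

# Subject keyword patterns, copied from the rule's email.subject clauses.
FINANCIAL_PATTERNS = [
    "*INV-*", "*invoice*", "*payment*", "*order-*", "*purchase*", "*funds*",
    "*receipt*", "*billing*", "*transaction*", "*refund*", "*charge*",
    "*subscription*", "*renewal*", "*overdue*", "*past due*", "*amount due*",
    "*wire transfer*", "*bank account*", "*credit card*", "*financial*",
    "*remittance*",
]
AZURE_SENDER = "azure-noreply@microsoft.com"
DATASET = "microsoft_exchange_online_message_trace.log"


def matches_rule(event: dict) -> bool:
    """True when one flattened message-trace event satisfies every clause of the rule.
    Matching is case-sensitive like the literal query: "Invoice" does not hit
    "*invoice*", while "*INV-*" catches the upper-case invoice-number prefix."""
    if event.get("event.dataset") != DATASET:
        return False
    if event.get("email.from.address") != AZURE_SENDER:
        return False
    if event.get("event.outcome") not in ("success", "unknown"):
        return False
    subject = event.get("email.subject", "")
    if not fnmatch.fnmatchcase(subject, "*Azure Monitor alert*"):
        return False
    return any(fnmatch.fnmatchcase(subject, p) for p in FINANCIAL_PATTERNS)


def triage(events: list) -> list:
    """(recipient, subject) pairs for hits: the two fields the false-positive guidance
    says to check against known internal Azure subscriptions (hypothetical helper)."""
    return [(e["email.to.address"], e["email.subject"]) for e in events if matches_rule(e)]


# Constructed sample events (not real message-trace data).
SAMPLE_EVENTS = [
    {"event.dataset": DATASET, "email.from.address": AZURE_SENDER,
     "email.to.address": "user1@example.com", "event.outcome": "success",
     "email.subject": "Azure Monitor alert 'payment for invoice INV-48213 is past due' was activated"},
    {"event.dataset": DATASET, "email.from.address": AZURE_SENDER,  # legitimate ops alert
     "email.to.address": "sre@example.com", "event.outcome": "success",
     "email.subject": "Azure Monitor alert 'CPU above 90% on vm-prod-01' was activated"},
    {"event.dataset": DATASET, "email.from.address": "billing@example.com",  # wrong sender
     "email.to.address": "user2@example.com", "event.outcome": "success",
     "email.subject": "Azure Monitor alert invoice attached"},
    {"event.dataset": DATASET, "email.from.address": AZURE_SENDER,  # delivery failed
     "email.to.address": "user3@example.com", "event.outcome": "failure",
     "email.subject": "Azure Monitor alert 'refund pending' was activated"},
]
```

Only the first sample event survives all four clauses; the other three show which single clause (keyword, sender, outcome) drops an otherwise similar message.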

Install detection rules in Elastic Security

Detect M365 Azure Monitor Alert Email with Financial or Billing Theme in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.