Sophisticated Azure billing phishing email going around
Posted by DarkAlman@reddit | sysadmin | 22 comments
There's a fairly sophisticated Azure billing phishing email making the rounds.
I got this in my personal email (that doesn't have a 365 tenant associated with it).
The source email and IP is from Microsoft, and even some of the links appear to be legit, but the phone number listed is a scam call center.
https://i.imgur.com/Crwx4WG.png
Bunch of people chatting about it on the Microsoft forums atm.
https://learn.microsoft.com/en-us/answers/questions/5791488/your-azure-monitor-alert-was-triggered-azure-monit
avenabless@reddit
I’ve been receiving emails the past week from apimgmt-noreply @ mail.windowsazure.com about subscriptions from BTC, Norton and McAfee. Anyone else having the same issue? Not sure if it’s a scam but they never address me by name.
_wlau_@reddit
Microsoft is asleep at the wheel again! These emails come from azure-noreply@microsoft.com. None of Microsoft's own email services, Office 365 or Live (free consumer), can block this email address even though it's on their blocked email list.
Microsoft needs to stop wasting time on Copilot that nobody wants and fix these infrastructure issues.
Severe-Priority-5039@reddit
Mine told me they were charging ~450$ for Microsoft defender.... from the same azure-noreply listed.... I ignored it for the most part simply because I don't trust Microsoft anyway and treat Microsoft as a hostile company. In par to that, I don't communicate directly with them.
Artistic-Lychee-6629@reddit
I think I just received the same email. I was brought to this page after googling to see if it was a scam
codeasm@reddit
Never used Azure, glad I found this thread. Thanks all, to the bin with it. Also, thanks Microsoft.
whiskeychainsaw@reddit
Hey all, I'm not a sysadmin by a long shot, I'm an Epic trainer (EHR software) and got an email in my personal email from "azure-noreply@microsoft.com" so googled it and found this thread.
I recently had my personal 365 home renew, the Azure emails started coming to my gmail, without the (generally shitty) spam filter catching it. I marked them as junk, and just cleared my junk folder, I saw about 15 of them over the past week or so.
Figured I'd mention it in case it assists you all in your endeavors or simply lets you know laymen are getting them too.
Have a great day!
Tikky_Tac@reddit
I just got two of these (3/6/2026). The preview said something about invoices and my recent "order." It's scary how legit they appeared upon cursory examination. Thanks for posting this, DarkAlman.
Angrymilks@reddit
I’ve been getting a bunch from Microsoft Fabric lately.
bjc1960@reddit
explain more please
Angrymilks@reddit
Emails are originating directly from Microsoft Fabric, link leads to PowerBI
bjc1960@reddit
Thx. We have been getting new emails about our capacity at 100% and capacity metrics failing. We assumed those were legit, as accounting added new stuff. The one you posted is not what we got. Thank you for taking the time on a Sunday to reply to me so quickly.
applevinegar@reddit
Can we see the headers?
DarkAlman@reddit (OP)
Received: from outlook.office365.com (2603:10b6:5:22f::11) by DM6PR06MB6537.namprd06.prod.outlook.com with HTTP via BLAPR03CA0137.NAMPRD03.PROD.OUTLOOK.COM; Fri, 27 Feb 2026 16:58:36 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=microsoft.com; s=s1024-meo; c=relaxed/relaxed; i=azure-noreply@microsoft.com; t=1772211516; h=from:subject:date:message-id:to:mime-version:content-type; bh=NGYBtumwqxJPSkMxPiHqqL8809LMYIjjG62x4sb/QXw=; b=gftl6RLj6KBJuWzdDTByVEjseUi0b87pYwyt74EPepIEUL2/uBSOhhRHdFkrHYYgxLyqR8N2Ig2 1a4bGKm8QObRyrabGIrzVrHWD1pEMlrpF9Z07zR0Lx4sPdsynYH8edxDQMOHpKAhEnSbXAQ3htCRT lrDlhsV32uJhLfOuWJs=
From: Microsoft Azure azure-noreply@microsoft.com
Date: Fri, 27 Feb 2026 16:58:36 +0000
Subject: Azure: Activated Severity: 2 invoice-00451823
Message-Id: 951f1b47-fba5-40cb-a8b0-94d8f46de815@az.westcentralus.microsoft.com
Return-Path: azure-noreply@microsoft.com
Received: from CH0PR03CA0421.namprd03.prod.outlook.com (2603:10b6:610:10e::26) by SA1PR01MB8590.prod.exchangelabs.com (2603:10b6:806:387::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9654.16; Fri, 27 Feb 2026 16:58:39 +0000
Received: from CH3PEPF0000000E.namprd04.prod.outlook.com (2603:10b6:610:10e:cafe::d3) by CH0PR03CA0421.outlook.office365.com (2603:10b6:610:10e::26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9632.27 via Frontend Transport; Fri, 27 Feb 2026 16:58:40 +0000
Authentication-Results: spf=pass (sender IP is 52.101.85.100) smtp.mailfrom=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 52.101.85.100 as permitted sender) receiver=protection.outlook.com; client-ip=52.101.85.100; helo=BYAPR05CU005.outbound.protection.outlook.com; pr=C
Received: from BYAPR05CU005.outbound.protection.outlook.com (52.101.85.100) by CH3PEPF0000000E.mail.protection.outlook.com (10.167.244.42) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.9654.16 via Frontend Transport; Fri, 27 Feb 2026 16:58:39 +0000
applevinegar@reddit
So 100% legit - they must have found a way to send customized messages through the admin interface. Again.
Thank you for sharing.
buttleake@reddit
It honestly looks like someone set up a free Azure Monitor alert, customized the description to have the Phish text, and then set the user as the recipient.
Very common tactic, but I don't often see Azure Monitor being leveraged
unstopablex15@reddit
that's exactly what happened. good eye!
---root--@reddit
Yeah, the fact that the text is under the alert rule description section kind of gives it away. Still decent attempt.
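An added example, not part of any comment in this thread: a triage sketch showing why the SPF/DKIM/DMARC results in the posted headers cannot decide the verdict, and a content check on the alert text instead. The message body, the phone number, the keyword list and the function names are assumptions made up for the illustration.

```python
import re
from email import message_from_string

# Constructed sample. Authentication-Results and Subject are copied from the
# headers posted in the thread; the body text and phone number are invented.
SAMPLE = """\
Authentication-Results: spf=pass (sender IP is 52.101.85.100)
 smtp.mailfrom=microsoft.com; dkim=pass (signature was verified)
 header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
 compauth=pass reason=100
From: Microsoft Azure <azure-noreply@microsoft.com>
Subject: Azure: Activated Severity: 2 invoice-00451823

Your Azure Monitor alert was triggered.
Alert rule description: Your order was charged $450.00. If you did not
authorize this payment, call +1 (555) 010-0199 to request a refund.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
PHONE_RE = re.compile(r"(?:\+?\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
BILLING_RE = re.compile(r"\b(invoice|charged?|payment|refund|order|subscription)\b", re.I)

def auth_results(msg):
    """Map spf/dkim/dmarc to their verdicts from Authentication-Results."""
    return dict(AUTH_RE.findall(msg.get("Authentication-Results", "")))

def triage(raw):
    """Return (auth verdicts, content-based reasons to quarantine)."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    reasons = []
    # Sender authentication passes for these mails, so it cannot decide;
    # look at what the tenant-controlled alert text asks the reader to do.
    if "azure-noreply@microsoft.com" in msg.get("From", "").lower():
        if PHONE_RE.search(text):
            reasons.append("callback phone number in an Azure notification")
        if BILLING_RE.search(text):
            reasons.append("billing/refund wording in an Azure notification")
    return auth, reasons

if __name__ == "__main__":
    verdicts, why = triage(SAMPLE)
    print(verdicts)
    for reason in why:
        print("flag:", reason)
```

The keyword and phone patterns are heuristics and need tuning against real notification traffic before being used in a mail rule.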
DarkAlman@reddit (OP)
San Francisco, United States
Owner Details
IP Address: 52.101.85.100
Fwd/Rev DNS Match: Yes
Hostname: mail-westusazon11020100.outbound.protection.outlook.com
Domain: outlook.com
Network Owner: microsoft corp
unstopablex15@reddit
Clever. Only fools would fall for this though.
huskerman007@reddit
I got this one yesterday on my personal account that I have a test azure tenant on.
Only_Helicopter_8127@reddit
These vendor impersonation attacks are getting nastier. I've seen Abnormal AI's behavioral analysis catch these by detecting anomalies in sender patterns and content context, even when SPF/DKIM pass. The phone number swap is classic, they know most people won't verify every detail.
NoOrdinaryRabbit@reddit
Microsoft never apologizes.