Threat Intelligence

Is that sender legit? The trusted senders attackers abuse.

You got an email from a name you trust (Microsoft, Adobe, PayPal). It passed every security check. You still aren't sure it's real. Start here. Look up the sender, learn how to verify it yourself, and see the exact addresses attackers abuse to reach your inbox.

We maintain this from the phishing our SOC investigates every day. When attackers start abusing a new trusted sender, it lands here. Bookmark it, or hand it to your team.

By IRONSCALES Threat Team  ·  Published June 2026  ·  Last updated June 6, 2026  ·  Indicators are defanged for safe handling

Check a sender

Look up an address or domain

A sender that is not listed simply has not been catalogued yet; verify it with the steps further down.

Spot the fake

Real address vs. lookalike

The single most useful tell, side by side. Green is the genuine sender. Red is the impersonation.

Legitimate — Datadog
no-reply@datadoghq.com
The real Datadog notification domain. Registered, authenticated, consistent.
Lookalike — malicious
alert@dtdg.co
A registered lookalike built to pass as Datadog at a glance. Authenticates on its own throwaway domain. Here, the sender is the tell.

The directory

Trusted senders attackers abuse

Keyed by brand. The genuine sender, what it's used for, the lookalikes attackers use, and a link to the teardown when one exists. Pipeline-fed, so it grows as new attacks are documented.

| Brand | Legitimate sender(s) | Used for | Lookalikes attackers use | Class | Teardown |
|---|---|---|---|---|---|
| Microsoft / Azure | azure-noreply@microsoft.com, apimgmt-noreply@mail.windowsazure.com, forms.cloud.microsoft | Azure alerts, API Management, Forms, Bookings. | azure-noreply@micros0ft.com. Real address abused from a compromised tenant (sender looks correct). | Infra abuse | |
| Adobe | message@adobe.com | Acrobat Sign signature requests, document notifications. | Genuine Adobe envelope carrying a malicious signature request; reply-to diverted. | Infra abuse | |
| DocSend / Dropbox | no-reply@docsend.com | Shared-document notifications. | Real DocSend share used as a clean first hop; redirect/reply-to diversion downstream. | Infra abuse | |
| Datadog | no-reply@datadoghq.com | Monitoring alerts, account notifications. | alert@dtdg.co. Lookalike domain impersonating the brand. | Lookalike | |
| PayPal | service@paypal.com | Transaction receipts, account notices. | service@paypa1.com. Homoglyph (number 1 for letter l). | Lookalike | Teardown pending |

Each entry pairs the legitimate list with an explicit "not from us" counterexample, the pattern Microsoft's own support page uses, and ranks for the literal "is this legit" query.

Why it passes

Authentication proves origin, not intent

A phishing email can pass SPF, DKIM, and DMARC. Below: real (defanged) headers from an abused, fully authenticated message. Every check is green, and it is still hostile.

Authentication-Results: spf=pass (sender IP is 40.107.x.x) smtp.mailfrom=microsoft.com;
 dkim=pass (signature was verified) header.d=microsoft.com;
 dmarc=pass action=none header.from=microsoft.com;
 compauth=pass reason=100
X-Forefront-Antispam-Report: ... SCL:-1 ...
From: "Azure Notifications" <azure-noreply@microsoft[.]com>
Reply-To: billing-verify@az-secure-portal[.]com    <-- the tell

Figure 1. Auth passes end to end because the mail really did originate from Microsoft. The diverted Reply-To is the behavioral signal, not the From line.

What this means: SPF/DKIM/DMARC answer "did this come from a server allowed to send for the domain." They do not answer "should you act on it." Reputation-based gateways trust the brand and pass it through. Detection has to read behavior, not the From header.

Field guide

How to verify any sender

A passing authentication check is not a green light. Work down this before you click, sign, pay, or log in.

  1. Did you initiate the action? An unexpected signature request, shared file, or form is the strongest signal, even from a real address.
  2. Check the reply-to, not just the from. Authenticated mail with a reply-to on a different, unfamiliar domain is a classic diversion.
  3. Resolve the link before you click. Hover and read where it actually lands.
  4. Inspect the domain for lookalikes. Watch for homoglyphs (micros0ft, paypa1) and shorthand domains (dtdg.co).
  5. Confirm out of band for anything high-stakes. Wire change, login prompt, credential reset: call a number you already have.
Reading raw headers: Gmail · Outlook · Apple Mail.
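
Steps 2 and 4 can be automated. The following is an added example, not IRONSCALES code, that runs the reply-to and lookalike checks over the Figure 1 headers. The LEGIT set is copied from the directory above; the two-label `org_domain` shortcut and the 0/1 homoglyph map are simplifying assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Legitimate sender domains copied from the directory on this page.
LEGIT = {"microsoft.com", "windowsazure.com", "adobe.com",
         "docsend.com", "datadoghq.com", "paypal.com"}
HOMOGLYPHS = str.maketrans("01", "ol")  # digit-for-letter swaps (micros0ft, paypa1)

# Constructed sample: the Figure 1 headers, still defanged.
FIGURE_1 = (
    "Authentication-Results: spf=pass (sender IP is 40.107.x.x) smtp.mailfrom=microsoft.com;\n"
    " dkim=pass (signature was verified) header.d=microsoft.com;\n"
    " dmarc=pass action=none header.from=microsoft.com; compauth=pass reason=100\n"
    'From: "Azure Notifications" <azure-noreply@microsoft[.]com>\n'
    "Reply-To: billing-verify@az-secure-portal[.]com\n\n"
)

def refang(text):
    """Undo the defanging used for safe handling (microsoft[.]com)."""
    return text.replace("[.]", ".")

def org_domain(addr_header):
    """Last two labels of the address's domain. Assumption: good enough for
    this sample; production code should use the Public Suffix List."""
    domain = parseaddr(addr_header)[1].rpartition("@")[2].lower()
    return ".".join(domain.split(".")[-2:])

def auth_verdicts(msg):
    """Map spf/dkim/dmarc to their results from Authentication-Results."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

def triage(raw):
    """Return (all_auth_passed, findings). Findings ignore the auth verdict on purpose."""
    msg = message_from_string(refang(raw))
    sender, findings = org_domain(msg.get("From", "")), []
    if sender not in LEGIT:
        normalized = sender.translate(HOMOGLYPHS)
        if normalized in LEGIT:
            findings.append(f"homoglyph lookalike of {normalized}")
        else:
            findings.append(f"sender domain {sender} not in directory")
    reply_to = msg.get("Reply-To")
    if reply_to and org_domain(reply_to) != sender:
        findings.append(f"reply-to diverted to {org_domain(reply_to)}")
    authed = all(auth_verdicts(msg).get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    return authed, findings

if __name__ == "__main__":
    print(triage(FIGURE_1))
```

A message that authenticates cleanly and still returns findings is the case this page describes: origin verified, behavior hostile.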

The evidence

Recent attack teardowns

Every directory entry traces to a forensic breakdown. Filter by what you're chasing.

Microsoft · Credential harvest · Infra abuse

Azure alert phishing delivered on Microsoft infrastructure

Fully authenticated alert from a compromised tenant. SCL -1. The link, not the sender, was the tell.

Datadog · Brand impersonation · Lookalike

Datadog lookalike domain, authenticated brand impersonation

dtdg.co authenticated on its own domain while wearing Datadog's brand.

Adobe · Signature lure · Infra abuse

Adobe infrastructure phishing from a genuine domain

Real message@adobe.com envelope, malicious signature request inside.

DocSend · Reply-to diversion · Infra abuse

DocSend reply-to diversion, law-firm impersonation

Genuine DocSend share as a clean first hop to a hostile destination.

FAQ

Frequently Asked Questions

Straight answers on the sender addresses people check most.

Is an email from azure-noreply@microsoft.com legit?

The address is real and Microsoft sends from it, so a passing authentication check tells you nothing about intent. Attackers abuse this exact sender to deliver alerts and login prompts from compromised tenants. Trust it only if you initiated the action it references, and never enter credentials from a link inside it.

Is apimgmt-noreply@mail.windowsazure.com a real Microsoft address?

Yes, it is genuine Azure API Management notification infrastructure. That also makes it a favored delivery channel for phishing, because the mail authenticates cleanly. Verify that you own or manage the Azure resource the message references before acting on it.

Is message@adobe.com a real Adobe email?

Yes. Adobe sends document and signature notifications from it. Attackers route malicious signature requests through the same genuine infrastructure, so confirm the sender of the underlying document out of band before you open or sign.

Is no-reply@docsend.com safe?

The DocSend notification itself is legitimate, but a real DocSend share can be used as a clean first hop to a malicious destination. Check the reply-to address and where the document link actually resolves before trusting it.

What is dtdg.co? Is it Datadog?

No. Datadog's real domain is datadoghq.com. dtdg.co is a lookalike domain built to impersonate the brand and pass authentication on its own infrastructure. Treat any login or alert from it as hostile.

Is forms.cloud.microsoft legit?

The domain is a genuine Microsoft Forms domain. A Microsoft Forms invitation you did not expect is still a common phishing vector, because attackers send real forms that ask for credentials. Do not enter your password into a form you reached from an unexpected email.

How IRONSCALES Fits

Behavior, not reputation.

IRONSCALES baselines every sender and relationship, so an authenticated message asking for something out of pattern gets caught on what it does, even when the domain checks out clean. Themis investigates and remediates in seconds.