The email came from azure-noreply@microsoft[.]com. It passed SPF (Sender Policy Framework). It passed DKIM (DomainKeys Identified Mail). It passed DMARC (Domain-based Message Authentication, Reporting, and Conformance). The relay chain traced through outbound[.]protection[.]outlook[.]com, Microsoft's own email protection gateway. And buried inside this fully authenticated Azure notification was a fabricated billing alert demanding that the recipient call an unverified phone number to dispute a $459.90 charge.
This wasn't a spoofed header. It was Microsoft's own infrastructure, weaponized.
A mid-size U.S. professional services firm received what appeared to be a standard Azure monitoring alert. The subject line, "Azure: Activated Severity: 2 Your Payment Has Been Received," matched the formatting conventions that Azure uses for legitimate action group notifications.
The body was meticulously crafted. It included a transaction ID (PP456-887A-22B), a billing amount ($459.90 USD), a date, and a merchant descriptor labeled "Windows Defender." Embedded in the message were references to an Azure subscription and action group, complete with resource paths and "View in Azure portal" links pointing to portal[.]azure[.]com.
The only call to action: call +1 (812) 266-1890 or +1 (812) 266-1510 to verify the transaction immediately. Neither number appears on any official Microsoft support page.
This is callback phishing, also called TOAD (Telephone-Oriented Attack Delivery), a technique that intentionally avoids malicious links so that URL-based scanning has nothing to flag. The FBI's 2024 Internet Crime Report documented $2.7 billion in losses from phishing and BEC (Business Email Compromise) schemes, with vishing increasingly cited as a key escalation vector.
The authentication headers told a consistent story: the email was genuine Microsoft infrastructure.
| Check | Result |
|---|---|
| SPF | Pass (40[.]93[.]14[.]106 is an authorized Microsoft outbound server) |
| DKIM | Pass (microsoft[.]com) |
| DMARC | Pass (p=reject policy, composite authentication pass) |
| Relay | outbound[.]protection[.]outlook[.]com |

Every link in the email resolved to legitimate Microsoft-owned domains: portal[.]azure[.]com, azure[.]microsoft[.]com, go[.]microsoft[.]com, and Microsoft's social media pages. Even the unsubscribe endpoint used microsofticm[.]com, a known Microsoft notification management domain.
As MITRE ATT&CK documents under Spearphishing via Service (T1566.003), attackers increasingly exploit legitimate third-party services to deliver phishing payloads because security tools inherently trust the service's infrastructure. The technique extends to Masquerading (T1036.005) when attackers format messages to match authentic notification templates.
The structural implication: email authentication protocols verify who sent the email, not whether the content is safe. When the attacker IS the trusted sender, authentication becomes a liability. It doesn't just fail to detect the threat. It actively vouches for it.
What makes this campaign particularly dangerous is what's missing. There is no malicious URL. There is no weaponized attachment. The payload is a phone number.
Callback phishing sidesteps the entire detection model that Secure Email Gateways (SEGs) rely on. According to IRONSCALES research across 1,921 organizations, SEGs miss an average of 67.5 phishing emails per 100 mailboxes per month, and campaigns without links or attachments push that number higher because there's nothing for the scanner to evaluate.
The Verizon 2025 Data Breach Investigations Report found phishing in 36% of breaches involving external actors. But the delivery mechanisms are diversifying: CISA's 2025 guidance on evolving phishing techniques highlights callback and voice-channel attacks as a growing evasion method, precisely because they exploit the gap between what automated tools scan and what users actually do: pick up the phone.
When the phishing email comes from inside the trusted infrastructure, static rules don't help. This campaign was caught not by authentication or URL scanning, but by behavioral signals.
Themis, the IRONSCALES Adaptive AI virtual SOC analyst, flagged the message within minutes based on three converging indicators:
While azure-noreply@microsoft[.]com had sent to the organization before, this specific recipient, a senior stakeholder in the audit department, had never received mail from this address. That anomaly alone warranted scrutiny.

Four affected mailboxes were quarantined before any recipient engaged with the callback numbers.
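The behavioral triage described above, as an added example that is not IRONSCALES or Microsoft code: it parses a constructed copy of the alert, confirms that SPF, DKIM and DMARC all pass, and then scores the callback pattern (phone numbers plus a dispute lure, with only vendor-domain links for a URL scanner to look at) together with sender-to-recipient novelty against a constructed mail history. Domains in the sample are written un-defanged so the parsers work.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Constructed sample mimicking the authenticated Azure billing lure; the sender,
# phone numbers and transaction ID are the indicators quoted in the write-up.
SAMPLE_EMAIL = """\
From: azure-noreply@microsoft.com
To: audit-lead@example.com
Subject: Azure: Activated Severity: 2 Your Payment Has Been Received
Authentication-Results: spf=pass (sender IP is 40.93.14.106) smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com; dmarc=pass action=none header.from=microsoft.com
Content-Type: text/plain

Transaction ID: PP456-887A-22B  Amount: $459.90 USD  Merchant: Windows Defender
To dispute this charge call +1 (812) 266-1890 or +1 (812) 266-1510 immediately.
View in Azure portal: https://portal.azure.com/
"""

# Constructed history of (sender, recipient) pairs previously seen in the tenant.
SEEN_PAIRS = {("azure-noreply@microsoft.com", "cloud-ops@example.com")}
VENDOR_DOMAINS = ("microsoft.com", "azure.com")  # assumed allowlist of vendor hosts

PHONE_RE = re.compile(r"\+?1?\s*\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://[^\s>\"']+")
LURE_RE = re.compile(r"\b(call|dispute|charge)\b", re.I)

def auth_results(msg: Message) -> dict:
    """Map spf/dkim/dmarc to their result from the Authentication-Results header."""
    hdr = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}

def analyze(raw: str, seen_pairs: set) -> dict:
    """Score a message for the authenticated callback-phishing pattern."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    auth = auth_results(msg)
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    phones, urls = PHONE_RE.findall(body), URL_RE.findall(body)
    # Links, if any, point only at vendor domains, so URL reputation has nothing to flag.
    vendor_links_only = all(urlparse(u).hostname.endswith(VENDOR_DOMAINS) for u in urls)
    pair = (msg["From"].strip().lower(), msg["To"].strip().lower())
    novel = pair not in seen_pairs  # this sender never wrote to this recipient before
    callback = bool(phones) and LURE_RE.search(body) is not None and vendor_links_only
    # Authentication passing is not reassuring here: a trusted sender carrying a
    # callback lure is the signature of the abuse, so it adds to the score.
    score = 2 * int(callback) + int(novel) + int(authenticated and callback)
    return {"authenticated": authenticated, "phones": phones, "urls": urls,
            "novel_pair": novel, "callback_pattern": callback, "score": score}
```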
For security teams facing this category of threat, four actions matter:
| Type | Indicator | Context |
|---|---|---|
| Sender | azure-noreply@microsoft[.]com | Authenticated Microsoft sender (abused notification infrastructure) |
| Phone | +1 (812) 266-1890 | Unverified callback number (not Microsoft support) |
| Phone | +1 (812) 266-1510 | Unverified callback number (not Microsoft support) |
| IP | 40[.]93[.]14[.]106 | Microsoft outbound protection (legitimate infrastructure abused) |
| Azure Resource | /subscriptions/53afd058-.../actionGroups/ag-c7fc86e2d5 | Suspicious action group used to generate fraudulent alert |
| Transaction ID | PP456-887A-22B | Fabricated billing reference |