You’ve been told for years to watch for the obvious signs. Bad grammar, a sender address that’s off by a letter, a link that doesn’t go where it claims. Train the staff to spot those and the firm is covered.
That advice is getting harder to follow, because the people running these scams have stopped making those mistakes.
Here’s one making the rounds. An email arrives saying there’s a billing problem on an account. Suspicious charges, an invoice nobody recognizes, maybe a note that the account has been suspended. It comes from a real Microsoft domain. The firm’s email security doesn’t flag it. And it’s a scam.
How a fake alert comes from a real Microsoft
The tool being abused is Azure Monitor. If your firm runs anything in Microsoft’s cloud, it’s the service that watches your systems and emails you when something needs attention. Billing events, errors, performance issues. Getting a notification from it is routine, which is the whole reason this works.
The catch is that anyone can set up an alert in Azure Monitor, and whoever sets it up also writes the message that goes out. So an attacker creates an alert tied to some easily triggered condition, types a fake billing warning into the description field, points it at a mailing list they control, and triggers it. The email that lands in the inbox is sent through Microsoft’s own system. It isn’t spoofed. It isn’t pretending to be Microsoft. It’s using Microsoft to deliver the message.
That’s the part that matters. Email filters decide what’s safe partly by checking who sent it, and a message genuinely sent from a trusted Microsoft domain clears that check without a fight. BleepingComputer, which documented the campaign, found these alerts landing straight in inboxes. TechRadar Pro reported on it in March 2026.
Think of a phone call from someone who says they’re with your bank and then reads off your real account number to prove it. The detail that’s supposed to confirm they’re legitimate is the thing the scam is built on.
Why this one is aimed at your firm, not just anyone
Look at what the email asks you to do. It doesn’t push you to click a link or enter a password, the moves your filters are tuned to catch. It tells you to call a phone number to sort out the problem. That’s a callback phishing attack, and the phone is where the damage happens. Someone picks up, sounds official, and walks the caller toward handing over account credentials, payment details, or remote access to a machine.
That request lands on a specific desk at a firm. A billing alert about charges or a suspended account is exactly the kind of thing your firm administrator or your bookkeeper is paid to handle, and handle quickly. They’re supposed to act on it. An attacker who dresses the bait up as a finance problem is aiming straight at the people whose job is to make finance problems go away.
Now consider who that person is at most firms. Often it’s the same person who touches the IOLTA trust account. Compromise the credentials or the banking access of the staffer who manages client funds, and you’ve moved from a nuisance email to the highest-stakes failure a practice can have. A wire that leaves the trust account is not a productivity problem. It’s a malpractice problem, a State Bar problem, and a very hard conversation with a client about money that was supposed to be untouchable.
The confidentiality exposure rides alongside it. The duty to protect client information, rooted in Business and Professions Code section 6068(e) and the duty of technological competence the State Bar reads into Rule 1.1, doesn’t pause because the attacker used a clever delivery method. If callback phishing gets someone into your email or your systems, the client data in there is exposed regardless of how convincing the email looked.
This is also a method we’ve seen before. The same trick ran through PayPal, and through Google’s tools, before it showed up in Azure Monitor. Take a service people already trust, use it as the delivery truck, and let the trust do the work. The platform changes. The play doesn’t.
What to do about it
The fix is a habit, not a sharper eye for typos. When an alert pushes someone to act fast, especially to call a number, the rule is to stop and verify it somewhere other than the email. Open the Azure account in a browser and check for the alert there. If a charge or a suspension is real, it shows up inside the account. If it isn’t in the portal, it isn’t real, no matter how official the email looks.
Make that the firm’s rule and be specific about it: nobody calls a number from an alert email. They go to the source and confirm first. Put it in front of the people most likely to see these messages, which means your administrator, your bookkeeper, and anyone with access to firm banking or the trust account.
This works because it doesn’t depend on anyone spotting the fake. The whole point of the attack is that the email looks real, comes from a real domain, and clears the filter. You can’t out-squint it. You can refuse to act on any alert until it’s confirmed at the source, which costs about a minute and closes the door.
So, back to the eyeball test we opened with. The warning sign used to be a clumsy email. Now the warning sign is the email that looks perfect and wants someone on your staff to call right now. If you’re not confident the people handling your firm’s money would pause on one of these, that’s the gap worth closing. We help firms put the verification habit in place and tighten how these alerts reach the inbox, and it’s far less work to do now than after a fraudulent wire or a trust account loss forces the issue.