1 change: 1 addition & 0 deletions src/SUMMARY.md
@@ -463,6 +463,7 @@
- [Az - OAuth Apps Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md)
- [Az - Storage Unauth](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-storage-unauth.md)
- [Az - VMs Unauth](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unauth.md)
- [Az - Monitor Alert Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-monitor-alert-phishing.md)
- [Az - Device Code Authentication Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)
- [Az - Password Spraying](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md)
- [Az - Services](pentesting-cloud/azure-security/az-services/README.md)
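Review bot: the new entry's target path, `pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-monitor-alert-phishing.md`, needs to be checked against where the added file actually lives, because this page shows the new file only as a `@@ -0,0 +1,62 @@` hunk with no file header, and a SUMMARY.md entry whose path does not match the file leaves a dead chapter in the sidebar. The placement itself is consistent: it sits beside the other phishing pages (`Az - OAuth Apps Phishing`, `Az - Device Code Authentication Phishing`), and the new page's relative link `./az-oauth-apps-phishing.md` only resolves if it is in that same directory, so the two must agree.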
Binary file added src/images/azure_alert_phishing.png
@@ -0,0 +1,62 @@
# Az - Monitor Alert Phishing

{{#include ../../../banners/hacktricks-training.md}}

## Monitor Alert Phishing

It is currently[^disclosure] possible to bypass the Azure Monitoring Action Group notification that a user has been added to a monitoring group, allowing an attacker to send emails to arbitrary addresses with partially custom monitoring messages and titles from `azure-monitor@microsoft.com`, complete with full DMARC validation.

[^disclosure]: This was reported to Microsoft on 3/17/2026. They may or may not have resolved it by the time you read this.

To perform this attack, you need an Azure subscription and a list of targets.

### Setup
#### Entra ID
For each user you want to target, create an Entra ID user in your tenant. You can leave all the settings default and use anything as the username.
The only setting that matters is the `Email` property under `Contact Information`. Set this to the actual target email address.

Once you've created your user(s), assign them `Monitoring Reader` on the ***SUBSCRIPTION***.

Now, wait 24 hours for the permissions to propagate[^slow]. In practice, it seems to only take a couple hours, but Microsoft gonna Microsoft.

[^slow]: [Yes, it is actually that slow](https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager)

#### Azure Monitor Action Group
The `Name` and `Display Name` will be visible to the victim, so choose something appropriate.
If you know the name of an Action Group that the victim is subscribed to, that may be a good choice.

Set the notification type to `Email Azure Resource Manager`, and the target to `Monitoring Reader`. Don't enable the `Common Alert Schema`.
While the attack will still "work" if you do, the customizable fields are hidden deeper in, and more context is included in the front of the email, potentially making it a bit less convincing.


#### Azure Monitor Alert Rule
This is where the most important customization happens!

The name will be included in the subject of the emails, and near the top of the email. This is another place that cloning an existing alert may be useful.
The description will be where you want to put your "payload". It's not possible to change the formatting around this, but you can fully customize the content, for example with an [OAuth App Phish](./az-oauth-apps-phishing.md) link.
<!-- At the moment, I'm not sure if it's possible to stuff a hyperlink in there. Further research needed. -->

Finally, set the trigger condition to something that you can control when it will trigger. An example might be `ServiceApiHit` scoped to a specific resource.

If you're still waiting for the Entra Role assignments to propagate, consider disabling the rule until your ready to avoid emails going out multiple times if the rule is accidentally triggered.

### Execution

Simply trigger whatever metric you used. If you used `ServiceApiHit` with a keyvault resource and a threshold of "greater than zero", you could use
`az keyvault show --name $VAULT` to cause the alert to trigger.

Depending on how you configured your Alert Rule, you may want to disable the Action Group while the Alert Rule is still in an Alert state to avoid a second email being sent when the alert is "Resolved".

<figure><img src="../../../images/azure_alert_phishing.png"><figcaption>An in-the-wild example of an attacker exploiting this.</figcaption></figure>
<!-- Be smarter than these guys -->


### OPSEC Considerations
It's not possible to hide certain identifying information with this attack.
Notably, this includes your subscription ID, which can be reversed into your tenant ID, tenant domains, ect.
If you're using your own Azure account for this, make sure it's one your OK with being flagged if Microsoft catches on.

## References
- [https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager](https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager)

{{#include ../../../banners/hacktricks-training.md}}
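Review bot: the opening paragraph under `## Monitor Alert Phishing` claims the attack "bypass[es] the Azure Monitoring Action Group notification that a user has been added", but nothing in the Setup section says why that happens; the steps themselves show the mechanism (the Entra user's `Email` contact property is set to the target address, and the action group's `Email Azure Resource Manager` action delivers to members of `Monitoring Reader` by that attribute), so state it plainly in the first section: recipients are resolved from an attacker-controlled Entra attribute rather than from an address the recipient ever confirmed, which is what turns a legitimate `azure-monitor@microsoft.com` sender with valid DMARC into a phishing channel. A few smaller points in the same hunk: under `#### Azure Monitor Alert Rule`, "until your ready" should read "until you're ready"; under `### OPSEC Considerations`, "ect." should be "etc." and "your OK" should be "you're OK"; the two HTML comments (`<!-- At the moment, I'm not sure if it's possible to stuff a hyperlink in there ... -->` and `<!-- Be smarter than these guys -->`) are author notes that should either be removed or turned into visible text, since the hyperlink question is exactly what a reader of the "payload" paragraph will ask. Under `### Execution`, the advice to disable the Action Group to avoid the "Resolved" email is fragile (it races the alert state); metric alert rules expose an "Automatically resolve alerts" option at creation time, and turning that off avoids the second notification without touching the action group, so mention it as the cleaner option. Finally, since the OPSEC section already notes that the subscription ID cannot be hidden, a short defender-facing sentence would round out the page: DMARC and sender checks will pass by design, so the only reliable tell for a recipient is that the subscription and resource IDs in the body do not belong to their own tenant.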