
Summary
This ES rule detects callback phishing emails delivered via Azure Monitor alerts, using Microsoft 365 Exchange Online Message Trace data as its source. Attackers abuse Azure Monitor alert rules to send phishing notifications from the legitimate azure-noreply@microsoft.com address: the lure is embedded in the alert's description, and the victims are added to an action group so that a notification email is delivered to them when the alert fires. Because the sender is a Microsoft-owned address, SPF, DKIM, and DMARC checks all pass, which increases the message's apparent trustworthiness and bypasses basic email defenses.

The detection looks for messages from azure-noreply@microsoft.com whose subject contains "Azure Monitor alert" together with at least one financial or billing cue (e.g., invoice, payment, order, billing, receipt). Hits are correlated with recipient analysis and with the typical campaign pattern of paired "Fired" and "Resolved" notifications; an earlier "You're now in the X action group" message to the same recipient indicates that an external subscription added them to its action group.

MITRE ATT&CK mapping: T1566.003 (Spearphishing via Service) under Initial Access.

For incident triage, examine the email subjects, recipients, and headers (which identify the originating Azure subscription), and search for multiple related messages within a short window.

False positives: legitimate Azure Monitor alerts that use financial terms in their names. Document exceptions for known internal subscriptions.

Remediation: block the sender/subject pattern at the gateway, quarantine affected mailboxes, reset compromised credentials if the lure succeeded, and report the subscription and headers to Microsoft abuse. Consider mail-flow rules that flag Azure Monitor emails containing phone numbers or financial language in the body.
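The detection and triage logic described above, written out as an added Python example that is not the rule's own query. It runs over constructed Message Trace records (hypothetical data; the "Fired:"/"Resolved:" subject prefixes and the field names are assumptions), flags sender + "Azure Monitor alert" + financial cue, and for each hit records the Fired/Resolved pattern and whether an action-group enrolment message reached the same recipient within a one-hour window.

```python
import re
from datetime import datetime, timedelta

# Detection criteria from the rule description above.
SENDER = "azure-noreply@microsoft.com"
FINANCIAL_CUE_RE = re.compile(r"\b(invoice|payment|order|billing|receipt)\b", re.I)  # \b: no hit on "border"
ACTION_GROUP_RE = re.compile(r"you.re now in the .+ action group", re.I)

# Constructed Message Trace records (hypothetical, not real telemetry); subject formats are assumed.
SAMPLE_TRACE = [
    {"sender": SENDER, "recipient": "alice@example.com", "received": "2026-03-23T10:00:00",
     "subject": "You're now in the Billing-Alerts action group"},
    {"sender": SENDER, "recipient": "alice@example.com", "received": "2026-03-23T10:05:00",
     "subject": "Fired: Azure Monitor alert Invoice #4421 - payment pending, contact support"},
    {"sender": SENDER, "recipient": "alice@example.com", "received": "2026-03-23T10:20:00",
     "subject": "Resolved: Azure Monitor alert Invoice #4421 - payment pending, contact support"},
    {"sender": SENDER, "recipient": "ops@example.com", "received": "2026-03-23T11:00:00",
     "subject": "Fired: Azure Monitor alert CPU high on vm-prod-01"},  # legitimate alert, no cue
    {"sender": "noreply@vendor.example", "recipient": "bob@example.com",
     "received": "2026-03-23T12:00:00", "subject": "Your invoice is ready"},  # cue, wrong sender
]


def is_suspicious_alert(msg):
    """Core rule logic: Microsoft sender + 'Azure Monitor alert' subject + a financial/billing cue."""
    subject = msg["subject"]
    return (msg["sender"].lower() == SENDER
            and "azure monitor alert" in subject.lower()
            and FINANCIAL_CUE_RE.search(subject) is not None)


def triage(trace, window=timedelta(hours=1)):
    """Per-recipient hits with Fired/Resolved counts and any action-group enrolment mail within `window`."""
    findings = {}
    for msg in trace:
        if not is_suspicious_alert(msg):
            continue
        ts = datetime.fromisoformat(msg["received"])
        f = findings.setdefault(msg["recipient"], {"subjects": [], "fired": 0,
                                                   "resolved": 0, "action_group_invite": False})
        f["subjects"].append(msg["subject"])
        state = msg["subject"].split(":", 1)[0].strip().lower()  # "Fired" / "Resolved" prefix (assumed)
        if state in ("fired", "resolved"):
            f[state] += 1
        for other in trace:  # the earlier "You're now in the X action group" message, if any
            if (other["sender"].lower() == SENDER and other["recipient"] == msg["recipient"]
                    and ACTION_GROUP_RE.search(other["subject"])
                    and abs(datetime.fromisoformat(other["received"]) - ts) <= window):
                f["action_group_invite"] = True
    return findings
```

Known internal subscriptions that legitimately use financial terms in alert names would be handled by an allowlist applied before `is_suspicious_alert`, keyed on whatever subscription identifier the headers expose.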
Categories
- Cloud
Data Sources
- Cloud Service
ATT&CK Techniques
- T1566
- T1566.003
Created: 2026-03-23