This week: a critical LiteLLM AI gateway flaw exposes API keys, Scattered Spider faces legal action, and Vimeo's analytics breach highlights third-party risk.


For years, the enterprise security playbook assumed a familiar pattern: an attacker gets in, moves laterally, deploys ransomware, and demands payment. Detection tools were built around this model. Endpoint agents looked for suspicious processes. SIEMs hunted for malware signatures. Incident response teams trained for recovery after encryption. That playbook is now being rewritten.
A new class of destructive cyberattack is targeting organisations not for financial gain, but to cause maximum operational disruption. These attacks, increasingly linked to geopolitical conflict, use no malware, no ransomware, and no zero-days. Instead, they exploit something far more dangerous: legitimate administrative access to enterprise management platforms.
The result is an attack that your endpoint detection will never see coming.
Modern organisations rely on Mobile Device Management platforms — such as Microsoft Intune — to manage their entire device estate. These platforms are designed to let IT administrators push configurations, enforce compliance, and if needed, remotely wipe a device that is lost or stolen.
That last capability — remote wipe — is the weapon.
When a threat actor gains administrative access to an organisation's Intune environment, they do not need to deploy a single line of malicious code. They simply log in, select all enrolled devices, and issue a wipe command. In minutes, every enrolled laptop, phone, and tablet — across every country the organisation operates in — is factory reset.
No malware. No ransom note. Just an empty device fleet and a business that cannot function.
The entry point is almost always the same: a phishing attack that compromises a privileged admin credential. Once inside, the attacker moves through the identity layer — not the endpoint layer — which is precisely why traditional defences fail to catch it.
Nation-state aligned threat groups have significantly escalated this tactic in recent months. Organisations with business ties to conflict regions — whether through acquisitions, partnerships, supply chains, or customer relationships — are being deliberately selected. The targeting is geopolitical, not opportunistic.
No sector is immune. We have seen this threat materialise across manufacturing, healthcare, technology, financial services, and critical infrastructure. If your organisation uses a cloud-based MDM platform and your privileged admin accounts are not hardened, you are carrying risk right now.
This is the critical point that many security teams are missing.
A wipe command issued through Intune is indistinguishable from a legitimate IT action at the endpoint level. No process is spawned on the device. No file is written. No signature is triggered. Your EDR, your antivirus, your next-generation firewall — none of them will raise an alert.
The attack lives entirely in your cloud audit logs: Entra ID sign-in events, Intune audit trails, and Azure AD activity. If you are not monitoring these in real time, you will only discover the attack when your employees start calling to say their laptops are blank.
Detection for this class of threat requires a fundamental shift: from endpoint telemetry to identity and cloud activity monitoring.
Our team has compiled the following recommended controls specifically for organisations running Microsoft Intune.
1. Enable Privileged Identity Management (PIM) for the Intune Administrator Role
Remove all standing admin assignments immediately. No account should have persistent access to issue wipe commands. Implement just-in-time elevation through Entra ID PIM, requiring manager approval and a time-bound activation window of no more than four hours. This single control removes the most dangerous standing risk in most Intune environments.
Where: Entra ID → Privileged Identity Management → Roles → Intune Administrator

2. Enforce Phishing-Resistant MFA for All Admin Accounts
Standard MFA — including SMS and authenticator app push notifications — can be bypassed through phishing and adversary-in-the-middle attacks. All accounts with access to Intune, Entra ID, or the Azure portal must be required to use FIDO2 hardware security keys or Windows Hello for Business. Legacy authentication protocols must be blocked entirely.
Where: Entra ID → Conditional Access → Authentication strength → Require FIDO2

3. Restrict Admin Portal Access to Named Locations and Compliant Devices
Create a Conditional Access policy that blocks access to the Intune Admin Center and Azure portal unless the sign-in originates from a named IP range and a device that is itself enrolled and compliant in Intune. Any sign-in from outside these parameters should be hard-blocked — not stepped up — with no option to bypass.
Where: Entra ID → Conditional Access → Cloud apps: Microsoft Intune Admin Center

4. Enable Multi-Admin Approval for Wipe Actions
Microsoft Intune has a built-in multi-administrative approval feature that requires a second administrator to explicitly authorise destructive actions before they execute. This control means that even a fully compromised admin account cannot unilaterally wipe devices. Enable this for all wipe, retire, and factory reset operations immediately.
Where: Intune → Tenant administration → Multi Admin Approval → Create Wipe policy

5. Alert on Bulk Wipe Commands in Real Time
Configure a Microsoft Sentinel analytics rule that triggers an immediate alert when three or more wipe or retire actions are initiated by a single identity within any ten-minute window. This alert must be routed directly to your on-call SOC team — not just an email inbox. Speed of detection is the only variable that limits blast radius in this attack type.
Where: Microsoft Sentinel → Analytics rules → Intune Audit Logs via Diagnostic Settings

6. Enable Token Protection for Admin Sessions
Session token theft is a common post-phishing technique that allows attackers to bypass MFA entirely by replaying a stolen authentication token from a different device. Enabling Token Protection in Entra ID Conditional Access cryptographically binds tokens to the device on which they were issued, making stolen tokens worthless to an attacker on a different machine.
Where: Entra ID → Conditional Access → Session → Token protection (preview)

7. Shorten Admin Session Lifetime to One Hour
Set the sign-in frequency for the Intune Admin Center and Azure portal to one hour. This limits the window an attacker has to act with a stolen or hijacked session before forced re-authentication. Combined with Token Protection, this significantly reduces the value of any credential or session material that is stolen.
Where: Entra ID → Conditional Access → Session → Sign-in frequency: 1 hour

8. Scope RBAC Roles — Remove Global Admin from Device Management
Audit all role assignments in your Intune environment. Device management staff should hold the Intune Administrator role only — not Global Administrator. Additionally, inventory all Service Principals that hold the DeviceManagementManagedDevices.ReadWrite.All permission and remove any that are not explicitly required. Human accounts should not have programmatic wipe capability.
Where: Intune → Tenant administration → Roles → Review and audit all assignments

9. Use Selective Wipe for BYOD — Never Full Wipe as Default
For personally-owned devices enrolled in Intune, configure App Protection Policies to use selective wipe — removing only corporate data — rather than full device wipe. A full wipe on a personal device removes everything, including personal photos, banking applications, and authenticator apps that employees rely on for their own two-factor authentication. This not only causes significant personal harm but can cut employees off from the very tools they need to help with incident response.
Where: Intune → Apps → App protection policies → Selective wipe on BYOD

10. Ingest Intune and Entra Audit Logs into Your SIEM
Stream Intune audit logs and Entra ID sign-in logs to Microsoft Sentinel via Diagnostic Settings. Create detection rules for new Intune Administrator role assignments, PIM activations that occur outside of business hours, and Microsoft Graph API calls originating from unfamiliar service principals. This is your foundational visibility layer — without it, you are relying on Intune's native portal for detection, which provides no real-time alerting capability.
Where: Entra ID → Diagnostic settings → Log Analytics Workspace → Sentinel
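The bulk-wipe threshold from control 5 (three or more wipe or retire actions by one identity inside any ten-minute window) is straightforward to express as a sliding-window count, and the logic below, added here as an illustration rather than a Sentinel rule or any Microsoft-provided code, runs it over constructed audit records fed through the log pipeline from control 10. The field names and operation strings are assumptions for the example, not the live Intune audit log schema; a production rule would be written in KQL over the ingested table.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit records. Field names and operation strings are
# assumptions for this illustration, not the live Intune audit log schema.
SAMPLE_AUDIT_LOG = [
    {"time": "2024-05-01T09:00:00+00:00", "identity": "admin1@contoso.example", "operation": "Wipe ManagedDevice"},
    {"time": "2024-05-01T09:01:30+00:00", "identity": "helpdesk@contoso.example", "operation": "Sync ManagedDevice"},
    {"time": "2024-05-01T09:02:00+00:00", "identity": "admin1@contoso.example", "operation": "Retire ManagedDevice"},
    {"time": "2024-05-01T09:05:00+00:00", "identity": "admin1@contoso.example", "operation": "Wipe ManagedDevice"},
    {"time": "2024-05-01T09:06:00+00:00", "identity": "admin1@contoso.example", "operation": "Wipe ManagedDevice"},
    {"time": "2024-05-01T10:00:00+00:00", "identity": "helpdesk@contoso.example", "operation": "Wipe ManagedDevice"},
    {"time": "2024-05-01T10:04:00+00:00", "identity": "helpdesk@contoso.example", "operation": "Wipe ManagedDevice"},
    {"time": "2024-05-01T10:15:00+00:00", "identity": "helpdesk@contoso.example", "operation": "Wipe ManagedDevice"},
]

# Only these operations count towards the threshold; syncs and policy pushes do not.
DESTRUCTIVE_OPS = {"Wipe ManagedDevice", "Retire ManagedDevice"}


def detect_bulk_wipe(events, threshold=3, window=timedelta(minutes=10)):
    """Sliding-window detection: emit one alert per identity each time its count of
    wipe/retire actions inside any `window` first reaches `threshold`."""
    parsed = sorted(
        ((datetime.fromisoformat(e["time"]), e["identity"], e["operation"]) for e in events),
        key=lambda rec: rec[0],
    )
    recent = defaultdict(deque)  # identity -> timestamps still inside the window
    in_alert = set()             # identities already alerted for the current burst
    alerts = []
    for ts, identity, op in parsed:
        if op not in DESTRUCTIVE_OPS:
            continue
        q = recent[identity]
        q.append(ts)
        while ts - q[0] > window:  # evict actions older than the window (boundary inclusive)
            q.popleft()
        if len(q) >= threshold:
            if identity not in in_alert:
                in_alert.add(identity)
                alerts.append({"identity": identity, "count": len(q), "window_end": ts.isoformat()})
        else:
            in_alert.discard(identity)  # burst has ended; a later burst alerts again
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_wipe(SAMPLE_AUDIT_LOG):
        print(f"ALERT bulk wipe: {alert['identity']} issued {alert['count']} "
              f"destructive actions within 10 min, last at {alert['window_end']}")
```

On the sample data only admin1 trips the rule (three destructive actions between 09:00 and 09:05); the helpdesk identity's three wipes are spread over fifteen minutes and never share a window.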
If you take nothing else from this advisory, act on these three things before the end of the week:
First, check whether your Intune Administrator accounts have standing access. Log into Entra ID, open Privileged Identity Management, and look at your active role assignments. If any account shows as permanently assigned to the Intune Administrator or Global Administrator role, that is your most urgent risk.
Second, verify that phishing-resistant MFA is enforced — not just available — for all accounts that can access your Intune environment. Check your Conditional Access policies and confirm that FIDO2 or Windows Hello for Business is required, not optional.
Third, enable multi-admin approval for wipe actions in Intune today. This takes less than fifteen minutes to configure and immediately removes the ability of any single compromised account to wipe your entire device estate.
If you would like to understand your current exposure or need hands-on support implementing these controls, contact our team at info@smarttech247.com or reach out through our form.