Published: Apr 9, 2026 | 9 min read

When Your Management Plane Becomes the Attack Surface: Preventing Privileged Account Takeover and Destructive Abuse of Microsoft Intune

Mark Cravotta
Mark has been a leader in cybersecurity risk management and compliance frameworks (including NIST, SOC2, HIPAA, GDPR, CMMC). His expertise further extends to legal and cyber-insurance collaboration, including incident response, digital forensics, ransomware negotiations, and regulatory compliance. He is certified in cybersecurity frameworks, auditing, software quality, and cloud technologies.

A compromised admin account is all it takes to turn Microsoft Intune into a destructive weapon. This CoreView Threat Advisory article explains how a real-world wipe attack unfolded, and looks at how CoreView helps organizations harden tenant governance before adversaries turn legitimate tools into weapons.

Executive Summary

In March 2026, an Iran-linked threat group assessed by Palo Alto Networks Unit 42 as affiliated with Iran’s Ministry of Intelligence and Security (MOIS) executed a destructive operation against a Fortune 500 medical technology manufacturer. The attackers compromised a privileged Microsoft 365 administrator account, created a new Global Administrator identity, and weaponized Microsoft Intune’s built-in Remote Wipe capability to issue factory-reset commands against enrolled endpoints globally.

The result: tens of thousands of Windows workstations and mobile devices, including personal devices enrolled through the organization’s BYOD program, were erased simultaneously. No ransomware was deployed. No custom malware was required. Order processing, manufacturing, and shipping operations were disrupted across 79 countries, with downstream impacts reported at hospitals dependent on the company’s surgical equipment and supply chains.

This incident is a textbook example of a privileged account takeover combined with Living-off-the-Land (LOTL) techniques at the cloud management plane. The adversary did not need to develop novel tooling; they leveraged the organization’s own trusted administrative infrastructure to achieve destructive effect. In the days following the attack, CISA, in coordination with the FBI and Microsoft, issued formal hardening guidance urging all U.S. organizations to strengthen their endpoint management configurations immediately.

CoreView exists to close the governance gaps that made this attack possible. This advisory details the attack’s mechanics, identifies the specific control failures the adversary exploited, and explains how CoreView’s continuous governance and visibility capabilities help organizations prevent privileged account takeover from escalating to tenant-wide destruction.

Incident Analysis: Anatomy of a Privileged Account Takeover

Attack Classification

Security researchers and incident responders classify this class of operation using the following terminology:

  • Attack Type: Privileged Account Takeover → Destructive Wiper Operation
  • Technique: Living-off-the-Land (LOTL) via Cloud Management Plane Abuse
  • Threat Actor Profile: Iran-linked MOIS-affiliated threat group; confirmed by Check Point Research and Palo Alto Networks Unit 42
  • MITRE ATT&CK: T1078 (Valid Accounts), T1098 (Account Manipulation), T1485 (Data Destruction), T1569 (System Services)
  • Target Surface: Microsoft 365 tenant, specifically the Microsoft Intune management plane
  • Impact: Mass device wipe across tens of thousands of endpoints in 79 countries; operational disruption to manufacturing, ordering, and shipping; downstream hospital supply-chain impact
  • Investigation: Microsoft Detection and Response Team (DART) with support from Palo Alto Networks Unit 42; CISA and FBI coordination

Attack Sequence

Based on public reporting from multiple security researchers and news outlets, the attack followed this progression:

  • Initial Access: The adversary compromised an administrator account with Intune management privileges. The exact initial access vector remains under investigation; researchers assess the most likely methods include adversary-in-the-middle (AiTM) phishing, credential theft via infostealer malware, or exploitation of supply-chain access to IT service providers.
  • Privilege Escalation and Persistence: After gaining access to the compromised admin account, the attacker created a new Global Administrator account within Microsoft Entra ID (formerly Azure AD), establishing persistent, unrestricted administrative control over the tenant.
  • Pre-Positioning: Evidence suggests the attackers maintained access and conducted reconnaissance before executing the destructive phase. Threat actor branding appeared on device screens prior to the wipe, confirming the adversary had established control before triggering destruction.
  • Execution (Destructive Phase): In the early morning hours UTC, the attacker used Intune’s built-in Remote Wipe functionality to issue factory-reset commands to all enrolled endpoints simultaneously. Every command was, from the platform’s perspective, a legitimate administrative action. The destructive phase was executed over a period of approximately three hours.
  • Impact: Enrolled Windows laptops, mobile devices, and personal BYOD phones were erased. Employees lost not only corporate data but also personal content, authenticator apps, and eSIM configurations. Electronic ordering systems for the attacked organization’s medical devices went offline, forcing manual order placement and disrupting hospital supply chains worldwide.

Why Traditional Security Tools Failed

This attack is significant precisely because it generated no traditional indicators of compromise:

  • No Malware Deployed: The affected organization confirmed no ransomware or malware was present. Endpoint detection and response (EDR) tools had no malicious payload to identify.
  • Legitimate APIs, Legitimate Commands: The wipe instructions traversed Intune’s standard management channel. From the perspective of enrolled devices, a trusted cloud service (Intune) was communicating with trusted agents (managed endpoints) using authenticated, authorized commands.
  • Authenticated Administrative Session: The adversary operated under a valid Global Administrator identity. Signature-based detection, allowlisting, and behavioral baselines for endpoint activity would not have flagged these operations.

As one industry analyst noted: this was not an inherent weakness in Microsoft Intune; it was an exploitation of the trust model that organizations place in their management plane, executed through classic living-off-the-land methodology.

Root Cause: Tenant Governance Failures the Adversary Exploited

This incident was not caused by a software vulnerability. It was caused by the convergence of multiple governance and configuration gaps that gave a single compromised credential the ability to execute tenant-wide destruction. These gaps are common across enterprises and represent the primary attack surface CoreView is designed to address.

1. Standing Privileged Access Without Just-in-Time Controls

Accounts with Global Administrator, Intune Administrator, and other high-impact roles held permanent (standing) privileges rather than being governed through Privileged Identity Management (PIM) with time-limited, approval-gated elevation. This meant a single compromised credential immediately granted the adversary full administrative capability; no additional approval or escalation step was required.

2. Absence of Phishing-Resistant Multi-Factor Authentication for Privileged Roles

Privileged accounts were not protected by phishing-resistant MFA methods such as FIDO2 security keys, Windows Hello for Business, or certificate-based authentication. Standard MFA methods (SMS, push notifications, and TOTP time-based one-time passwords) are susceptible to AiTM phishing proxies and real-time session hijacking, a technique Iran-affiliated threat actors are known to employ.

3. No Multi-Admin Approval for Destructive Actions

Microsoft Intune supports Multi-Admin Approval (MAA), which requires a second administrator to approve high-impact operations before execution. If MAA had been enabled for remote wipe commands, the attacker would have needed to compromise two separate administrative accounts and coordinate real-time approval. This would have presented a significantly higher operational bar.

4. Endpoint Management Plane Not Treated as Tier 0 Infrastructure

The Intune administrative surface was not governed with the same rigor applied to domain controllers, PKI infrastructure, or identity providers. Yet its blast radius (the ability to simultaneously wipe, reconfigure, or deploy software to every enrolled endpoint) is at least as large. CISA’s subsequent advisory explicitly calls on organizations to treat endpoint management platforms as critical infrastructure.

5. Insufficient Monitoring of High-Impact Administrative Actions

Bulk wipe commands, new Global Administrator account creation, and mass policy modifications were not subject to real-time detection, alerting, or automated response. Real-time detection would have surfaced the activity earlier, potentially in time to interrupt it.

How CoreView Prevents Privileged Account Takeover from Becoming a Destructive Event

CoreView provides the continuous governance, visibility, and enforcement layer that sits between your Microsoft 365 tenant configuration and an adversary’s ability to exploit it. The controls below directly address every governance failure identified in this incident.

1. Expose and Right-Size Privileged Access Across the Tenant

This attack succeeded because a single compromised credential landed on an account with unrestricted administrative authority. CoreView gives security teams a complete, actionable inventory of every privileged identity across Microsoft 365 and Intune. This means you can eliminate standing over-privilege before an adversary can exploit it.

With CoreView, you can:

  • Enumerate every account with the ability to issue Intune remote wipe commands, modify device compliance policies, or alter Conditional Access rules across all tenants and business units.
  • Identify where standing admin rights persist on Global Administrator, Intune Administrator, Help Desk Operator, and other high-impact roles that should be governed through PIM.
  • Flag privileged accounts that are not enrolled in PIM, lack phishing-resistant MFA, or are exempt from Conditional Access policies.
  • Enforce least privilege and role separation systematically, reducing the probability that a compromised credential provides immediate destructive capability.

2. Verify That PIM and Phishing-Resistant MFA Are Continuously Enforced

Many organizations have PIM and strong MFA configured in policy but cannot verify consistent enforcement across every privileged role, every tenant, and every business unit. CoreView closes the gap between policy intent and operational reality.

CoreView enables you to:

  • Audit exactly which admin roles are governed by PIM and which are operating with standing exceptions.
  • Identify privileged accounts, admin roles, and high-impact identities that should be evaluated for phishing-resistant MFA coverage (FIDO2, Windows Hello for Business, certificate-based authentication).
  • Baseline and track changes to Conditional Access policies over time, so deviations from your intended configuration don’t go undetected.
  • Track remediation progress over time and provide evidence of continuous enforcement to auditors, boards, and regulators.

3. Continuously Monitor High-Impact Administrative Actions

In this incident, destructive Intune commands were executed as if they were routine IT operations for approximately three hours. CoreView makes those actions visible, urgent, and actionable.

CoreView provides:

  • Tracking of remote wipe commands, bulk device actions, and mass policy deployments.
  • Monitoring of changes to Intune configuration profiles, application deployments, compliance policies, and scripts with a historical record of what changed and when.
  • Detection of high-risk modifications in Entra ID, including new Global Administrator account creation, Conditional Access policy changes, and privileged role assignments, that could signal an adversary pre-positioning for destructive action.
  • Automated alerts and workflow triggers when high-risk administrative activity occurs, enabling your security operations team to intervene before the blast radius expands.
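The two signals called out in root-cause item 5 and in the monitoring list above, a new Global Administrator assignment followed by a burst of remote wipe commands from one actor, can be written as simple detection rules run over audit events. The block below is an added example, not CoreView’s or Microsoft’s code; the event schema and the sample events are constructed and simplified, not the real Entra ID or Intune audit log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED_ROLES = {"Global Administrator", "Intune Administrator"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def _ev(time, actor, operation, target, role=None):
    return {"time": time, "actor": actor, "operation": operation,
            "target": target, "role": role}

# Constructed sample events in a simplified schema (NOT the real Entra ID or
# Intune audit log format). A compromised admin grants a new account Global
# Administrator; hours later that account issues twelve wipes 20 s apart.
_BURST_START = datetime(2026, 3, 15, 4, 0, 0)
EVENTS = [
    _ev("2026-03-15T01:02:10Z", "it.admin@corp.example", "Add member to role",
        "svc-backup@corp.example", "Global Administrator"),
    _ev("2026-03-15T01:30:00Z", "helpdesk@corp.example", "Wipe", "LAPTOP-0007"),
] + [
    _ev((_BURST_START + timedelta(seconds=20 * i)).strftime(TIME_FMT),
        "svc-backup@corp.example", "Wipe", f"LAPTOP-{100 + i:04d}")
    for i in range(12)
]

def detect_privileged_role_grants(events, watched_roles=WATCHED_ROLES):
    """Every grant of a watched role is an alert: the pre-positioning signal."""
    return [{"rule": "privileged-role-grant", "time": e["time"],
             "actor": e["actor"], "target": e["target"], "role": e["role"]}
            for e in events
            if e["operation"] == "Add member to role" and e["role"] in watched_roles]

def detect_bulk_wipes(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per actor when more than `threshold` wipes fall inside a
    sliding time window. A single help-desk wipe never reaches the threshold."""
    recent = defaultdict(deque)            # actor -> wipe timestamps in window
    alerted, alerts = set(), []
    for e in sorted(events, key=lambda e: e["time"]):   # ISO-8601 sorts as text
        if e["operation"] != "Wipe":
            continue
        t = datetime.strptime(e["time"], TIME_FMT)
        q = recent[e["actor"]]
        q.append(t)
        while t - q[0] > window:           # drop wipes older than the window
            q.popleft()
        if len(q) > threshold and e["actor"] not in alerted:
            alerted.add(e["actor"])
            alerts.append({"rule": "bulk-wipe", "time": e["time"],
                           "actor": e["actor"], "count": len(q)})
    return alerts

def run_detections(events):
    """Run both rules; a wipe burst from a freshly granted admin is critical."""
    grants = detect_privileged_role_grants(events)
    new_admins = {g["target"] for g in grants}
    wipes = detect_bulk_wipes(events)
    for a in wipes:
        a["severity"] = "critical" if a["actor"] in new_admins else "high"
    return grants + wipes
```

On the constructed sample, the role grant fires immediately and the wipe burst fires at the sixth wipe, about 100 seconds into a phase that in the real incident ran for roughly three hours.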

4. Detect and Reduce Configuration Risk Across the Tenant

This incident was catastrophic because multiple misconfigurations and governance gaps aligned simultaneously. CoreView helps you identify and remediate these structural weaknesses before an adversary chains them together into an attack path.

CoreView surfaces:

  • Over-privileged accounts and misaligned role assignments that expand the blast radius of a compromised credential.
  • Inconsistent or missing PIM, MFA, and Conditional Access enforcement across business units, tenants, and geographies.
  • Risky or nonstandard Intune and Microsoft 365 configurations that deviate from CISA hardening guidance, Microsoft’s best practices, and your own security baselines.
  • Configuration drift over time, so governance does not erode silently between audits.

5. Demonstrate That Your Tenant Is Governed Like Critical Infrastructure

In the wake of this incident, CISA explicitly urged organizations to treat endpoint management platforms as critical infrastructure. Boards, auditors, regulators, and cyber insurers increasingly expect evidence that Microsoft 365 and Intune are subject to the same governance rigor as domain controllers and identity providers.

CoreView helps you:

  • Demonstrate who can do what, where, and under what conditions across your entire Microsoft 365 estate.
  • Provide auditable evidence that destructive capabilities (remote wipe, mass deployment, RBAC modification) are governed by least privilege, PIM, and multi-admin approval.
  • Document continuous monitoring and governance of the administrative layer, not just point-in-time audit snapshots.

Alignment with CISA and Microsoft Hardening Guidance

In March 2026, CISA issued formal guidance urging all U.S. organizations to harden their endpoint management system configurations. The advisory was developed in coordination with the FBI, Microsoft, and the affected organization. CoreView’s capabilities map directly to CISA’s three core recommendations:

Least-Privilege Administration
  • CISA guidance: Assign minimum permissions via Intune RBAC; use scope tags to segment access by role and business unit.
  • CoreView capability: Complete privileged role inventory; identification of existing over-privilege; enforcement tracking for PIM enrollment and RBAC alignment; zero trust M365 administration.

Phishing-Resistant MFA and Privileged Access Hygiene
  • CISA guidance: Enforce phishing-resistant MFA for all privileged roles; configure Conditional Access to block access from untrusted contexts.
  • CoreView capability: Continuous audit of MFA method strength per privileged account; detection of Conditional Access changes; remediation tracking.

Multi-Admin Approval for Destructive Actions
  • CISA guidance: Require a second administrator’s approval for high-impact actions including device wipes, script deployments, RBAC changes, and configuration modifications.
  • CoreView capability: Monitoring of high-impact admin actions in near real time; alerting on bulk destructive operations; governance reporting for MAA policy coverage.

The Broader Threat Landscape: Why This Will Happen Again

This incident is not an isolated event. It reflects an escalating pattern in which state-sponsored and hacktivist threat actors deliberately target cloud management planes as force multipliers for destructive operations:

  • Palo Alto Networks Unit 42 has warned of an increased tempo of wiper attacks and data destruction operations linked to Iran-affiliated threat groups, including campaigns targeting IT service providers as a supply-chain entry point to reach downstream victims.
  • CISA’s advisory explicitly states the agency is “aware of malicious cyber activity targeting endpoint management systems of U.S. organizations,” signaling that this is not a single-victim problem.
  • Microsoft has accelerated rollout of Multi-Admin Approval controls and mandatory MFA for administrative sign-ins to Azure Portal, Entra Admin Center, and Intune Admin Center. This reflects recognition that management plane abuse is now a primary adversary technique.
  • CrowdStrike’s threat intelligence reports that over 60% of detected intrusions now leverage living-off-the-land techniques, with cloud management tool abuse representing a growing segment of that activity.

Any organization managing endpoints through Microsoft Intune or any cloud-based endpoint management platform should assume that this attack model will be attempted against them. The question is whether your governance posture will stop a compromised credential from becoming a tenant-wide catastrophe.

What This Means for Your Organization

You cannot remove powerful administrative capabilities from Microsoft 365 and Intune; they exist because organizations need them. What you can control is who can exercise those capabilities, under what conditions, and how quickly you will know when they are misused.

This incident demonstrates what happens when those controls are absent. A single compromised credential, combined with standing administrative privilege and insufficient monitoring, gave an adversary the ability to wipe tens of thousands of devices across a global enterprise using nothing more than the organization’s own management tools.

CoreView makes the decisions that prevent this outcome visible, enforceable, and auditable, so a privileged account takeover stays a detection event rather than a global operational disruption.

Stop adversaries from weaponizing your Microsoft 365 tenant.
Book a CoreView Demo or request a Microsoft 365 security posture assessment to identify where your tenant is exposed and how to close the gaps before someone else exploits them.
Sources and References
  1. CISA, “CISA Urges Endpoint Management System Hardening After Cyberattack Against US Organization,” March 18, 2026
  2. Microsoft, “Best practices for securing Microsoft Intune,” March 14, 2026
  3. Palo Alto Networks Unit 42, Void Manticore / Handala threat intelligence reporting, March 2026
  4. Check Point Research, Handala attribution and threat analysis, March 2026
  5. CISA, FBI joint coordination on endpoint management system threat activity, March 2026
  6. CrowdStrike, 2025 Global Threat Report — Living-off-the-Land technique prevalence data
  7. Microsoft, Secure Future Initiative — mandatory MFA and Multi-Admin Approval expansion, 2026
