When remote wipe becomes a weapon: stopping Intune mass destruction
Remote wipe is a legitimate Intune feature. In the wrong hands it is a destruction button at fleet scale. Here is how to recognize it and halt it mid-incident.
Remote wipe exists to protect lost or reprovisioned devices. An attacker with Intune administrative rights can turn that same capability into endpoint sabotage at the scale of your whole fleet.
How the attack works
The actor holds Intune device-action rights and issues a flurry of remote wipe and retire commands against hundreds of enrolled devices in a short window. As each targeted device checks in it executes the action: a wipe restores it to factory settings, a retire strips company data and management, and either way the device goes dark. The goal is not theft but destruction: wiped laptops halt work and erase anything that lived only on the local disk. The tell is the pattern, not any single command: one admin identity issuing hundreds of wipes off-hours, with no change ticket, against devices in active use. In ATT&CK terms this is Data Destruction (T1485) carried out through Valid Accounts (T1078).
Why it works
Wipe and retire are ordinary device actions, so each command looks legitimate in isolation. By default there is no approval gate on bulk device actions, so one privileged identity can fire destruction faster than a human can respond, and a 2 a.m. burst slips past anyone watching only for routine activity.
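The pattern described above (one actor, many wipe or retire actions, compressed into minutes, outside business hours) is what a detection should key on rather than any single command. The following is an added example written for this page, not GraphLattice's or Microsoft's code. It runs over audit events shaped like the Microsoft Graph `deviceManagement/auditEvents` resource (`displayName`, `activityDateTime`, `actor.userPrincipalName`, `resources[].resourceId`); the sample events are constructed inline, the exact `displayName` strings such as `wipe ManagedDevice` are an assumption, and the business-hours window and alert threshold are illustrative values you would tune to your tenant.

```python
"""Flag bursts of Intune wipe/retire actions by a single actor.

Added example for this page, not vendor code. Event shape follows Graph
deviceManagement/auditEvents; the displayName verbs are an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Verbs in auditEvent.displayName that destroy or unmanage a device.
# Assumption: Intune records the action as "<verb> ManagedDevice".
DESTRUCTIVE_VERBS = ("wipe", "retire")


def parse_time(s):
    """Parse a Graph ISO 8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_destructive(event):
    name = (event.get("displayName") or "").lower()
    return any(name.startswith(verb) for verb in DESTRUCTIVE_VERBS)


def is_off_hours(ts, business_start=7, business_end=19):
    """Weekend, or outside the business-hours window (assumed local time)."""
    return ts.weekday() >= 5 or not (business_start <= ts.hour < business_end)


def find_wipe_bursts(events, threshold=20, window=timedelta(minutes=15)):
    """Return one alert per actor who hit at least `threshold` distinct devices
    with destructive actions inside any sliding `window`."""
    per_actor = defaultdict(list)
    for ev in events:
        if not is_destructive(ev):
            continue
        actor = ev["actor"]["userPrincipalName"]
        device = ev["resources"][0]["resourceId"]
        per_actor[actor].append((parse_time(ev["activityDateTime"]), device, ev["displayName"]))

    alerts = []
    for actor, acts in per_actor.items():
        acts.sort(key=lambda a: a[0])
        best, left = None, 0
        for right in range(len(acts)):
            # Slide the left edge forward until the window fits.
            while acts[right][0] - acts[left][0] > window:
                left += 1
            span = acts[left:right + 1]
            devices = {d for _, d, _ in span}
            if len(devices) >= threshold and (best is None or len(devices) > best["device_count"]):
                best = {
                    "actor": actor,
                    "device_count": len(devices),
                    "first": span[0][0],
                    "last": span[-1][0],
                    "off_hours": is_off_hours(span[0][0]),
                    "actions": sorted({n for _, _, n in span}),
                }
        if best:
            alerts.append(best)
    return alerts


def make_event(actor, verb, device_id, ts):
    """Constructed audit event in the shape of Graph deviceManagement/auditEvents."""
    return {
        "displayName": f"{verb} ManagedDevice",
        "activityOperationType": "Action",
        "activityResult": "Success",
        "activityDateTime": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "actor": {"userPrincipalName": actor, "applicationDisplayName": "Microsoft Intune portal extension"},
        "resources": [{"displayName": device_id, "resourceId": device_id}],
    }


def constructed_sample():
    """Constructed sample: a Sunday 02:00 burst of 40 wipes plus routine weekday activity."""
    base = datetime(2024, 3, 10, 2, 0, tzinfo=timezone.utc)  # Sunday
    events = [make_event("it-admin@contoso.example", "wipe", f"dev-{i:03d}", base + timedelta(seconds=14 * i))
              for i in range(40)]
    day = datetime(2024, 3, 11, 14, 5, tzinfo=timezone.utc)  # Monday afternoon
    events.append(make_event("helpdesk@contoso.example", "retire", "dev-lost-1", day))
    events.append(make_event("helpdesk@contoso.example", "wipe", "dev-lost-2", day + timedelta(hours=1)))
    events.append(make_event("helpdesk@contoso.example", "syncDevice", "dev-200", day))  # non-destructive noise
    return events


if __name__ == "__main__":
    for alert in find_wipe_bursts(constructed_sample()):
        print(f"{alert['actor']}: {alert['device_count']} devices {alert['first']:%H:%M}-{alert['last']:%H:%M} "
              f"off_hours={alert['off_hours']} actions={alert['actions']}")
```

The sliding window counts distinct devices rather than raw events, so a retry storm against one device does not trip it, and the helpdesk's two daytime actions never reach the threshold. In production you would feed it the audit export (or the Graph response page by page) and raise the alert to the responder who holds the kill switch described in the next section.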
How to fix it
Treat an in-progress mass wipe as an active fire, not a ticket. Revoke the actor's device-action rights immediately and require approval for any further bulk device actions; that cuts the actor off at the source before more wipes are queued. Do not spend those first minutes interviewing the admin or asking users to power off, since neither outruns commands that execute the moment a device checks in. Recovery is the hard part, because a wipe has no undo: reprovision endpoints through Windows Autopilot and restore user data from backup. The quality of that recovery is fixed before the incident by your backup coverage and Autopilot readiness, so build both now.
Practice it
We built this as a GraphLattice Range scenario so responders can rehearse spotting the destruction pattern, cutting the actor, and recovering from a wipe that cannot be reversed.