Iran-linked group Void Manticore is exploiting administrative access via Microsoft Intune to delete servers and workstations.

In early March 2026, Israel’s National Cyber Directorate reported a wave of coordinated intrusions against Israeli organizations. Attackers had obtained credentials from legitimate corporate users and used them to gain access to internal networks, subsequently deleting servers and workstations. The stated objective was not data theft but operational disruption. The same pattern has been observed in incidents affecting organizations in the United States.

The group behind these operations is tracked under several names — Handala Hack, Void Manticore, COBALT MYSTIQUE, and Storm-1084/Storm-0842. It first appeared in late 2023 with messaging that suggested a hacktivist orientation. Threat intelligence analysts now assess it to be a state-directed front for Iran’s Ministry of Intelligence and Security (MOIS). The group’s primary access method involves phishing campaigns targeting identity credentials, followed by exploitation of Microsoft Intune to execute mass wipe commands across enrolled devices.

Palo Alto Networks Unit 42, which is monitoring the escalation, has published a threat brief characterizing the risk as active and ongoing. The underlying vulnerability is not a software flaw but an architectural one: organizations that grant standing administrative privileges expose themselves to immediate, large-scale damage the moment those credentials are compromised.

Standing Privileges as the Central Attack Surface

Administrative accounts that carry permanent, always-on permissions are among the greatest risk factors in identity-based attacks. Once an attacker obtains such credentials, whether through phishing, session token theft, or credential stuffing, they can act with full administrative authority immediately: no further approval or verification step stands between the stolen credential and a destructive action.

The recommended countermeasure is a just-in-time (JIT) access model. Under this approach, accounts hold no standing privileged role by default. Administrators are made eligible for a role and must activate it through a formal, time-limited and logged process before they can use it. Microsoft’s Entra Privileged Identity Management (PIM), which requires an Entra ID P2 or Governance license, provides a native mechanism for this within the Microsoft 365 and Azure ecosystem: activation requires multi-factor authentication and, for high-risk roles, manual approval, so an attacker who steals an eligible account’s credentials still has to pass those checks before gaining any Intune authority. For organizations operating hybrid or multi-cloud environments, vaulting administrative credentials in a dedicated privileged access management solution adds an additional layer of isolation, ensuring that Intune credentials never reside on a potentially compromised endpoint.

Hardening Entra ID and Constraining Wipe Authority

The number of Global Administrator and Intune Administrator accounts should be reduced to the minimum required for operations. Where possible, device management staff should be assigned the specific Intune Administrator role rather than the broader Global Administrator designation, and role assignments should be reviewed regularly so that dormant eligibility is removed. Administrative accounts should be cloud-native, not synchronized from on-premises Active Directory: a compromised domain-joined machine or on-premises directory then cannot be used as a stepping stone into the tenant’s privileged roles.

Microsoft’s multi-administrator approval (MAA) feature in Intune addresses the specific risk of wiper commands being issued by a single compromised account. When an access policy covering device actions is enabled, high-impact operations such as a mass device wipe require a second administrator, distinct from the requester, to review and authorize the request before execution. MAA protects only the resource types named in a configured access policy, so the policy must explicitly include device actions for this control to apply to wipes. Restricting wipe capabilities to designated emergency-access accounts, excluded from standard conditional access policies but protected by phishing-resistant hardware-based authentication and monitored with high-severity alerts on every sign-in, further narrows the attack surface. The conditional access exclusion makes those accounts especially valuable to an attacker, which is why the compensating monitoring is not optional.

Session and token security round out this layer of defense. Shortening the sign-in frequency for administrative portals to under one hour through conditional access, and disabling persistent browser sessions for privileged roles, reduces the window of opportunity for stolen session tokens. Microsoft’s Token Protection feature, currently in preview for Entra ID, cryptographically binds sign-in session tokens to the device from which they were issued, so a token replayed from another machine is rejected. In its preview form it covers only Windows devices and a limited set of Microsoft applications, so it complements, rather than replaces, short session lifetimes and device-compliance requirements in conditional access.

Detection, Response, and Recovery

Defensive architecture alone is insufficient without corresponding detection capability. Intune audit logs, particularly RemoteWipe and FactoryReset events, should be exported through Intune’s diagnostic settings and ingested into a SIEM or XDR platform in near real time. Automated responses should be configured so that an administrator account which crosses a mass-wipe threshold within a defined time window is immediately disabled and its sessions revoked. Sign-in anomalies, such as an administrator connecting from an unusual country or from outside approved network ranges, warrant immediate investigation.
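As an added illustration of the detection logic described above (example code, not from the original article or from Microsoft), the following Python runs a sliding-window mass-wipe rule and an approved-country/network check over constructed Intune audit and Entra sign-in records. Field names loosely follow the Graph deviceManagement/auditEvents and auditLogs/signIns resources; the activity-type strings, thresholds, account names and every record are assumptions made for the example.

```python
"""Mass-wipe and anomalous-sign-in detection over Intune/Entra audit data.

Added example, not code from the original article or from Microsoft.
Record shapes loosely follow Graph deviceManagement/auditEvents and
auditLogs/signIns; activity-type strings, thresholds and all sample
records are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Activity types treated as destructive. Assumed names: confirm against
# what your tenant actually emits before deploying this rule.
WIPE_ACTIVITIES = {"Wipe ManagedDevice", "Retire ManagedDevice"}


def _wipe(ts, actor, device):
    """Build one constructed wipe audit event."""
    return {"activityDateTime": ts, "activityType": "Wipe ManagedDevice",
            "actor": {"userPrincipalName": actor},
            "resources": [{"displayName": device}]}


# Constructed sample: ops-admin wipes five devices in under three minutes;
# helpdesk performs one routine wipe and an unrelated configuration change.
SAMPLE_EVENTS = [
    _wipe("2026-03-02T08:30:00Z", "helpdesk@contoso.example", "LAPTOP-0112"),
    {"activityDateTime": "2026-03-02T08:45:00Z",
     "activityType": "Create DeviceConfiguration",
     "actor": {"userPrincipalName": "helpdesk@contoso.example"},
     "resources": [{"displayName": "Baseline-Win11"}]},
    _wipe("2026-03-02T09:00:10Z", "ops-admin@contoso.example", "SRV-FILE01"),
    _wipe("2026-03-02T09:00:45Z", "ops-admin@contoso.example", "SRV-FILE02"),
    _wipe("2026-03-02T09:01:30Z", "ops-admin@contoso.example", "WS-FIN-07"),
    _wipe("2026-03-02T09:02:05Z", "ops-admin@contoso.example", "WS-FIN-08"),
    _wipe("2026-03-02T09:03:00Z", "ops-admin@contoso.example", "SRV-APP03"),
]

# Constructed sign-ins (RFC 5737 documentation addresses).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "helpdesk@contoso.example", "ipAddress": "192.0.2.14",
     "location": {"countryOrRegion": "DE"}},
    {"userPrincipalName": "ops-admin@contoso.example", "ipAddress": "198.51.100.23",
     "location": {"countryOrRegion": "US"}},
]


def parse_time(value):
    """Parse the ISO 8601 'Z' timestamps Graph emits into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_mass_wipe(events, threshold=3, window=timedelta(minutes=10)):
    """One alert per actor whose wipe count inside any sliding `window`
    reaches `threshold`; the alert reports that actor's densest window."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev.get("activityType") in WIPE_ACTIVITIES:  # ignore non-destructive ops
            by_actor[ev["actor"]["userPrincipalName"]].append(
                (parse_time(ev["activityDateTime"]), ev))

    alerts = []
    for actor, items in by_actor.items():
        items.sort(key=lambda item: item[0])
        best, start = None, 0
        for end, (ts, _) in enumerate(items):
            while ts - items[start][0] > window:  # slide window start forward
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best:
            count, s, e = best
            alerts.append({
                "actor": actor, "count": count,
                "window_start": items[s][0].isoformat(),
                "window_end": items[e][0].isoformat(),
                "devices": [ev["resources"][0]["displayName"] for _, ev in items[s:e + 1]],
            })
    return alerts


def accounts_to_lock(alerts):
    """Accounts an automated response should disable and revoke sessions for."""
    return {a["actor"] for a in alerts}


def anomalous_signins(signins, allowed_countries, allowed_networks):
    """Flag sign-ins from outside the approved countries or CIDR ranges."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    flagged = []
    for s in signins:
        reasons = []
        country = s["location"]["countryOrRegion"]
        if country not in allowed_countries:
            reasons.append(f"country {country} not approved")
        ip = ipaddress.ip_address(s["ipAddress"])
        if not any(ip in n for n in nets):
            reasons.append(f"source {ip} outside approved ranges")
        if reasons:
            flagged.append({"user": s["userPrincipalName"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    alerts = detect_mass_wipe(SAMPLE_EVENTS)
    for a in alerts:
        print(f"MASS WIPE: {a['actor']} wiped {a['count']} devices "
              f"{a['window_start']} .. {a['window_end']}: {a['devices']}")
    print("Lock and revoke:", accounts_to_lock(alerts))
    for hit in anomalous_signins(SAMPLE_SIGNINS, {"DE"}, ["10.0.0.0/8", "192.0.2.0/24"]):
        print("ANOMALOUS SIGN-IN:", hit)
```

In production the same rule is normally expressed as a SIEM query over the exported Intune audit table and the lock step is wired to disabling the account and revoking its refresh tokens; the threshold of three wipes in ten minutes is deliberately low here and should be tuned against the tenant’s normal helpdesk volume.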

Data governance and protection programs address a parallel concern. Sensitive data should be discovered, classified, and labeled, enabling granular access controls and persistent encryption regardless of where data resides. Data loss prevention technologies can alert on and block abnormal outbound data flows from storage accounts, which may indicate exfiltration preceding a destructive operation.

Given that Handala’s objective is disruption rather than financial extortion, recovery capability is as important as prevention. Offline, immutable backups — air-gapped from the production environment — may be the only reliable path to restoration if a wiper attack succeeds. Organizations that rely solely on cloud-connected backup services risk losing those copies alongside primary data if an attacker retains administrative access during the attack window.

The Human Factor

Technical controls are undercut when users and administrators are not equipped to recognize the methods that enable initial access. Handala’s operations depend on phishing as the entry point. Regular phishing simulations, targeted cybersecurity training for staff, and tabletop exercises that model a destructive actor scenario — rather than a ransomware negotiation — help prepare organizations for the specific threat pattern in question. Incident response plans should include a documented procedure for mass device wipe events, with clear escalation paths and pre-authorized response actions.

The pattern emerging from these incidents reflects a broader shift in Iranian cyber operations: from espionage and data theft toward operations designed to deny organizations the use of their own infrastructure. For security teams, the implication is that protective measures need to account not just for exfiltration scenarios, but for the scenario in which an adversary — holding valid credentials — attempts to erase as much as possible before being detected.

By Jakob Jung

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM. Contact via Mail: jakob.jung@security-storage-und-channel-germany.de
