
Microsoft Entra Identity

Microsoft's cloud identity platform whose Enterprise App scopes were abused by UNC5221 for mail access without deploying malware.

Last refreshed: 17 April 2026

Key Question

Can Chinese hackers access your Microsoft emails without any malware on your computer?

Timeline for Microsoft Entra Identity

1. 17 Apr: BRICKSTORM dwell hits 393 days, Mandiant (topic: Cybersecurity: Threats and Defences)
Common Questions

Q: How did BRICKSTORM hackers access Microsoft email accounts without any malware?
A: UNC5221 registered malicious Enterprise Applications in victims' Microsoft Entra ID (formerly Azure AD) tenants with mail.read or full_access_as_app Graph API scopes, giving persistent mailbox access without deploying endpoint malware. The technique leaves only an app registration in the Entra portal.
Source: Mandiant M-Trends 2026

Q: What is Microsoft Entra and how is it different from Active Directory?
A: Microsoft Entra Identity (formerly Azure Active Directory) is Microsoft's cloud identity and access management service, providing authentication and SSO for Microsoft 365 and third-party apps. Unlike on-premises Active Directory, it manages cloud and hybrid identity with OAuth-based application permissions.

Background

Microsoft Entra Identity (formerly Azure Active Directory) was abused by UNC5221 during BRICKSTORM intrusions via legitimate Enterprise App registrations with `mail.read` or `full_access_as_app` permission scopes, enabling persistent mail access without deploying endpoint malware. The technique exploits the standard OAuth consent workflow: a malicious Enterprise App with appropriate scopes is indistinguishable from a legitimate business application until the permissions are audited.

Entra ID is Microsoft's cloud-based identity and access management service, providing authentication, authorisation and single sign-on for Microsoft 365 and third-party applications. Enterprise App registrations allow applications to request delegated or application-level permissions to Microsoft Graph APIs, including mail access. BRICKSTORM's abuse of this mechanism leaves no malware on endpoints; the only artefact is an Enterprise App registration in the tenant's Entra ID portal.

For Microsoft 365 administrators and identity engineers, the BRICKSTORM Entra abuse is the reference case for why Enterprise App permission audits must be a standing security control rather than a one-time review. An app with `full_access_as_app` scope on Exchange Online can read every user's mailbox; without a recurring consent-grant review, a UNC5221-style intrusion can persist at the mail-access layer indefinitely after the initial access vector is closed.
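The recurring consent-grant review described above can be scripted against the objects Microsoft Graph exposes for each Enterprise App: application permissions appear as appRoleAssignments (referenced by appRoleId, which must be resolved against the resource API's published appRoles) and delegated permissions appear as oauth2PermissionGrants (a space-separated scope string, with consentType AllPrincipals meaning an admin consented on behalf of every user). The following is an added example written for this page, not code from Mandiant or Microsoft; it runs offline on constructed sample data, the GUID-style role IDs and app names are placeholders, and the exported-JSON shape is assumed to match what a Graph export would produce. It flags any app holding a mail-access permission (mail.read, full_access_as_app and similar) on either path, and also flags assignments whose appRoleId cannot be resolved, since an unresolvable grant is itself something a reviewer should look at.

```python
"""Offline audit of Entra ID Enterprise App grants for mail-access scopes.

Added example for this page (not Mandiant's or Microsoft's code). The
data below is constructed; role IDs and app names are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass

# Permission values that expose mailbox contents. Matched case-insensitively
# so the page's spelling (mail.read) and Graph's (Mail.Read) both hit.
MAIL_ACCESS_SCOPES = {
    "mail.read", "mail.readwrite", "mail.send",
    "full_access_as_app",  # Exchange Online: every mailbox, no signed-in user
}

# Constructed: appRoles published by two resource APIs, keyed by the resource
# service principal id (real tenants: GET /servicePrincipals/{id}?$select=appRoles).
RESOURCE_APP_ROLES = {
    "res-graph": [
        {"id": "role-0001", "value": "Mail.Read", "displayName": "Read mail in all mailboxes"},
        {"id": "role-0002", "value": "User.Read.All", "displayName": "Read all users' full profiles"},
    ],
    "res-exo": [
        {"id": "role-0003", "value": "full_access_as_app",
         "displayName": "Use Exchange Web Services with full access to all mailboxes"},
    ],
}

# Constructed: three Enterprise Apps (service principals) and their grants.
SERVICE_PRINCIPALS = [
    {"id": "sp-hr-sync", "displayName": "HR Directory Sync",
     "appRoleAssignments": [{"appRoleId": "role-0002", "resourceId": "res-graph",
                             "resourceDisplayName": "Microsoft Graph",
                             "createdDateTime": "2025-03-02T10:00:00Z"}],
     "oauth2PermissionGrants": []},
    {"id": "sp-mail-backup", "displayName": "Mailbox Backup Connector",
     "appRoleAssignments": [{"appRoleId": "role-0003", "resourceId": "res-exo",
                             "resourceDisplayName": "Office 365 Exchange Online",
                             "createdDateTime": "2025-11-18T03:41:00Z"}],
     "oauth2PermissionGrants": []},
    {"id": "sp-helper", "displayName": "Calendar Helper",
     "appRoleAssignments": [{"appRoleId": "role-9999", "resourceId": "res-graph",
                             "resourceDisplayName": "Microsoft Graph",
                             "createdDateTime": "2026-01-05T22:10:00Z"}],
     "oauth2PermissionGrants": [{"consentType": "AllPrincipals",
                                 "scope": "User.Read Mail.Read",
                                 "resourceId": "res-graph"}]},
]


@dataclass(frozen=True)
class Finding:
    app: str
    permission: str
    kind: str       # "application" (no user context) or "delegated"
    resource: str
    granted: str    # createdDateTime for app roles, consentType for delegated


def resolve_app_role(resource_id: str, app_role_id: str) -> str | None:
    """Map an appRoleId to its permission value via the resource's appRoles."""
    for role in RESOURCE_APP_ROLES.get(resource_id, []):
        if role["id"] == app_role_id:
            return role["value"]
    return None


def audit_mail_grants(service_principals, resource_app_roles, risky_scopes) -> list[Finding]:
    """Return one Finding per mail-access grant (or unresolvable app role)."""
    risky = {s.lower() for s in risky_scopes}
    findings: list[Finding] = []
    for sp in service_principals:
        name = sp["displayName"]
        for a in sp.get("appRoleAssignments", []):
            value = resolve_app_role(a["resourceId"], a["appRoleId"])
            if value is None:
                # A role that no known resource publishes still needs a reviewer's eyes.
                findings.append(Finding(name, f"unresolved appRoleId {a['appRoleId']}",
                                        "application", a.get("resourceDisplayName", a["resourceId"]),
                                        a.get("createdDateTime", "")))
            elif value.lower() in risky:
                findings.append(Finding(name, value, "application",
                                        a.get("resourceDisplayName", a["resourceId"]),
                                        a.get("createdDateTime", "")))
        for g in sp.get("oauth2PermissionGrants", []):
            for scope in g.get("scope", "").split():
                if scope.lower() in risky:
                    findings.append(Finding(name, scope, "delegated",
                                            g.get("resourceId", ""), g.get("consentType", "")))
    return findings


if __name__ == "__main__":
    for f in audit_mail_grants(SERVICE_PRINCIPALS, RESOURCE_APP_ROLES, MAIL_ACCESS_SCOPES):
        print(f"{f.app:28} {f.kind:12} {f.permission:32} {f.resource} ({f.granted})")
```

On the constructed data the audit reports the backup connector's full_access_as_app application permission, the delegated Mail.Read that was admin-consented for all users, and the unresolvable role ID on the helper app, while the HR app's User.Read.All is left alone. Treating the list of mail-access scopes as data rather than hard-coding one permission is what lets the same review cover Graph and Exchange Online scopes in one pass.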