
Microsoft Entra Identity
Microsoft's cloud identity platform whose Enterprise App scopes were abused by UNC5221 for mail access without deploying malware.
Last refreshed: 17 April 2026 · Appears in 1 active topic
Can Chinese hackers access your Microsoft emails without any malware on your computer?
Timeline for Microsoft Entra Identity
BRICKSTORM dwell hits 393 days, Mandiant
Cybersecurity: Threats and DefencesHow did BRICKSTORM hackers access Microsoft email accounts without any malware?
What is Microsoft Entra and how is it different from Active Directory?
Background
Microsoft Entra Identity (formerly Azure Active Directory) was abused by UNC5221 during BRICKSTORM intrusions via legitimate Enterprise App registrations with `mail.read` or `full_access_as_app` permission scopes, enabling persistent mail access without deploying endpoint malware. The technique exploits the standard OAuth consent workflow: a malicious Enterprise App with appropriate scopes is indistinguishable from a legitimate business application until the permissions are audited.
Entra ID is Microsoft's cloud-based identity and access management service, providing authentication, authorisation and single sign-on for Microsoft 365 and third-party applications. Enterprise App registrations allow applications to request delegated or application-level permissions to Microsoft Graph APIs, including mail access. BRICKSTORM's abuse of this mechanism leaves no malware on endpoints; the only artefact is an Enterprise App registration in the tenant's Entra ID portal.
For Microsoft 365 administrators and identity engineers, the BRICKSTORM Entra abuse is the reference case for why Enterprise App permission audits must be a standing security control rather than a one-time review. An app with `full_access_as_app` scope on Exchange Online can read every user's mailbox; without a recurring consent-grant review, a UNC5221-style intrusion can persist at the mail-access layer indefinitely after the initial access vector is closed.