A China-nexus espionage cluster tracked as UNC5221 is conducting targeted intrusions against Microsoft 365 environments. The campaign is notable for its use of the Brickstorm backdoor (which the source reporting describes as the actors' access mechanism) and for the deployment of two previously undocumented malware families, Plenet and AgentPSD.
For defenders the important point is the objective: long-term, quiet persistence in sensitive networks rather than a smash-and-grab. Any organization that relies on Microsoft 365 for email or collaboration is a potential target. Audit your environment for the indicators below and lock down identity configurations (credentials, OAuth consents, mailbox permissions and inbox rules) so that a Brickstorm-style foothold cannot be turned into durable tenant access.
Technical Analysis
Affected Platforms:
- Microsoft 365 (Exchange Online, Entra ID)
- Hybrid environments leveraging on-premises Exchange connectivity
Threat Actors:
- UNC5221 (Chinese-linked espionage group)
Attack Chain & Mechanics:
- Initial Access (Brickstorm): The attackers use Brickstorm to gain and retain unauthorized access to Microsoft 365 environments. While details are still emerging, the reported pattern is abuse of valid credentials or tenant misconfigurations to establish a foothold. Note that stolen valid credentials satisfy, rather than bypass, standard authentication controls, which is why this stage is hard to spot in sign-in logs alone and why token and consent review matters as much as password hygiene.
- Persistence & Payload Delivery: Once access is established, UNC5221 deploys Plenet and AgentPSD.
  - Plenet: A previously undocumented malware family, likely functioning as a backdoor or downloader that maintains communication with C2 infrastructure.
  - AgentPSD: A novel tool, likely used for defense evasion, data staging, or lateral movement within the compromised environment.
- Objective: Espionage. By maintaining persistent access through these tools, the actors can exfiltrate sensitive data and monitor communications over extended periods without detection.
Exploitation Status:
- Confirmed Active Exploitation: UNC5221 is currently leveraging these tools in the wild against high-value targets.
Detection & Response
To detect active compromises by UNC5221 involving Plenet and AgentPSD, implement the following detection logic.
Sigma Rules
---
title: UNC5221 Malware Execution - Plenet or AgentPSD
id: 8a2b1c90-5d6e-4f3a-9b1c-2d3e4f5a6b7c
status: experimental
description: Detects process creation where the image path or the command line carries the Plenet or AgentPSD family names. Name-based matching only; extend with hashes or paths from vendor reporting as they become available. The two selections are OR'd so a renamed binary still fires on a command line that references the original name.
references:
  - https://www.bleepingcomputer.com/news/security/chinese-apt-deploys-new-malware-to-keep-access-to-hacked-networks/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.persistence
logsource:
  category: process_creation
  product: windows
detection:
  selection_image:
    Image|contains:
      - 'plenet'
      - 'agentpsd'
  selection_cmdline:
    CommandLine|contains:
      - 'plenet'
      - 'agentpsd'
  condition: 1 of selection_*
falsepositives:
  - Legitimate software with similar names (unlikely)
level: critical
---
title: UNC5221 File Creation - Plenet or AgentPSD Artifacts
id: 9b3c2d01-6e7f-5a4b-0c2d-3e4f5a6b7c8d
status: experimental
description: Detects files written to disk whose names carry the Plenet or AgentPSD family names (Sysmon Event ID 11 or equivalent). Any path is in scope; user-writable locations such as AppData\Local\Temp are where droppers commonly stage, so they must not be filtered out.
references:
  - https://www.bleepingcomputer.com/news/security/chinese-apt-deploys-new-malware-to-keep-access-to-hacked-networks/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.persistence
  - attack.execution
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - 'plenet'
      - 'agentpsd'
  condition: selection
falsepositives:
  - Unknown
level: high
---
title: Suspicious PowerShell - Brickstorm Access Pattern
id: 0c4d3e12-7f80-6b5c-1d3e-4f5a6b7c8d9e
status: experimental
description: Detects Exchange management cmdlets on the endpoint command line that grant mailbox access, assign management roles, or create or change inbox rules. These are the identity-layer persistence actions associated with Brickstorm-style access in M365. The rule only sees cmdlets typed on a monitored Windows host; the same cmdlets run against Exchange Online from elsewhere appear only in the Unified Audit Log.
references:
  - https://www.bleepingcomputer.com/news/security/chinese-apt-deploys-new-malware-to-keep-access-to-hacked-networks/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.persistence
  - attack.t1098
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'New-ManagementRoleAssignment'
      - 'Add-MailboxPermission'
      - 'New-InboxRule'
      - 'Set-InboxRule'
  condition: selection
falsepositives:
  - Administrative Exchange management; baseline known admin hosts and accounts
level: medium
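The third rule only fires when the cmdlets are launched on a Windows host with process-creation logging. When an actor with stolen credentials runs them directly against Exchange Online from any machine, the only record is the Exchange Online Unified Audit Log. The following is an added example, not code from the original advisory or from the source report, that hunts the audit log for the same operations. It assumes the ExchangeOnlineManagement module and an account with the View-Only Audit Logs role; the lookback window, the known-admin allow-list and the inclusion of Set-Mailbox (to catch ForwardingSmtpAddress changes, which the Sigma rule above does not cover) are this example's own choices.

```powershell
# Added example: hunt the Unified Audit Log for mailbox-access and rule-manipulation
# cmdlets, whether or not they were typed on a monitored endpoint.
#Requires -Modules ExchangeOnlineManagement

function Find-SuspiciousExchangeAdminOps {
    param(
        [int]$LookbackDays = 30,
        # Accounts expected to run these cmdlets; anything else is flagged (assumption: tune locally)
        [string[]]$KnownAdmins = @()
    )
    $ops = @(
        'New-ManagementRoleAssignment',
        'Add-MailboxPermission',
        'New-InboxRule',
        'Set-InboxRule',
        'Set-Mailbox'   # goes beyond the Sigma rule: covers ForwardingSmtpAddress changes
    )
    $start     = (Get-Date).AddDays(-$LookbackDays)
    $end       = Get-Date
    $sessionId = "unc5221-hunt-$([guid]::NewGuid())"
    $results   = @()

    # ReturnLargeSet pages 5000 records per call under one SessionId until exhausted
    do {
        $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                    -Operations $ops -ResultSize 5000 `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet
        if ($batch) { $results += $batch }
    } while (@($batch).Count -eq 5000)

    # Paged results can overlap; Identity is unique per record
    foreach ($rec in ($results | Sort-Object Identity -Unique)) {
        $data = $rec.AuditData | ConvertFrom-Json
        # Exchange admin audit records carry the cmdlet parameters as Name/Value pairs
        $params = ($data.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        $fromUnknownActor = $KnownAdmins -notcontains $data.UserId
        # Parameters that create forwarding, deletion, or broad access are the ones to chase
        $riskyParams = $params -match 'ForwardTo|ForwardAsAttachmentTo|RedirectTo|ForwardingSmtpAddress|DeleteMessage|FullAccess|ApplicationImpersonation'
        [pscustomobject]@{
            When       = $rec.CreationDate
            Actor      = $data.UserId
            ClientIP   = $data.ClientIP
            Operation  = $data.Operation
            Parameters = $params
            Suspicious = $fromUnknownActor -or $riskyParams
        }
    }
}

# Usage (interactive session):
# Connect-ExchangeOnline
# Find-SuspiciousExchangeAdminOps -LookbackDays 30 -KnownAdmins 'admin@contoso.com' |
#     Where-Object Suspicious | Sort-Object When -Descending | Format-Table -AutoSize
```

Pivot on ClientIP and the actor's sign-in logs for every flagged row: a rule created by a legitimate admin account from an unfamiliar network is exactly the stolen-credential pattern described in the attack chain.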
**KQL (Microsoft Sentinel / Defender)**
// Hunt for Plenet or AgentPSD process activity.
// 'contains' is a case-insensitive substring match, which mirrors the Sigma rule;
// 'has' only matches whole terms and would miss a name embedded in a longer token.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName contains "plenet" or FileName contains "agentpsd"
    or ProcessCommandLine contains "plenet" or ProcessCommandLine contains "agentpsd"
| project Timestamp, DeviceName, AccountName, FileName, SHA256, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
// Hunt for file creation artifacts
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FileName contains "plenet" or FileName contains "agentpsd"
| project Timestamp, DeviceName, FolderPath, FileName, SHA256, InitiatingProcessFileName
| order by Timestamp desc
**Velociraptor VQL**
-- Hunt for Plenet or AgentPSD processes (=~ is a case-insensitive regex match in VQL)
SELECT Pid, Name, CommandLine, Exe
FROM pslist()
WHERE Name =~ "plenet|agentpsd"
-- Hunt for malicious artifacts on disk. VQL has no UNION; glob() accepts a list of
-- patterns, so one query covers both names. Hash each hit for IOC sharing.
SELECT OSPath, Size, Mtime, hash(path=OSPath).SHA256 AS SHA256
FROM glob(globs=["C:/**/*plenet*", "C:/**/*agentpsd*"])
WHERE NOT IsDir
**Remediation Script (PowerShell)**
# Remediation Script for UNC5221 Indicators
# Requires Administrator Privileges; run from an elevated PowerShell session
#Requires -RunAsAdministrator
Write-Host "Starting hunt for UNC5221 malware (Plenet, AgentPSD)..." -ForegroundColor Cyan
# 1. Kill suspicious processes
$malwareProcesses = @("plenet", "agentpsd")
foreach ($proc in Get-Process) {
    foreach ($malName in $malwareProcesses) {
        if ($proc.ProcessName -like "*$malName*") {
            Write-Host "[!] Terminating suspicious process: $($proc.ProcessName) (PID: $($proc.Id)) Path: $($proc.Path)" -ForegroundColor Red
            Stop-Process -Id $proc.Id -Force
        }
    }
}
# 2. Scan and record file artifacts (hash before any deletion so evidence survives)
Write-Host "Scanning for malicious files..." -ForegroundColor Cyan
$drives = @("C:\") # Add additional drives as needed
$foundFiles = @()
foreach ($drive in $drives) {
    # -File skips directories, -Force includes hidden and system files
    $files = Get-ChildItem -Path $drive -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*plenet*" -or $_.Name -like "*agentpsd*" }
    foreach ($file in $files) {
        $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        Write-Host "[!] Found malicious artifact: $($file.FullName) SHA256=$hash" -ForegroundColor Yellow
        $foundFiles += [pscustomobject]@{ Path = $file.FullName; SHA256 = $hash; Modified = $file.LastWriteTime }
        # Remove file (Uncomment below to enable deletion)
        # Remove-Item -Path $file.FullName -Force -Confirm:$false
    }
}
if ($foundFiles.Count -eq 0) {
    Write-Host "No immediate artifacts found on local filesystem." -ForegroundColor Green
} else {
    Write-Host "[+] Artifacts identified. Please review and delete." -ForegroundColor Red
    # Keep a record of paths, hashes and timestamps for the incident file
    $foundFiles | Export-Csv -Path "$env:TEMP\unc5221-artifacts.csv" -NoTypeInformation
}
Remediation
- Identity Compromise Assessment: Assume that valid credentials have been stolen via the Brickstorm mechanism. Force a password reset for all privileged accounts and for users with access to sensitive mailboxes, and revoke their existing sessions and refresh tokens at the same time (for example with Revoke-MgUserSignInSession). A password change alone leaves tokens issued before the reset valid until they expire.
- Investigate OAuth Applications: UNC5221 frequently uses illicit token grants. Audit all OAuth applications and consent grants in your Entra ID tenant. Revoke any app that was created around the time of the suspected intrusion or that holds high-risk permissions (e.g., ReadWrite.All, Mail.ReadWrite).
- Remove Malware Artifacts: Isolate hosts identified in the detection phase. Use the provided PowerShell script to locate and remove Plenet and AgentPSD binaries. Re-image the host if evidence of lateral movement exists.
- Audit Exchange Rules: Review inbox rules and transport rules for unauthorized forwarding, redirection or deletion rules, which are commonly used to hide intrusion activity from the mailbox owner.
- Block C2 Infrastructure: Work with your security vendor to block network indicators associated with UNC5221 C2 servers.
- Official Advisory: Refer to the latest advisories from Microsoft regarding UNC5221 activity for any emergency patches or configuration hardening guidance specific to the Brickstorm vector.
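The OAuth and inbox-rule steps above are point-in-time reviews of tenant state, which is a different question from the audit-log hunt (who changed what, when). The following is an added example, not code from the original advisory or from any vendor, that performs both reviews. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules with read-only Exchange and directory permissions; the list of risky permissions, the 90-day "recently created" window, and the exclusion of Microsoft first-party apps by the well-known Microsoft tenant ID are this example's own choices and should be tuned to the tenant.

```powershell
# Added example: review inbox rules and OAuth grants for the persistence paths named above.
#Requires -Modules ExchangeOnlineManagement, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns

function Find-SuspiciousInboxRules {
    # Flags rules that forward or redirect mail, or silently delete / move-and-mark-read it
    $mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox
    foreach ($mbx in $mailboxes) {
        Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue |
            Where-Object {
                $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
                $_.DeleteMessage -or ($_.MoveToFolder -and $_.MarkAsRead)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress
                    Rule    = $_.Name
                    Enabled = $_.Enabled
                    Forward = @($_.ForwardTo + $_.ForwardAsAttachmentTo + $_.RedirectTo) -join ','
                    Delete  = [bool]$_.DeleteMessage
                    MoveTo  = $_.MoveToFolder
                }
            }
    }
}

function Find-RiskyOAuthGrants {
    param(
        [int]$RecentDays = 90,
        # Delegated scopes and application roles treated as high-risk (assumption; extend as needed)
        [string[]]$RiskyPermissions = @('Mail.ReadWrite','Mail.Read','Mail.Send','MailboxSettings.ReadWrite',
            'Directory.ReadWrite.All','RoleManagement.ReadWrite.Directory','full_access_as_app','EWS.AccessAsUser.All')
    )
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    # Well-known ID of the Microsoft first-party tenant; used to skip Microsoft's own apps
    $microsoftTenant = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'

    # Resource service principals (Graph, Exchange Online, ...) publish AppRoles;
    # build a GUID -> name map so application permissions are readable
    $roleNames = @{}
    Get-MgServicePrincipal -All -Property Id,AppRoles | ForEach-Object {
        foreach ($r in $_.AppRoles) { $roleNames[$r.Id] = $r.Value }
    }

    $props = 'Id','DisplayName','AppId','CreatedDateTime','ServicePrincipalType','AppOwnerOrganizationId'
    foreach ($sp in Get-MgServicePrincipal -All -Property $props) {
        if ($sp.ServicePrincipalType -ne 'Application') { continue }
        if ($sp.AppOwnerOrganizationId -eq $microsoftTenant) { continue }

        # Delegated consents: space-separated scope string per grant
        $delegated = Get-MgOauth2PermissionGrant -All -Filter "clientId eq '$($sp.Id)'" |
                     ForEach-Object { $_.Scope -split ' ' }
        # Application permissions: app role assignments on the client SP
        $appRoles  = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
                     ForEach-Object { $roleNames[$_.AppRoleId] }

        $perms  = @($delegated + $appRoles) | Where-Object { $_ } | Sort-Object -Unique
        $risky  = $perms | Where-Object { $RiskyPermissions -contains $_ }
        $recent = $sp.CreatedDateTime -and ($sp.CreatedDateTime -gt $cutoff)
        if ($risky -or $recent) {
            [pscustomobject]@{
                App        = $sp.DisplayName
                AppId      = $sp.AppId
                Created    = $sp.CreatedDateTime
                Recent     = [bool]$recent
                RiskyPerms = ($risky -join ',')
                AllPerms   = ($perms -join ',')
            }
        }
    }
}

# Usage (interactive session):
# Connect-ExchangeOnline
# Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All'
# Find-SuspiciousInboxRules | Format-Table -AutoSize
# Find-RiskyOAuthGrants -RecentDays 90 | Sort-Object Created -Descending | Format-Table -AutoSize
```

Treat every hit as a lead rather than a verdict: a forwarding rule to an external address on an executive mailbox, or a recently created third-party app holding Mail.ReadWrite, is worth a conversation with the owner before it is removed, and removal should be paired with the credential and token revocation from the first remediation step or the actor simply re-creates it.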