This was more likely an Intune admin getting phished. Intune has a built-in wipe action: https://learn.microsoft.com/en-us/intune/intune-service/remo....