โ†Research
Researchcloud-security9 min read

Stryker lost tens of thousands of devices without a single piece of malware

Attackers compromised Stryker's Microsoft Entra credentials and used Intune to remotely wipe tens of thousands of employee devices. No malware was deployed. CISA responded with an emergency hardening advisory.

Stryker Corporation, a Fortune 500 medical technology manufacturer responsible for surgical equipment, orthopaedic implants and hospital infrastructure, had tens of thousands of employee devices remotely wiped on 11 March 2026. The attackers did not deploy ransomware. They did not drop a backdoor. They did not exploit a zero-day. They logged into Microsoft Entra with compromised credentials, gained administrative access to the company's Intune endpoint management environment and pressed the button that Intune was designed to provide: remote wipe.

CISA confirmed the incident on 18 March 2026 in an advisory that urged all organisations using endpoint management systems to harden their configurations immediately. The advisory cited the attack against a "US critical infrastructure organisation" and referenced Microsoft's own Intune hardening guidance. The subtext was clear: this was not a one-off.

What happened at Stryker

The attack chain, as reported by BleepingComputer and confirmed in CISA's advisory, followed a pattern that should alarm every organisation running a Microsoft cloud estate.

The attackers compromised credentials associated with Stryker's Microsoft Entra (formerly Azure Active Directory) environment. From there, they pivoted to the company's Intune instance, which manages device deployment, compliance policies, software distribution and, critically, remote device management actions including full device wipes. With sufficient administrative privileges, the attackers issued bulk wipe commands across the device fleet.

The result was tens of thousands of devices rendered inoperable simultaneously. Laptops, workstations, potentially mobile devices: all returned to factory state in a coordinated destructive action. No malware signature existed to detect because no malware was used. Every action the attackers took was performed through legitimate administrative interfaces using native platform capabilities.

This is living off the land taken to its logical extreme. The attack surface was not a software vulnerability. It was the management plane itself.

Why Intune is such a valuable target

Microsoft Intune sits at the centre of device lifecycle management for organisations running Microsoft 365 and Azure. It controls device enrolment, configuration profiles, compliance policies, application deployment and remote actions. An administrator with the right Entra role assignments can push software to every managed device, change security policies, read BitLocker recovery keys or wipe devices entirely.

For most organisations, Intune is the mechanism by which security policy is enforced on endpoints. It is also, by definition, the mechanism by which that enforcement can be undone. The same administrative capabilities that allow a security team to remotely wipe a stolen laptop allow an attacker to remotely wipe every laptop in the organisation.

The power concentration is significant. Unlike traditional on-premises management tools like System Center Configuration Manager (SCCM), which required network-level access to the management server, Intune is cloud-native. An attacker with valid Entra credentials and sufficient role assignments can reach it from anywhere. There is no VPN to breach, no network segmentation to bypass, no physical access to obtain. The entire attack surface is an identity with the right permissions.

This is not a theoretical concern. Microsoft's own documentation for Intune role-based access control lists dozens of built-in roles with varying levels of destructive capability. The "Intune Administrator" role in Entra, if assigned without constraint, grants full control over the entire device management environment. Conditional access policies can restrict when and from where these actions are permitted, but they must be configured deliberately. The default state of many Entra tenants is permissive.

The configuration gap

CISA's advisory is notable for what it emphasises: this was a configuration exploitation, not a software exploitation. No CVE was assigned because no vulnerability in the traditional sense was present. The software worked exactly as designed. The failure was in how the organisation configured its access controls around that software.

This distinction matters because it falls outside the standard vulnerability management workflow. Organisations with mature patching programmes, regular vulnerability scanning and well-maintained asset inventories can still be completely exposed at the configuration layer. There is no patch for "you gave too many people Intune Administrator and did not enforce MFA on those accounts."

CISA's hardening guidance focused on several specific configuration weaknesses:

Role-based access control. Organisations frequently over-provision administrative roles. Intune Administrator is often granted as a convenience to IT staff who need only a subset of its capabilities. Microsoft provides granular custom roles, but building and maintaining them requires deliberate effort that many organisations skip.

Multi-factor authentication on administrative accounts. This remains one of the most consistently exploited gaps in cloud environments. If an Entra account with Intune administrative privileges is protected only by a password, credential theft through phishing, infostealer malware or dark web purchases gives the attacker everything they need.

Conditional access policies. Even with MFA, an administrative action like a bulk device wipe should require additional validation: a trusted device, a trusted network location, an elevated authentication context. Many organisations enforce conditional access for user sign-ins but leave administrative actions unconstrained.

Audit logging and alerting. The Stryker attack involved a mass device wipe. That action generates telemetry in Intune's audit logs. Whether Stryker had alerting configured to detect anomalous bulk administrative actions is not publicly known, but the outcome suggests either the detection was absent or the response was too slow.

The pattern here echoes what we covered in the Coinbase insider breach: the gap between the access that legitimate operations require and the monitoring that surrounds that access is where attackers operate.

The healthcare dimension

Stryker is not a software company where a wiped laptop means a lost afternoon reinstalling applications. It manufactures surgical robots, orthopaedic implants and hospital bed systems. Its workforce includes engineers designing medical devices, quality assurance staff maintaining regulatory compliance, sales representatives coordinating with hospitals and field service technicians supporting equipment in operating theatres.

When tens of thousands of devices go offline simultaneously at a medical technology company, the blast radius extends beyond the company itself. If field service engineers lose access to maintenance documentation and diagnostic tools, hospital equipment may go unserviced. If quality systems are disrupted, manufacturing and distribution can halt. If regulatory submissions are delayed, product approvals stall.

The healthcare sector has historically been targeted for data theft: patient records, insurance information, research data. The Stryker attack represents something different. This was destruction for its own sake, or at least destruction as leverage. It is not clear whether a ransom demand accompanied the wipe, but the effect was the same: operational paralysis achieved through the organisation's own management infrastructure.

CISA's decision to issue a broad advisory rather than a Stryker-specific notification signals a belief that this attack model is replicable across sectors. Any organisation using Intune, or any comparable endpoint management platform, faces the same structural risk.

The identity perimeter problem

The Stryker incident is a case study in what happens when cloud identity becomes the primary security boundary and organisations fail to treat it as such.

In a traditional on-premises environment, an attacker who compromised an Active Directory administrator account still had to reach the domain controller, likely from inside the network. Network segmentation, VLAN isolation and physical access controls provided layers of defence independent of the identity layer. The attack surface was distributed across multiple control planes.

In a cloud-native Microsoft environment, Entra ID is the single control plane. It governs access to Microsoft 365, Azure resources, Intune, Defender and every SaaS application federated through it. Compromise a sufficiently privileged Entra identity and the attacker inherits access to everything that identity controls. There is no separate network to breach. There is no physical server to reach. The management plane is the network.

Microsoft has invested significantly in Entra security features: Privileged Identity Management (PIM) for just-in-time role activation, Conditional Access for context-aware access decisions, Identity Protection for risk-based sign-in policies. These are capable tools. But they require configuration, testing and ongoing maintenance. They are not enabled by default in the configurations that most organisations actually deploy.

Research into enterprise device identity management, including recent academic work on how MAC address randomisation is disrupting network access control systems, highlights a broader truth: the assumptions underlying device trust are shifting faster than most organisations' security architectures. Network-level device identification is becoming unreliable. Cloud-based device management is becoming the sole source of truth for device posture. When that sole source of truth is compromised, there is no fallback.

What defenders should do now

The CISA advisory is specific enough to serve as an audit checklist. But the underlying problem is cultural, not technical. Organisations treat Intune as an IT operations tool, not as a security-critical system. The permissions it grants, the actions it enables, the blast radius of its compromise: these are treated as operational concerns rather than security risks.

A minimum hardening baseline for Intune environments should include the following:

Enforce MFA for every account with any Intune administrative role. Not just Global Administrator. Every role that can modify device policies or execute remote actions.

Implement Privileged Identity Management so that administrative roles are activated on demand with time-limited scope rather than permanently assigned.

Configure conditional access policies that require compliant devices and trusted network locations for administrative actions, particularly destructive ones like device wipes.

Build alerting on Intune audit logs for anomalous patterns: bulk device wipe commands, rapid successive policy changes, administrative sign-ins from unusual locations or devices.

Review and reduce administrative role assignments. The principle of least privilege applies to cloud administration with particular force because the blast radius of over-provisioning is no longer bounded by network topology.

Test your detection. Simulate an administrative account compromise in a test environment and verify that your security operations centre actually sees the alert and responds within a timeframe that matters. A bulk wipe command that completes in minutes is not detected usefully by a process that escalates in hours.
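As an added example covering the alerting step above and the audit-logging gap described under "The configuration gap" (this code is not from the original post and not Microsoft's), here is a small sliding-window burst detector run over constructed sample audit records. The record layout (timestamp, actor, operation, target), the actor names and the operation names are assumptions made for illustration, not the real Intune audit log schema.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample audit records in a simplified shape:
# (timestamp, actor, operation, target). Real Intune audit entries carry many
# more fields; nothing here is copied from a real tenant.
SAMPLE_EVENTS = [
    ("2026-03-11T09:00:05Z", "admin@contoso.example", "Wipe ManagedDevice", "LAPTOP-001"),
    ("2026-03-11T09:00:09Z", "admin@contoso.example", "Wipe ManagedDevice", "LAPTOP-002"),
    ("2026-03-11T09:00:12Z", "admin@contoso.example", "Wipe ManagedDevice", "LAPTOP-003"),
    ("2026-03-11T09:00:20Z", "admin@contoso.example", "Wipe ManagedDevice", "LAPTOP-004"),
    ("2026-03-11T09:00:31Z", "admin@contoso.example", "Wipe ManagedDevice", "LAPTOP-005"),
    ("2026-03-11T09:00:33Z", "admin@contoso.example", "Wipe ManagedDevice", "LAPTOP-006"),
    ("2026-03-11T09:15:00Z", "helpdesk@contoso.example", "Wipe ManagedDevice", "LAPTOP-077"),
    ("2026-03-11T09:20:00Z", "admin@contoso.example", "Patch DeviceConfiguration", "profile-A"),
    ("2026-03-11T09:20:30Z", "admin@contoso.example", "Patch DeviceConfiguration", "profile-B"),
    ("2026-03-11T09:21:00Z", "admin@contoso.example", "Patch DeviceConfiguration", "profile-C"),
]

def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def detect_bulk_actions(events, operation_prefix, threshold, window_seconds):
    """Sliding-window burst detector: one alert per actor, raised the first
    time that actor performs >= threshold operations whose name starts with
    operation_prefix inside any window_seconds span.
    Returns a list of (actor, window_start, count)."""
    recent = defaultdict(deque)   # actor -> timestamps still inside the window
    alerted = set()
    alerts = []
    for ts_str, actor, operation, _target in sorted(events, key=lambda e: e[0]):
        if not operation.startswith(operation_prefix):
            continue
        ts = parse_ts(ts_str)
        window = recent[actor]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()   # drop timestamps that fell out of the window
        if len(window) >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append((actor, window[0].isoformat(), len(window)))
    return alerts

if __name__ == "__main__":
    # One helpdesk wipe is routine; six wipes by one actor in 30 seconds and
    # three policy edits in a minute are the patterns the baseline calls out.
    for alert in detect_bulk_actions(SAMPLE_EVENTS, "Wipe", 5, 300):
        print("BULK WIPE:", alert)
    for alert in detect_bulk_actions(SAMPLE_EVENTS, "Patch DeviceConfiguration", 3, 300):
        print("RAPID POLICY CHANGES:", alert)
```

The thresholds and windows are starting points to tune against your own baseline of legitimate wipe and policy-change volume; the point is that the alert fires within seconds of the burst, not after an hourly report.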

The management plane is the attack surface

The Stryker attack did not require novel techniques, expensive tooling or nation-state resources. It required a set of credentials with too much privilege and an organisation that had not constrained the destructive capabilities those credentials unlocked. The attack used the product exactly as Microsoft built it to work. The wipe button is there because organisations need it. The question is who else can press it.

Every organisation running Intune, or Jamf, or Workspace ONE, or any cloud-native endpoint management platform, has given that platform the administrative equivalent of physical access to every managed device. The security of that platform is not an IT operations concern. It is the single highest-leverage target an attacker can reach, because compromising it converts a single identity into organisational-scale destruction.

CISA does not issue hardening advisories for theoretical risks. The Stryker incident was the proof of concept. The question for every other organisation is whether they will harden before the next one, or after.
