For years, security teams have been trained to look for malware, suspicious files and anomalous activity. The Stryker attack made that playbook obsolete in a few hours.
Handala didn’t need to smuggle a weapon into Stryker’s environment. They stole a key, walked in through the front door, and used the company’s trusted security software to grind operations to a halt. With an administrator-executed command in Microsoft Intune, the attackers remotely wiped nearly 80,000 devices around the world.
What the Stryker incident represents is a continuation of the shift in the threat landscape: the weaponization of trust itself. Identity is the perimeter, and when that perimeter falls, your most powerful operational tools become your most dangerous liabilities. The same platforms your IT team relies on to manage, protect, and recover your environment can be turned against you — at scale, at speed, and with almost no forensic trace.
The question every organization needs to answer right now isn’t “could this happen to us?” It’s “would we know before it was too late?”

The Stryker Breach: What Happened
Stryker Corporation, the Fortune 500 medical technology giant providing surgical equipment to hospitals worldwide, was hit by a devastating cyberattack on March 11, 2026. The group behind it (Handala, a pro-Iranian hacktivist operation linked to Iran’s Ministry of Intelligence and Security) claimed to have wiped over 200,000 systems, servers, and mobile devices, and extracted 50 terabytes of data. Investigators found no evidence of data exfiltration, but the destruction of endpoints was very real.
Within three hours, nearly 80,000 employee devices were remotely erased, including laptops, workstations, and even personal phones. Employees who had enrolled their own devices in Stryker’s BYOD program lost everything: photos, banking apps, eSIMs, and the authenticator apps they relied on for personal accounts. Some departments lost up to 95% of their devices before anyone could react. Entire offices reverted to pen-and-paper workflows.
In its SEC filing, Stryker confirmed the attack “resulted in a global disruption to the Company’s Microsoft environment.” The company stated there was no ransomware and no evidence of malware deployed — because none was needed. The attackers used Microsoft Intune, a tool that Stryker (and tens of thousands of organizations around the world) trusted completely.
What Is a Microsoft Intune Attack?
Microsoft Intune is a cloud-based endpoint management platform that gives IT administrators a single console to manage every device in their organization, including corporate laptops, phones, tablets, and personal devices enrolled through BYOD programs. When a device is enrolled in Intune, it trusts Intune as an authority. If Intune sends a factory reset command, the device executes it immediately, without additional verification.
The ability to manage thousands of devices simultaneously is exactly what makes Intune valuable to IT teams. If devices are lost or stolen, or if employees or contractors need to be off-boarded, the remote wipe capability keeps corporate data and access to devices out of the hands of potential bad actors. But it also means that anyone with administrator-level access to Intune holds a kill switch for an entire organization’s endpoint fleet.
The Attack Chain: How Stryker Was Compromised
Step 1 — Initial Access
Adversary-in-the-Middle (AiTM) Phishing
Attackers used a phishing-as-a-proxy technique to intercept a real Microsoft login session. The victim completed legitimate MFA and the attacker captured the resulting session token, bypassing multi-factor authentication entirely. No malware on the victim’s device. No visible sign of compromise.
Step 2 — Privilege Escalation
Admin Account Compromised; New Global Admin Created
With a stolen session token, the attacker accessed a privileged administrator account and created a new Global Administrator account, giving them full, persistent control over Stryker’s Microsoft 365 environment, including Intune.
Step 3 — Lateral Movement
Living Off the Land (Silently)
From a monitoring perspective, this stage looked entirely normal. The attacker moved through legitimate administrative interfaces, modifying policies and reviewing configurations, indistinguishable from Stryker’s typical IT team activity.
Step 4 — Destruction
Remote Wipe Issued to ~80,000 Devices
Using Intune’s built-in Remote Wipe feature, the attacker issued factory reset commands to every enrolled device simultaneously. The platform, operating as intended, executed every command without additional verification.
“The things that bring us operational convenience are the same things that can be turned into the most destructive weapons,” said MacKenzie Brown, Cynet’s VP of Threat Intelligence Strategy. “We’ve responded to incidents where malware was deployed through Intune. In Stryker’s case, there was no malware, because there didn’t need to be. A remote wipe command did the job, and we haven’t seen nearly enough discussion about why it took so long for someone to use Intune this way at scale.”
The Stryker attack wasn’t a technical exploit of a software vulnerability. Intune worked as designed. Analysts at Forrester described the approach as living off the land — not a product flaw, but a trust model flaw. Security teams weren’t looking for a remote wipe command issued by a threat actor. They were looking for malware that was never there.
Understanding Wiper Attacks
Traditional wiper malware is software designed to permanently destroy data on infected systems. Unlike ransomware, which encrypts data and demands payment for the decryption key, wiper attacks skip the negotiation entirely. The goal is destruction, not extortion. Recovery is far more difficult because there’s nothing to decrypt; the data is simply gone.
Handala has used conventional wiper malware since emerging in December 2023, targeting Israeli organizations with Windows and Linux data-wiping tools. But the Stryker attack represents an evolution: instead of deploying malicious code, the group weaponized the victim’s own infrastructure. The result was identical (mass data destruction) but the method left almost no traditional forensic footprint.
“We’re living in an era defined by the abuse of trust. Threat actors aren’t building new weapons. They’re gaining access and abusing the implicit trust that identity brings. Once they have it, they can modify policies, push configurations, execute commands — all while being less noisy. You’re not looking for malware. You’re looking for someone who looks exactly like your IT team.”
MacKenzie Brown, VP, Threat Intelligence Strategy
This shift from deploying malware to abusing trusted platforms is part of a broader trend security professionals call “living off the land.” Attackers use native tools and legitimate administrative capabilities to achieve their objectives, making detection exponentially harder. Geopolitical context matters here, too. Handala stated the Stryker attack was retaliation for U.S. military strikes in Iran. Stryker was a high-value target: a Fortune 500 company with significant U.S. military medical device contracts and an Israeli subsidiary. The attack was not financially motivated; its purpose was destruction.
Why Managed Service Providers Should Be Paying Close Attention
For most enterprises, the Stryker breach is a cautionary tale. For MSPs, it’s an existential warning. MSPs rely on centralized management platforms, including Intune, to manage multiple clients, multiple tenants, and thousands of endpoints simultaneously. That’s the value proposition, but it’s also the attack surface.
“This is a critical case study in supply chain risk and privileged access management, and MSPs are inherently both. They rely on centralized systems to manage multiple clients, multiple tenants, and thousands of endpoints simultaneously. Intune is just MDM, but it falls in the same category as every primary centralized system MSPs use to run their business,” said Brown. “It’s being reported that Stryker started with adversary-in-the-middle phishing to bypass MFA and steal admin tokens. If you can gain admin access at the MSP level, every customer managed would be none the wiser. MSPs are effectively becoming proxies for threat actors to leverage that inherent trust. We need to ensure MSPs don’t become that single point of failure.”
A threat actor who compromises an MSP’s Intune administrator could get access to every organization that MSP manages. The Stryker attack demonstrates exactly how quickly that trust can be turned into mass destruction. Enterprise organizations, critical infrastructure, and trusted security partners and solution providers represent prime targets for hacktivist groups and financially motivated criminals alike.
CISA’s Guidance and What Organizations Must Do Now
Following the breach, CISA issued guidance urging all U.S. organizations to harden their Microsoft Intune environments. The agency specifically called out the risk to endpoint management systems and warned that similar attacks could target other networks.
Security researchers noted that Intune and similar platforms have a multi-account approval feature that requires more than one administrator to authorize destructive actions like device wipes, but that this control is frequently left disabled. The capability to prevent this attack existed inside Stryker’s environment. It just wasn’t configured.
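As an added illustration (not Intune’s code or API, and not from the original article), the following Python models the control described above: a destructive action such as a remote wipe is held until a second, distinct administrator approves it, so one compromised admin identity cannot execute it alone, while routine non-destructive changes flow through untouched. The action names, the Request and ApprovalGate classes, and the admin identities are hypothetical.

```python
"""Separation-of-duties gate for destructive endpoint actions.

Illustrative model of a 'second administrator must approve' control; it is not
Intune's implementation. Action names, identities and classes are assumed.
"""
from dataclasses import dataclass
from typing import Optional
import itertools

DESTRUCTIVE_ACTIONS = {"wipe", "factory_reset", "retire"}   # assumed action names


@dataclass
class Request:
    id: int
    requester: str
    action: str
    devices: tuple
    approver: Optional[str] = None
    executed: bool = False


class ApprovalGate:
    """Routes every management action; destructive ones wait for a second admin."""

    def __init__(self, approvers):
        self.approvers = set(approvers)   # admins allowed to approve
        self._ids = itertools.count(1)
        self.pending = {}                 # request id -> Request awaiting approval
        self.executed = []                # (action, devices) actually sent to devices

    def submit(self, requester, action, devices):
        req = Request(next(self._ids), requester, action, tuple(devices))
        if action not in DESTRUCTIVE_ACTIONS:
            self._execute(req)            # routine change: no second approver needed
        else:
            self.pending[req.id] = req    # held, whatever the requester's role
        return req

    def approve(self, request_id, approver):
        req = self.pending.get(request_id)
        if req is None:
            raise KeyError(f"no pending request {request_id}")
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not an approver")
        if approver == req.requester:
            raise PermissionError("a requester cannot approve their own destructive action")
        req.approver = approver
        del self.pending[request_id]
        self._execute(req)
        return req

    def deny(self, request_id, approver):
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not an approver")
        return self.pending.pop(request_id)   # never reaches a device

    def _execute(self, req):
        req.executed = True
        self.executed.append((req.action, req.devices))


def demo():
    """Constructed scenario: a single admin identity tries a fleet-wide wipe."""
    gate = ApprovalGate(approvers={"alice@corp.example", "bob@corp.example",
                                   "svc-new-admin@corp.example"})
    fleet = [f"device-{i:04d}" for i in range(50)]        # constructed device ids
    req = gate.submit("svc-new-admin@corp.example", "wipe", fleet)
    held = not req.executed                               # wipe is parked, not sent
    try:
        gate.approve(req.id, "svc-new-admin@corp.example")  # self-approval attempt
        self_approval_blocked = False
    except PermissionError:
        self_approval_blocked = True
    # A legitimate offboarding still works once a different admin signs off.
    gate.approve(req.id, "bob@corp.example")
    return {"held": held, "self_approval_blocked": self_approval_blocked,
            "executed_after_second_admin": req.executed,
            "wiped": len(gate.executed[0][1])}


if __name__ == "__main__":
    print(demo())
```

The gate deliberately ignores the requester’s role: a freshly created Global Administrator is held to the same rule as anyone else, which is the property that would have forced the attacker to compromise a second identity before a wipe could leave the console.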
Recommended Actions:
- Eliminate legacy authentication protocols across your Microsoft environment
- Enable risk-based access policies with continuous session evaluation
- Require phishing-resistant MFA (FIDO2 / passkeys) for all admin accounts — standard MFA does not stop AiTM phishing
- Enable multi-account approval for destructive Intune actions (remote wipe, factory reset)
- Ensure endpoint protection is deployed across every managed device
- Implement 24×7 monitoring focused on low-noise lateral movement and privilege escalation
- Test your BCDR plan end-to-end before you need to activate it
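One way to build the low-noise monitoring recommended above, as an added example that is not from the article, Cynet or Microsoft: a small Python correlator that reads constructed audit events shaped loosely like an Entra ID / Intune audit export and raises on the two stages of the attack chain described earlier, a privileged role granted to a freshly created account, and a burst of wipe commands from that same account shortly afterwards, while leaving a single routine helpdesk wipe alone. The event field names, operation strings, role names, thresholds and identities are all assumptions, not a real schema.

```python
"""Correlate audit events to flag a Stryker-style chain: a privileged role granted
to a new account, followed by a burst of device wipes from that same account.

Constructed example; field and operation names are assumptions loosely modeled
on Entra ID / Intune audit exports, not a real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator",
                    "Privileged Role Administrator"}              # assumed role names
WIPE_OPERATIONS = {"Wipe device", "Retire device", "Reset device"}  # assumed operation names
WIPE_BURST_THRESHOLD = 10                  # wipes per window before alerting
WIPE_BURST_WINDOW = timedelta(minutes=15)
NEW_ACCOUNT_WINDOW = timedelta(hours=1)    # role grant soon after account creation
CORRELATION_WINDOW = timedelta(hours=24)   # role grant followed by a wipe burst
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_time(ts):
    return datetime.strptime(ts, TIME_FMT).replace(tzinfo=timezone.utc)


def build_sample_events():
    """Constructed audit-log events (not real Stryker data)."""
    base = datetime(2026, 3, 11, 2, 0, tzinfo=timezone.utc)

    def stamp(delta):
        return (base + delta).strftime(TIME_FMT)

    events = [
        {"time": stamp(timedelta(0)), "actor": "it-admin@corp.example",
         "operation": "Add user", "target": "svc-backup2@corp.example"},
        {"time": stamp(timedelta(minutes=2)), "actor": "it-admin@corp.example",
         "operation": "Add member to role", "target": "svc-backup2@corp.example",
         "role": "Global Administrator"},
        {"time": stamp(timedelta(minutes=30)), "actor": "svc-backup2@corp.example",
         "operation": "Update deviceConfiguration", "target": "policy-baseline"},
        # One routine wipe of a lost laptop by the helpdesk: must not alert.
        {"time": stamp(timedelta(minutes=40)), "actor": "helpdesk@corp.example",
         "operation": "Wipe device", "target": "laptop-lost-0042"},
    ]
    # 25 wipes in under five minutes from the newly elevated account.
    for i in range(25):
        events.append({"time": stamp(timedelta(hours=1, seconds=12 * i)),
                       "actor": "svc-backup2@corp.example",
                       "operation": "Wipe device", "target": f"device-{i:04d}"})
    return events


def analyze(events):
    """Return a list of findings; each is a dict with 'severity' and 'rule' keys."""
    events = sorted(events, key=lambda e: e["time"])   # ISO timestamps sort lexically
    findings = []
    created_at = {}                 # account -> creation time
    role_grants = {}                # account -> (grant time, role)
    wipes_by_actor = defaultdict(list)

    for e in events:
        t, op = parse_time(e["time"]), e["operation"]
        if op == "Add user":
            created_at[e["target"]] = t
        elif op == "Add member to role" and e.get("role") in PRIVILEGED_ROLES:
            role_grants[e["target"]] = (t, e["role"])
            finding = {"severity": "high", "rule": "privileged_role_grant",
                       "actor": e["actor"], "target": e["target"], "role": e["role"]}
            born = created_at.get(e["target"])
            if born is not None and t - born <= NEW_ACCOUNT_WINDOW:
                finding.update(severity="critical",
                               rule="privileged_role_grant_to_new_account")
            findings.append(finding)
        elif op in WIPE_OPERATIONS:
            wipes_by_actor[e["actor"]].append(t)

    # Sliding window over each actor's wipe timestamps; one alert per actor.
    for actor, times in wipes_by_actor.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WIPE_BURST_WINDOW:
                start += 1
            count = end - start + 1
            if count >= WIPE_BURST_THRESHOLD:
                finding = {"severity": "high", "rule": "wipe_burst", "actor": actor,
                           "count": count, "first": times[start], "last": times[end]}
                grant = role_grants.get(actor)
                if grant and times[end] - grant[0] <= CORRELATION_WINDOW:
                    finding.update(severity="critical",
                                   rule="wipe_burst_after_privilege_grant", role=grant[1])
                findings.append(finding)
                break
    return findings


if __name__ == "__main__":
    for f in analyze(build_sample_events()):
        print(f["severity"].upper(), f["rule"], f)
```

The rule fires on the first ten wipes inside the window rather than waiting for the full burst, which is the point of the exercise: the wipe count at detection time, not at the end of the incident, is what bounds the damage.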
Business continuity and disaster recovery (BCDR) deserves particular attention. Many organizations have a plan that has never been tested end-to-end. A Stryker-style scenario creates two simultaneous crises: immediate BCDR activation across a globally distributed workforce, and the longer-tail risk of data that may have been exfiltrated.
“The Stryker lesson is that we’re still balancing basic cyber hygiene with privileged access management and the 24×7 monitoring you need to catch low-noise lateral movement and privilege escalation. CISA’s guidance is important, and we’d urge organizations to eliminate legacy authentication and enable risk-based access policies with continuous session evaluation. Make sure endpoint protection is deployed across every managed device — not just configured, but actually deployed — and prepare for destructive scenarios,” warned Brown.
The New Normal: Trust is the Attack Surface
The Stryker breach happened because an attacker gained the trust of a legitimate administrator and then used that trust to do everything that admin could do. The platform performed flawlessly, but the security controls around it failed.
This is the defining challenge of modern enterprise security. Identity-based attacks look like normal users going about their work, or at times, like ordinary administrator behavior. Instead of wondering whether their tools are secure, teams now have to ask whether they’d know if someone who looks exactly like an admin was using them maliciously. While there is no one-size-fits-all answer, staying vigilant when new attacks emerge and fast-tracking recommended security controls is always the best course of action.