When the Admin Console Becomes the Weapon
info929522 · Mar 21 · 7 min read
The Stryker breach didn’t use malware. It used your own device management platform against you. Here’s what happened, why it worked, and how to make sure it doesn’t happen to you.
On the morning of March 11, 2026, employees at Stryker Corporation arrived at their desks to find their screens blank. Laptops. Phones. All of it. Wiped. No ransom note. No encrypted files waiting for a decryption key. Just gone. 200,000+ devices across 79 countries, factory-reset overnight.
There was no novel exploit. No zero-day. No malware that slipped past endpoint detection. The attackers walked in through a door that IT teams around the world leave wide open every single day: a single administrative account with permanent, unrestricted access to Microsoft Intune.
INCIDENT REPORT: MARCH 11, 2026
Stryker Corporation: Global Device Wipe
Iran-linked hacktivist group Handala, tied to Iran’s Ministry of Intelligence and Security, claimed responsibility for a devastating attack against Stryker, a Fortune 500 medical technology manufacturer with 56,000 employees and $25 billion in annual revenue. Attackers reportedly gained access to Stryker’s Microsoft Intune management console and issued mass remote wipe commands. These were the same built-in commands IT teams use when a corporate device is lost or stolen. Stryker confirmed in an SEC filing that the attack caused “disruptions and limitations of access” to systems worldwide, disrupting order processing, manufacturing, and shipping. Handala also claimed to have stolen 50TB of company data.
Devices wiped: 200K+ | Countries affected: 79 | Data claimed stolen: 50TB | Annual revenue: $25B
How Did They Do It?
The attack didn’t involve custom malware or sophisticated exploits. Researchers describe it as a “living off the land” technique: the attackers used legitimate tools and features that already existed inside the environment, so nothing malicious was ever written to a disk for an endpoint agent to find.
01 Initial Access: Attackers compromised high-privilege administrative credentials, most likely for a Global Administrator or Intune Administrator account. The exact method hasn’t been confirmed publicly, but phishing and credential theft remain the most common vectors.
02 Console Access: Using those credentials, attackers signed in to Stryker’s Microsoft Intune admin center, a cloud-based web console reachable from any browser, anywhere in the world.
03 Mass Wipe: From that single console, they selected all enrolled devices (Windows laptops, iPhones, Android phones) and triggered the built-in Wipe remote action. With no approval workflow configured, each command executed immediately; there were no safeguards to bypass because none were in place.
04 Cascading Impact: Every managed device received a legitimate wipe command from the MDM server it already trusted, and the OS obeyed immediately. Personal BYOD devices were wiped too, deleting personal photos, eSIMs, and 2FA apps and locking employees out of their own banking apps.
“They seem to have obtained access to the Microsoft Intune management console. This is a solution for managing corporate devices.” Rafe Pilling, Director of Threat Intelligence, Sophos
The attack was effective not because it was sophisticated, but because it was simple. One account. One console. One click. The entire device fleet, gone. There was nothing for endpoint detection to catch. It looked exactly like a legitimate admin performing a routine device wipe.
Why This Matters for Every Organization
You might be thinking: “We’re not a Fortune 500. We’re not in the medical device industry. Iran isn’t coming after us.” And you might be right about Iran.
But the conditions that made Stryker vulnerable exist in thousands of organizations right now:
• A single account holds permanent Global Administrator access
• Helpdesk staff have more permission than their role requires
• High-impact actions like device wipes require no secondary approval
• BYOD devices are enrolled in full MDM instead of app-level management
• No alerts exist for bulk destructive actions
If a disgruntled employee, a phished helpdesk worker, or any other attacker gains access to your Intune console, the question isn’t whether they can cause damage. The question is how many guardrails you’ve put in the way.
⚠ BYOD Warning: The Stryker attack didn’t just wipe corporate laptops. It wiped personal phones enrolled under the company’s bring-your-own-device program. Employees lost personal photos, had their eSIMs deleted, and were locked out of personal banking apps because their 2FA authenticator was on the wiped device. The distinction matters here: Intune’s Wipe action returns a device to factory settings, while Retire removes only the corporate apps, data, and profiles. Full MDM enrollment of a personal device hands an attacker with wipe rights the factory reset, and with it significant collateral damage risk.
The Real Problem: Permanent Privilege
At the core of most of these incidents is the same design mistake: permanent administrative privilege. An account that is always a Global Admin, 24/7, 365 days a year, whether the administrator is actively using it or not.
This means a stolen credential doesn’t just let an attacker into your email. It immediately hands them the master remote control to every device in your organization.
The solution isn’t complicated. It’s just not implemented by default. Here’s what a secure setup actually looks like.
What to Do: A Practical Hardening Roadmap
01 [CRITICAL] Enable Multi-Admin Approval. Turn on Multi-Admin Approval (MAA) in Intune with an access policy covering device actions such as wipe, retire, and delete, so that a wipe request must be approved by a second administrator before it executes. The approvers must be a group the requesting admin is not a member of; a requester cannot approve their own request. With this in place, a single compromised account cannot wipe the fleet on its own, which is exactly what happened at Stryker.
02 [CRITICAL] Remove Permanent Global Admin. No account should be permanently assigned Global Administrator. Use Privileged Identity Management (PIM) in Entra ID to make admin roles eligible-only, requiring activation with MFA and a justification.
03 [HIGH] Scope Helpdesk Roles Properly. Your helpdesk does not need Global Admin. Assign Intune’s built-in Help Desk Operator role, scoped with scope tags and groups to the devices they actually support. They can sync devices, reset passcodes, and troubleshoot without the ability to create policies, manage admins, or change tenant settings.
04 [HIGH] Separate Admin Accounts. Administrators should have two accounts: one for daily work (email, Teams), one used exclusively for admin tasks. A phishing attack against the daily account should not hand over admin credentials.
05 [HIGH] Enforce Conditional Access. Require phishing-resistant MFA (FIDO2 hardware keys or certificate-based authentication), managed and compliant devices, and named location restrictions for all admin sign-ins. Block admin sign-ins from personal or unmanaged machines.
06 [MEDIUM] Switch BYOD to MAM. Move personal devices from full MDM enrollment to Mobile Application Management (MAM) with app protection policies. Intune can protect corporate data inside the apps without owning the entire device, so the worst a compromised console can do to a personal phone is a selective wipe of corporate app data, not a factory reset.
07 [MEDIUM] Create Break-Glass Accounts. Maintain two cloud-only emergency Global Admin accounts with long, randomly generated passwords, excluded from Conditional Access, and with an MFA method that does not depend on the infrastructure your regular admins rely on (a FIDO2 key kept in a safe rather than an Authenticator app). Store the credentials offline and alert on every sign-in. These are your lifeline if PIM, MFA, or Conditional Access fail.
08 [MEDIUM] Alert on Bulk Destructive Actions. Configure monitoring and alerts in Microsoft Sentinel (or whatever consumes your Intune and Entra ID audit logs) for mass device wipe commands, new Global Admin assignments, Conditional Access policy changes, break-glass sign-ins, and PIM elevation requests.
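Items 02, 05, and 07 come together in one Conditional Access policy pair: a grant policy that demands phishing-resistant MFA and a compliant device from anyone holding an admin role, a block policy for admin sign-ins outside your named locations, and an exclusion for the break-glass accounts so a mistake in either policy cannot lock you out. The block below is an added example, not code from the original article or from Microsoft; it builds both policies in the shape Microsoft Graph expects for POST /identity/conditionalAccess/policies and includes a linter you can run over an exported policy (GET /identity/conditionalAccess/policies) to see which of the five weaknesses it still has. The role template IDs are the published built-in values and the authentication strength ID is the built-in “Phishing-resistant MFA” strength; the break-glass and named-location IDs in the usage section are placeholders.

```python
"""Conditional Access for admin sign-ins: build the hardened policy pair and
lint an existing grant policy. Added example; bodies follow the Graph
conditionalAccessPolicy schema."""
import json

# Built-in Entra role template IDs (identical in every tenant).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
INTUNE_ADMIN = "3a2c62db-5318-420d-8d74-23affee5d9d5"
PRIV_ROLE_ADMIN = "e8611ab8-c189-46e8-94e1-60213ab1f814"
ADMIN_ROLES = [GLOBAL_ADMIN, INTUNE_ADMIN, PRIV_ROLE_ADMIN]
# Built-in authentication strength "Phishing-resistant MFA" (FIDO2, WHfB, CBA).
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"


def _admin_scope(break_glass_user_ids):
    """Target the admin roles; exclude break-glass so a CA mistake cannot lock the tenant."""
    return {"includeRoles": ADMIN_ROLES, "excludeUsers": list(break_glass_user_ids)}


def admin_grant_policy(break_glass_user_ids):
    """Grant policy: admins get in only with phishing-resistant MFA AND a compliant device."""
    return {
        "displayName": "CA-ADMIN-01 Admin roles: phishing-resistant MFA + compliant device",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": _admin_scope(break_glass_user_ids),
        },
        "grantControls": {
            "operator": "AND",  # both controls, not either one
            "builtInControls": ["compliantDevice"],
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA},
        },
    }


def admin_location_block_policy(break_glass_user_ids, named_location_ids):
    """Block policy: admin sign-ins from anywhere except the named locations are denied."""
    return {
        "displayName": "CA-ADMIN-02 Admin roles: block outside named locations",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": _admin_scope(break_glass_user_ids),
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": list(named_location_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lint_admin_grant_policy(policy, break_glass_user_ids):
    """Return the weaknesses in an exported admin grant policy. Empty list == hardened."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append(f"policy is not enforced (state={policy.get('state')})")
    users = policy.get("conditions", {}).get("users", {})
    if any(r not in users.get("includeRoles", []) for r in (GLOBAL_ADMIN, INTUNE_ADMIN)):
        findings.append("Global Administrator and/or Intune Administrator not targeted")
    if not set(break_glass_user_ids) <= set(users.get("excludeUsers", [])):
        findings.append("break-glass accounts not excluded (lockout risk)")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    strength = (grant.get("authenticationStrength") or {}).get("id")
    if strength != PHISHING_RESISTANT_MFA:
        findings.append("no phishing-resistant authentication strength"
                        + (" (legacy 'mfa' control accepts SMS and push)" if "mfa" in controls else ""))
    if "compliantDevice" not in controls:
        findings.append("unmanaged devices allowed for admin sign-in")
    if len(controls) + (1 if strength else 0) > 1 and grant.get("operator") != "AND":
        findings.append("operator is OR: any single control satisfies the policy")
    return findings


if __name__ == "__main__":
    bg = ["11111111-1111-1111-1111-111111111111"]      # placeholder break-glass object ID
    offices = ["22222222-2222-2222-2222-222222222222"]  # placeholder named location ID
    print(json.dumps(admin_grant_policy(bg), indent=2))
    print(json.dumps(admin_location_block_policy(bg, offices), indent=2))
    print(lint_admin_grant_policy(admin_grant_policy(bg), bg))
```

Run the linter against every policy whose users condition includes a directory role; the most common result in small tenants is a report-only policy with the legacy “mfa” control and no device requirement, which is exactly the configuration a phished password plus an SMS code walks straight through.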
Role Structure: What It Should Look Like
Most small and mid-size organizations over-assign roles because it’s easier. Here’s a practical structure that gives each level exactly what they need and nothing more:
Level | Role | Can Do | Cannot Do |
Tier 1 - Helpdesk | Help Desk Operator (Intune) | Sync device, reset passcode, view device info, wipe a single device (subject to Multi-Admin Approval) | Create policies, manage admins, change tenant settings |
Tier 2 - Endpoint Admin | Intune Administrator | Manage policies, device groups, compliance, complex issues | Manage identity, assign privileged roles, access Entra ID settings |
Tier 3 - Identity Admin | Privileged Role Administrator | Manage PIM, approve role elevation, assign admin roles | Configure devices, manage Intune policies directly |
Tier 4 - Tenant Admin | Global Administrator (PIM-eligible, approval required) | Tenant configuration, rare tasks | Daily use. This role should rarely ever be activated. |
Emergency / Break-Glass | Global Administrator (permanent, see item 07) | Disaster recovery when PIM, MFA, or Conditional Access fail | Anything else. Any sign-in should trigger an alert. |
PIM in Practice: What the New Workflow Looks Like
Once Privileged Identity Management is configured, the experience for your administrator changes from “I always have God-mode” to something much more controlled:
01 Normal Sign-In: The admin signs in to their dedicated admin account. Eligible roles are listed, but none is active, so the session has no privileges beyond a regular user.
02 Request Elevation: When admin work is needed, the admin requests their eligible role through the PIM portal.
03 MFA + Justification: They complete phishing-resistant MFA and provide a justification for why they need the role (e.g., “deploying new compliance policy”).
04 Approval (Optional): For Global Admin, a second person can be required to approve the request before it activates, giving you two-person control.
05 Timed Access: The role is active for 15 to 60 minutes, then automatically revoked. Every elevation, approval, and expiry is recorded in the Entra ID audit log.
✅ Key Outcome: A stolen credential no longer immediately grants admin control. The attacker would also need to pass phishing-resistant MFA (a hardware key they don’t have) and get a second person to approve the elevation. That’s not impossible, but it’s a completely different problem than “type in password, own the tenant.”
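The workflow above is not a matter of admin discipline; it is enforced by the role’s PIM settings, and those settings are themselves configuration you can version and audit. The block below is an added example, not code from the article or from Microsoft: it expresses the settings as the rule updates Microsoft Graph accepts for PATCH /policies/roleManagementPolicies/{policyId}/rules/{ruleId} (maximum activation of one hour, MFA plus justification on activation, a named approver, and no permanent active assignment), builds the self-activation request the PIM portal submits on the admin’s behalf, and checks that request against the rules the same way PIM will. The user and approver IDs in the usage section are placeholders; the Global Administrator ID is the published role template ID.

```python
"""PIM settings for a privileged role as Graph role-management policy rules,
plus the self-activation request and a check of it against those rules."""
import re
from datetime import datetime, timezone

GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"  # built-in role template ID


def pim_rule_updates(approver_user_ids, max_activation="PT1H"):
    """Bodies keyed by rule ID for PATCH .../roleManagementPolicies/{policyId}/rules/{ruleId}."""
    approvers = [{"@odata.type": "#microsoft.graph.singleUser", "userId": uid}
                 for uid in approver_user_ids]
    return {
        # Activations expire; the default allows up to 8 hours, cap it at max_activation.
        "Expiration_EndUser_Assignment": {
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
            "id": "Expiration_EndUser_Assignment",
            "isExpirationRequired": True,
            "maximumDuration": max_activation,
        },
        # Activation requires MFA and a written justification.
        "Enablement_EndUser_Assignment": {
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
            "id": "Enablement_EndUser_Assignment",
            "enabledRules": ["MultiFactorAuthentication", "Justification"],
        },
        # Two-person control: a named approver signs off on every activation.
        "Approval_EndUser_Assignment": {
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
            "id": "Approval_EndUser_Assignment",
            "setting": {
                "isApprovalRequired": True,
                "isApprovalRequiredForExtension": False,
                "isRequestorJustificationRequired": True,
                "approvalMode": "SingleStage",
                "approvalStages": [{
                    "approvalStageTimeOutInDays": 1,
                    "isApproverJustificationRequired": True,
                    "escalationTimeInMinutes": 0,
                    "isEscalationEnabled": False,
                    "primaryApprovers": approvers,
                    "escalationApprovers": [],
                }],
            },
        },
        # No permanent active assignment: standing Global Admin must expire.
        "Expiration_Admin_Assignment": {
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
            "id": "Expiration_Admin_Assignment",
            "isExpirationRequired": True,
            "maximumDuration": "P15D",  # shortest option the portal offers
        },
    }


def activation_request(principal_id, role_definition_id, justification, duration="PT1H"):
    """Body for POST /roleManagement/directory/roleAssignmentScheduleRequests."""
    return {
        "action": "selfActivate",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",  # whole tenant
        "justification": justification,
        "scheduleInfo": {
            "startDateTime": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "expiration": {"type": "afterDuration", "duration": duration},
        },
    }


def _iso_minutes(duration):
    """Minutes in an ISO 8601 duration of the shapes PIM uses (P15D, PT1H, PT30M)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", duration)
    if not m:
        raise ValueError("unsupported duration: " + duration)
    days, hours, mins = (int(x or 0) for x in m.groups())
    return days * 1440 + hours * 60 + mins


def check_activation(request, rules):
    """Evaluate a request against the rules: violations (request does not comply),
    whether a second person must approve, and the active window in minutes."""
    violations = []
    if "Justification" in rules["Enablement_EndUser_Assignment"]["enabledRules"] \
            and not (request.get("justification") or "").strip():
        violations.append("justification required")
    exp = rules["Expiration_EndUser_Assignment"]
    asked = _iso_minutes(request["scheduleInfo"]["expiration"]["duration"])
    if exp["isExpirationRequired"] and asked > _iso_minutes(exp["maximumDuration"]):
        violations.append(f"requested {asked} min exceeds maximum {exp['maximumDuration']}")
    approval = rules["Approval_EndUser_Assignment"]["setting"]["isApprovalRequired"]
    return {"violations": violations, "approval_required": approval, "active_minutes": asked}


if __name__ == "__main__":
    rules = pim_rule_updates(["22222222-2222-2222-2222-222222222222"])  # placeholder approver
    req = activation_request("33333333-3333-3333-3333-333333333333",       # placeholder admin
                             GLOBAL_ADMIN, "deploying new compliance policy", "PT45M")
    print(check_activation(req, rules))
```

The policy ID for a given role comes from GET /policies/roleManagementPolicyAssignments filtered on scopeId '/', scopeType 'DirectoryRole', and the role definition ID; apply the same four rule updates to Intune Administrator and Privileged Role Administrator, not only Global Administrator.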
The Geopolitical Context (And Why It Matters Beyond Iran)
The Stryker attack didn’t happen in a vacuum. Handala targeted Stryker specifically because of its 2019 acquisition of OrthoSpace, an Israeli medical technology company, framing it as a “Zionist-rooted corporation” in their manifesto. The attack is widely understood as retaliation for U.S. military involvement in the ongoing Iran conflict.
But here’s the thing security teams need to understand: geopolitical targeting criteria shift constantly. Iranian officials have publicly warned they will expand targeting to U.S. companies with ties to Israel, including acquisitions, partnerships, and investment relationships. That’s a wider net than most organizations realize.
More importantly, the technique used here has nothing to do with Iran. Compromising an admin account and issuing wipe commands is available to any attacker, nation-state or otherwise: ransomware groups, insider threats, disgruntled former employees. The controls that would have stopped Handala are the same controls that stop everyone else.
Your Action List
If you’re running Microsoft Intune and Entra ID, regardless of your organization’s size, here’s where to start this week:
1. Enable Multi-Admin Approval in Intune. This is the single highest-impact control for preventing mass destructive actions. It should be on everywhere.
2. Audit your current role assignments. Who has Global Admin? Who has Intune Administrator? Are those permanent? Should they be?
3. Turn on PIM for privileged roles. At minimum, Global Admin and Intune Administrator should be eligible-only, never permanent.
4. Review your BYOD enrollment policy. Consider migrating personal devices from MDM to MAM-only policies.
5. Set up alerts for bulk wipe commands. Any wipe of more than 3 to 5 devices in a short window should fire an immediate notification.
6. Create and document your break-glass accounts. You don’t want to be figuring this out during an incident.
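Item 5 is the one control on this list that needs logic rather than a toggle, so here it is worked through. The block below is an added example, not code from the article: it runs a bulk-wipe detector over Intune audit events in the shape Microsoft Graph returns from deviceManagement/auditEvents (activityType, actor, resources). The exact activityType string Intune records for a wipe is an assumption, so the matcher keys on the verb “wipe” case-insensitively; the events themselves are constructed for the example and are not Stryker telemetry. The detector reports, per actor, the densest window that reaches the threshold, and it generalizes the article’s “3 to 5 devices in a short window” to any threshold and window so you can also run a slow-and-low pass.

```python
"""Bulk-wipe detection over Intune audit events (Graph auditEvent shape)."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_wipe(event):
    """Successful wipe actions only. Intune names remote actions like
    "Wipe ManagedDevice" (assumed; casing varies), so match on the verb."""
    return "wipe" in event.get("activityType", "").lower() \
        and event.get("activityResult", "Success") == "Success"


def detect_bulk_wipes(events, threshold=5, window=timedelta(minutes=10)):
    """One alert per actor whose densest `window` holds >= threshold wipes,
    highest count first. Retire/sync/failed actions are ignored."""
    by_actor = defaultdict(list)
    for e in events:
        if not is_wipe(e):
            continue
        actor = e.get("actor", {})
        who = actor.get("userPrincipalName") or actor.get("applicationDisplayName", "unknown")
        devices = [r.get("displayName", "?") for r in e.get("resources", [])]
        by_actor[who].append((_ts(e["activityDateTime"]), devices))
    alerts = []
    for who, items in by_actor.items():
        items.sort(key=lambda t: t[0])
        best, i = None, 0
        for j, (tj, _) in enumerate(items):
            while tj - items[i][0] > window:  # slide the window start forward
                i += 1
            n = j - i + 1
            if n >= threshold and (best is None or n > best[0]):
                best = (n, i, j)
        if best:
            n, i, j = best
            alerts.append({
                "actor": who,
                "count": n,
                "first": items[i][0].isoformat(),
                "last": items[j][0].isoformat(),
                "devices": [d for _, ds in items[i:j + 1] for d in ds],
            })
    return sorted(alerts, key=lambda a: -a["count"])


def _event(ts, actor, activity, device, result="Success"):
    return {"activityDateTime": ts, "activityType": activity, "activityResult": result,
            "actor": {"userPrincipalName": actor},
            "resources": [{"displayName": device, "type": "ManagedDevice"}]}


# Constructed sample: routine helpdesk activity plus one account wiping six
# devices in under four minutes. Not real telemetry.
SAMPLE_EVENTS = [
    _event("2026-03-11T02:14:05Z", "helpdesk1@corp.example", "Wipe ManagedDevice", "LAPTOP-0417"),
    _event("2026-03-11T05:40:11Z", "helpdesk1@corp.example", "SyncDevice ManagedDevice", "LAPTOP-0418"),
    _event("2026-03-11T06:02:50Z", "helpdesk1@corp.example", "Wipe ManagedDevice", "IPHONE-2200", "Failure"),
    _event("2026-03-11T09:02:33Z", "helpdesk1@corp.example", "Wipe ManagedDevice", "IPHONE-2201"),
] + [
    _event(f"2026-03-11T{t}Z", "itadmin@corp.example", "Wipe ManagedDevice", f"DEV-{k:04d}")
    for k, t in enumerate(["03:01:02", "03:01:47", "03:02:10", "03:03:05", "03:03:59", "03:04:44"])
]

if __name__ == "__main__":
    for a in detect_bulk_wipes(SAMPLE_EVENTS):
        print(f"ALERT {a['actor']}: {a['count']} wipes {a['first']} .. {a['last']} {a['devices']}")
```

Run it twice: once with a tight window and the article’s threshold (five in ten minutes catches the burst above), and once with a long window and a low threshold (two in eight hours) to catch an attacker pacing wipes to stay under the first rule. In Sentinel the same grouping is a summarize by actor over a time bin on the IntuneAuditLogs table; the point of the sliding window here is that a fixed bin boundary can split a burst in two and miss it.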
These aren’t exotic controls. They’re built into the Microsoft stack you’re already paying for. The gap at most organizations isn’t capability. It’s configuration.
Stryker had the tool. They just hadn’t put the guardrails on it. Don’t be Stryker.