Microsoft Intune Under Attack: What the Stryker Breach Means for Your Business

Reza

If your business uses Microsoft 365 and manages employee devices through Microsoft Intune, you need to read this.

On March 11, 2026, medical technology giant Stryker Corporation suffered a devastating cyberattack that wiped nearly 80,000 devices - computers, phones, tablets - across their global operations. The attack disrupted manufacturing, delayed surgeries for patients awaiting medical devices, and brought a Fortune 500 company to its knees.

The weapon? Microsoft Intune's own device management features, turned against the company by attackers who gained admin access.

Now, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning every organization that uses Intune to harden their configurations immediately. This isn't a theoretical threat. It's happening now, and small businesses are just as vulnerable as Fortune 500 companies.

What Happened at Stryker

The timeline tells the story.

In the early morning hours of March 11, 2026, attackers with compromised administrator credentials created a new Global Administrator account in Stryker's Microsoft environment. Using that elevated access, they logged into Microsoft Intune - the cloud-based tool Stryker uses to manage and secure employee devices.

Once inside Intune, the attackers used a built-in feature called "wipe" - designed to let IT administrators remotely erase lost or stolen devices - and pushed that command to approximately 80,000 endpoints across Stryker's global network.

Computers went blank. Phones reset to factory settings. Work disappeared.

The Iranian-linked hacktivist group Handala claimed responsibility, stating the attack was retaliation for an incident in Iran. Before wiping the devices, the attackers claim they exfiltrated 50 terabytes of corporate data.

The impact? Stryker couldn't process orders. They couldn't manufacture products. They couldn't ship to customers. Hospitals waiting for surgical equipment had to delay procedures.

This wasn't ransomware demanding payment. This was a wiper attack designed to cause maximum damage.

Why This Matters to Small Businesses

You might think, "We're not a Fortune 500 company. Why would hackers target us?"

That's exactly what makes you vulnerable.

Microsoft Intune is widely used by businesses of all sizes - any company with Microsoft 365 Business Premium or Enterprise licenses likely has Intune available, whether you know it or not. If you manage employee devices remotely, set up mobile device policies, or use conditional access rules, you're probably using Intune.

The same features that help you manage devices - remote wipe, app deployment, security policies - become weapons if an attacker gains administrator access. And unlike large enterprises with dedicated security teams, many small businesses don't have the resources to monitor for suspicious admin activity or enforce strict controls on privileged accounts.

Attackers know this. They scan for misconfigured systems, test for weak credentials, and exploit the fact that small businesses often run with minimal security hardening.

How the Attack Works

Understanding the attack chain helps you defend against it.

Step 1: Initial Compromise

Attackers gain access to an administrator account, typically through phishing, credential stuffing (using passwords leaked from other breaches), or exploiting unpatched vulnerabilities. For Stryker, researchers believe attackers compromised an existing admin account first.

Step 2: Privilege Escalation

Once inside with basic admin access, the attackers create a new Global Administrator account. This gives them unrestricted control over the Microsoft environment, including Intune.

Step 3: Reconnaissance

The attackers explore the environment, identify which devices are enrolled in Intune, and plan their attack. In Stryker's case, they spent time exfiltrating data before executing the wipe.

Step 4: Execution

Using Intune's remote wipe feature - a legitimate management tool - the attackers send wipe commands to every enrolled device. The devices comply because the command comes from a trusted administrator account through a trusted management platform.

Step 5: Damage

Devices erase themselves. Data is gone. Systems are offline. Operations grind to a halt.

The elegant, terrifying aspect of this attack is that it uses legitimate features. There's no malware to detect, no suspicious file to block. The threat comes from abuse of trusted administrative tools.

CISA's Warning and Recommendations

On March 18, 2026, CISA issued an urgent alert warning all U.S. organizations to harden their endpoint management systems, specifically calling out Microsoft Intune.

CISA's message is blunt: "We are aware of malicious cyber activity targeting endpoint management systems of U.S. organizations." They're not waiting for more victims - they're trying to prevent the next wave of attacks.

Here's what CISA and Microsoft recommend you implement immediately.

1. Enforce Least Privilege Access

Not every IT admin needs full Global Administrator rights. Microsoft Intune includes role-based access control (RBAC) that lets you assign granular permissions.

For example:

  • Help desk staff who reset passwords don't need device wipe permissions
  • Application deployment admins don't need the ability to modify security policies
  • Most day-to-day IT tasks can be handled with specialized roles, not Global Admin access

Review every admin account in your organization. Ask: "What does this person actually need to do?" Then assign only those specific permissions.

Many small businesses default to giving everyone in IT "full admin" because it's simpler. That convenience becomes a liability when an account is compromised.

2. Require Multi-Factor Authentication (MFA) for All Admin Accounts

If you take away one thing from this article, make it this: every administrator account must have MFA enabled. No exceptions.

When attackers compromised Stryker's admin account, MFA would have stopped the attack cold. Even with a stolen password, the attacker couldn't log in without the second factor.

Microsoft Entra ID (formerly Azure AD) makes this straightforward:

  • Navigate to the Microsoft Entra admin center
  • Go to Conditional Access policies
  • Create a policy requiring MFA for all users with admin roles
  • Apply immediately

If you're not sure how to set this up, your IT support provider can configure it in minutes.

3. Implement Multi-Admin Approval for High-Risk Actions

This is the control that would have stopped the Stryker attack entirely.

Microsoft Intune supports multi-admin approval, requiring a second administrator to review and approve sensitive changes before they take effect. High-risk actions include:

  • Device wipes
  • App deployments
  • RBAC modifications
  • Security policy changes

With multi-admin approval enabled, the attacker's wipe command would have sat in a pending state, waiting for a second admin to approve it. Your legitimate IT team would have seen the unauthorized request and blocked it.

Microsoft expanded this feature in 2026 to cover more policy types, including configuration policies and compliance policies. If your Intune environment doesn't have this enabled, you're exposed.

4. Use Conditional Access to Restrict Admin Sign-Ins

Conditional Access policies let you set additional requirements before allowing admin sign-ins. For example:

  • Require admin logins to come from specific trusted IP addresses (your office, VPN)
  • Block admin access from countries where you don't operate
  • Require compliant, managed devices for admin access (no signing in from personal phones)

These policies add friction, but that friction stops attackers who've compromised credentials but don't have physical access to your trusted locations and devices.
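As an added worked example (not from the article, nor from Microsoft), here is what the admin sign-in policies from sections 2 and 4 look like as Microsoft Graph Conditional Access policy bodies built in Python: require MFA, require a compliant managed device, and block admin sign-ins from outside trusted named locations. The role template IDs are Entra's built-in values; the break-glass account object ID is a placeholder you must replace, and the Graph call assumes you already hold a token with the Policy.ReadWrite.ConditionalAccess permission.

```python
import json
import urllib.request

GRAPH_CA = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Entra built-in directory role template IDs (identical in every tenant).
ADMIN_ROLES = {
    "Global Administrator": "62e90394-69f5-4237-9190-012177145e10",
    "Privileged Role Administrator": "e8611ab8-c189-46e8-94e1-60213ab1f814",
    "Intune Administrator": "3a2c62db-5318-420d-8d74-23affee5d9d5",
    "Security Administrator": "194ae4cb-b126-40b2-bd5b-6091b380977d",
}


def admin_policy(name, controls, break_glass, untrusted_only=False,
                 state="enabledForReportingButNotEnforced"):
    """Build one Conditional Access policy body scoped to admin role holders.

    Break-glass account object IDs are excluded so a bad policy cannot lock
    every admin out. `state` defaults to report-only so the policy can be
    checked against sign-in logs before it is switched to "enabled".
    """
    policy = {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeRoles": list(ADMIN_ROLES.values()),
                      "excludeUsers": list(break_glass)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "AND", "builtInControls": list(controls)},
    }
    if untrusted_only:
        # Apply only when the sign-in does NOT come from a trusted named location.
        policy["conditions"]["locations"] = {"includeLocations": ["All"],
                                             "excludeLocations": ["AllTrusted"]}
    return policy


def admin_hardening_policies(break_glass):
    """The three admin sign-in policies described in sections 2 and 4."""
    return [
        admin_policy("CA01 Admins: require MFA", ["mfa"], break_glass),
        admin_policy("CA02 Admins: require compliant managed device",
                     ["compliantDevice"], break_glass),
        admin_policy("CA03 Admins: block sign-in outside trusted locations",
                     ["block"], break_glass, untrusted_only=True),
    ]


def create_policy(access_token, policy):
    """POST one policy body to Graph and return the created policy object."""
    req = urllib.request.Request(
        GRAPH_CA, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder object ID: replace with your break-glass account(s).
    for p in admin_hardening_policies(["00000000-0000-0000-0000-000000000000"]):
        print(json.dumps(p, indent=2))
```

Leave the policies in report-only state until the sign-in logs confirm that only the intended admin sign-ins would be affected, then switch `state` to `enabled`.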

5. Monitor Admin Activity and Enable Alerts

You need visibility into what your admins are doing. Microsoft Entra ID logs all administrative actions, but logs don't help if nobody reviews them.

Set up alerts for suspicious activity:

  • New Global Administrator accounts created
  • Admin sign-ins from unusual locations
  • Bulk device wipes or policy changes
  • Failed MFA attempts for admin accounts

Many small businesses lack the staff to monitor logs 24/7. Managed security service providers can handle this, watching for anomalies and alerting you immediately when something looks wrong.
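To show what the four alerts above look like as detection logic, here is an added example (not from the article, and not a Microsoft tool) that runs rules over a constructed, simplified event stream of the kind a SIEM would normalise from Entra directory audit logs ("Add member to role"), Entra sign-in logs and Intune device-action audit events; the event field names, accounts and thresholds are assumptions for the example, and the sample data mirrors the attack chain the article describes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified events (not real log output): a new Global Admin is
# created, signs in from an unexpected country with MFA failures, then wipes.
SAMPLE_EVENTS = [
    {"ts": "2026-03-11T02:03:10Z", "type": "role_assign", "actor": "it.admin@corp.example",
     "target": "svc-recovery@corp.example", "role": "Global Administrator"},
] + [
    {"ts": f"2026-03-11T02:0{i}:00Z", "type": "signin", "actor": "svc-recovery@corp.example",
     "country": "NL", "mfa": "failed" if i < 8 else "ok"} for i in range(5, 9)
] + [
    {"ts": f"2026-03-11T02:10:{i:02d}Z", "type": "device_wipe",
     "actor": "svc-recovery@corp.example", "device": f"LAPTOP-{i:03d}"} for i in range(12)
]

KNOWN_ADMINS = {"it.admin@corp.example"}   # accounts already holding admin roles
ALLOWED_COUNTRIES = {"US"}                  # where your admins legitimately sign in


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, known_admins=KNOWN_ADMINS, allowed=ALLOWED_COUNTRIES,
           wipe_threshold=10, window=timedelta(minutes=15), mfa_fail_threshold=3):
    """Return (rule, actor, detail) alerts for the four conditions in section 5."""
    admins = set(known_admins)
    alerts, seen_loc = [], set()
    mfa_failures = defaultdict(int)
    wipes = defaultdict(list)          # actor -> wipe timestamps inside the window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] == "role_assign" and e["role"] == "Global Administrator":
            admins.add(e["target"])    # watch the newly created admin from now on
            alerts.append(("NEW_GLOBAL_ADMIN", e["actor"], e["target"]))
        elif e["type"] == "signin" and e["actor"] in admins:
            if e["country"] not in allowed and (e["actor"], e["country"]) not in seen_loc:
                seen_loc.add((e["actor"], e["country"]))   # one alert per new location
                alerts.append(("ADMIN_SIGNIN_UNUSUAL_LOCATION", e["actor"], e["country"]))
            if e["mfa"] == "failed":
                mfa_failures[e["actor"]] += 1
                if mfa_failures[e["actor"]] == mfa_fail_threshold:
                    alerts.append(("ADMIN_MFA_FAILURES", e["actor"], mfa_fail_threshold))
        elif e["type"] == "device_wipe":
            t, recent = parse_ts(e["ts"]), wipes[e["actor"]]
            recent.append(t)
            while t - recent[0] > window:          # drop wipes older than the window
                recent.pop(0)
            if len(recent) == wipe_threshold:      # fire once as the threshold is crossed
                alerts.append(("BULK_WIPE", e["actor"], wipe_threshold))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The bulk-wipe rule fires on the tenth wipe within fifteen minutes; tune the threshold to your own device-retirement volume so that a legitimate offboarding batch does not page you while a run like the one described above still does.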

6. Implement Privileged Access Workstations (PAWs)

For businesses with the resources, dedicated privileged access workstations provide an additional layer of security. These are hardened devices used exclusively for administrative tasks - no email, no web browsing, no day-to-day work.

This prevents attacks where an admin clicks a phishing link on their regular workstation and inadvertently compromises their admin credentials.

For smaller businesses, a simpler version is to require admins to use separate, non-admin accounts for daily work and only switch to admin accounts when performing actual administrative tasks.

What to Do Right Now

If you're reading this and your stomach is sinking because you're not sure how your Intune environment is configured, here's your action plan.

Today:

  1. Verify MFA is enabled for all administrator accounts. If not, enable it immediately.
  2. Review who has Global Administrator access. Remove anyone who doesn't absolutely need it.
  3. Check if multi-admin approval is configured for device wipes and other high-risk actions.

This Week:

  1. Audit all administrator accounts and their assigned roles. Apply least-privilege principles.
  2. Set up Conditional Access policies to restrict admin sign-ins.
  3. Configure alerting for suspicious admin activity.
  4. Test your incident response procedures - what would you do if devices started wiping?

This Month:

  1. Conduct a full review of your Microsoft 365 and Intune security posture.
  2. Document your admin approval processes.
  3. Train your team on recognizing phishing and social engineering attempts targeting admin accounts.
  4. Consider engaging a managed IT service provider if you lack internal expertise.

The Bigger Picture: Trusted Tools as Attack Vectors

The Stryker attack represents a troubling trend in cybersecurity. Attackers are moving away from sophisticated malware and toward abuse of legitimate administrative tools.

Why? Because it works.

When an attacker deploys ransomware, antivirus software might catch it. Security tools flag suspicious file activity. Alerts trigger.

But when an attacker uses Intune's built-in wipe feature with valid admin credentials? The system sees a legitimate command from a legitimate account using a legitimate feature. There's nothing to flag. The attack looks like normal administrative activity until it's too late.

This is why identity security has become the most critical aspect of cybersecurity. Protecting your admin accounts is protecting your entire environment.

Industry-Specific Considerations

Certain industries face additional risks and compliance requirements when it comes to endpoint management security.

Healthcare Organizations: If you're managing medical devices or systems that fall under HIPAA, a device wipe could result in loss of protected health information. HIPAA requires documented controls for system access and audit trails for administrative actions. Implementing multi-admin approval and detailed logging isn't just good security - it's a compliance requirement.

Car Dealerships: Under the FTC Safeguards Rule, dealerships must implement access controls and monitor for unauthorized access to customer information systems. Your Intune configuration needs to align with your Safeguards Rule information security program, including safeguards for administrative access to systems containing customer financial data.

Legal and Financial Services: These industries face strict requirements around data protection and system access controls. A compromised Intune environment could result in wholesale loss of privileged client information, triggering notification requirements and potential malpractice claims.

Common Mistakes That Leave You Vulnerable

From working with businesses across Orange County, we see these same Intune security mistakes repeatedly:

Mistake 1: Assuming Microsoft's defaults are secure enough
Out of the box, Microsoft Intune prioritizes ease of use over maximum security. That's appropriate for many businesses, but it means you need to actively harden the configuration. Default settings don't include multi-admin approval or restrictive Conditional Access policies.

Mistake 2: Too many Global Administrators
We routinely see small businesses with 5-10 Global Administrator accounts for a 20-person company. Every Global Admin account is a potential attack vector. Most organizations need 2-3 break-glass Global Admin accounts, with day-to-day work handled through specialized roles.

Mistake 3: No monitoring or alerting
If you can't see what your admins are doing, you can't detect when an attacker impersonates an admin. Logging is useless if nobody reviews the logs or responds to alerts.

Mistake 4: Weak passwords without MFA
"We use strong passwords" is not a security control in 2026. Passwords get phished, leaked, and cracked. MFA prevents unauthorized access even when passwords are compromised.

Mistake 5: No incident response plan for admin account compromise
When (not if) you suspect an admin account is compromised, what do you do? Who do you call? How do you lock down the environment? Most businesses have no documented process, leading to chaos and delayed response when minutes matter.

Getting Professional Help

For many small businesses, the technical depth required to properly secure Microsoft Intune exceeds internal IT capabilities. That's not a criticism - it's reality. You're running a business, not a cybersecurity operation.

Consider professional IT security support if:

  • You're not sure how to configure Conditional Access policies
  • You don't have time to monitor admin activity logs
  • Your team doesn't have expertise in Microsoft Entra ID security features
  • You need compliance with HIPAA, FTC Safeguards, or other regulatory frameworks
  • You want 24/7 monitoring and response capabilities

At Burgi Technologies, we specialize in securing Microsoft 365 environments for Orange County businesses. We can audit your current Intune configuration, implement CISA's recommended hardening measures, and provide ongoing monitoring to detect suspicious admin activity before it becomes a breach.

We respond in 30 seconds, not hours, because when an attacker is actively wiping devices, every second counts.

Frequently Asked Questions

Does this attack only affect large companies?

No. Any organization using Microsoft Intune is potentially vulnerable, regardless of size. Attackers often target small and medium businesses specifically because they typically have weaker security controls than large enterprises.

How can I tell if my business uses Microsoft Intune?

If you have Microsoft 365 Business Premium, Microsoft 365 E3, or higher licenses, you have access to Intune. Check your Microsoft 365 admin center under "Endpoint Manager" or "Devices." If you can access it, you're using (or could be using) Intune.

What if I don't know my current Intune security settings?

Start by accessing the Microsoft Intune admin center (endpoint.microsoft.com). Navigate to "Users" and check how many Global Administrators you have. Then review Conditional Access policies under Microsoft Entra ID. If you're not comfortable reviewing these settings, contact your IT provider or a managed security service provider for an audit.

Is multi-admin approval required by law?

Not currently required by regulation, but it represents a best practice that CISA and Microsoft strongly recommend. For regulated industries like healthcare and finance, implementing multi-admin approval demonstrates you're taking reasonable and appropriate security measures, which is often a compliance requirement.

What should I do if I think my admin account has been compromised?

Immediately revoke all sessions for the compromised account through Microsoft Entra ID, reset the password, enable MFA if not already active, and review recent administrative actions to identify any malicious changes. Consider engaging an incident response team to conduct a full investigation. If you suspect data was accessed or devices were wiped, you may have breach notification obligations depending on your industry.

Don't Wait for an Attack

The Stryker breach is a wake-up call. Endpoint management platforms like Microsoft Intune have become high-value targets because they provide attackers with powerful capabilities once compromised.

You don't need to be a Fortune 500 company to implement the security controls that would have prevented this attack. Multi-factor authentication, least-privilege access, multi-admin approval, and Conditional Access policies are available to businesses of all sizes.

What you can't afford is waiting until you're the next headline.

If you need help securing your Microsoft Intune environment, implementing CISA's recommendations, or building a comprehensive security program for your business, we're here to help. Call (949) 381-1010 or visit our contact page to schedule a security assessment.

Your devices, your data, and your business operations depend on the strength of your administrative controls. Make sure they're up to the challenge.

About Burgi Technologies
Burgi Technologies is an Orange County managed service provider specializing in cybersecurity and IT support for small and medium businesses. We maintain 100% client retention through 30-second average response times and proactive security management. Our expertise includes Microsoft 365 security, endpoint management, HIPAA compliance, FTC Safeguards Rule compliance, and comprehensive managed IT services.
