The Stryker cyberattack, which occurred on March 11, 2026, exemplifies the critical threat posed by the weaponization of legitimate IT tools, specifically Microsoft Intune. This incident saw an Iran-linked threat group, Handala, gain administrative control over Stryker's Microsoft environment and leverage Intune's inherent capabilities to initiate a destructive remote wipe across tens of thousands of corporate and personal devices globally, causing widespread operational disruption without deploying traditional malware or exploiting a zero-day vulnerability.
Attack Overview: The Stryker Incident
On March 11, 2026, employees at Stryker, a major medical technology company, discovered their devices had been wiped, replaced with a logo of a barefoot boy holding a slingshot. This attack targeted the company's Microsoft-based identity and device management infrastructure, resulting in a global network disruption affecting critical internal systems for manufacturing, logistics, and order processing. The attack chain for the Stryker incident, as reported by various security researchers, primarily involved initial access through sophisticated means, followed by privilege escalation and the subsequent weaponization of Microsoft Intune.
Initial Access and Privilege Escalation
While the exact initial access vector has not been officially confirmed by Stryker, industry consensus points to methods such as Adversary-in-the-Middle (AiTM) phishing, VPN brute-force with lateral movement, or supply chain compromise through a third-party vendor. Regardless of the initial breach, the attackers successfully compromised an administrative account within Stryker's Microsoft Entra ID (formerly Azure AD) and created a new Global Administrator account, granting them persistent, full control over the Microsoft 365 environment, including Intune. This administrative identity compromise is a recurring theme in modern attacks, where adversaries target privileged accounts to leverage legitimate tools for malicious ends.
Intune as the Destructive Control Plane
The defining characteristic of the Stryker attack was the deliberate misuse of Microsoft Intune's remote wipe functionality. With elevated privileges, the attackers issued factory reset commands to enrolled devices in numbers reported at between approximately 80,000 and more than 200,000, including corporate laptops, workstations, and personal mobile devices enrolled in the company's BYOD program. This action caused unprecedented destruction, rendering devices inoperable and deleting all data, including personal files on BYOD devices. The critical point is that Intune executed these commands as legitimate administrative actions, so traditional endpoint security solutions that focus primarily on malware signatures had nothing to detect.
```powershell
# Example of a PowerShell command for device wipe, which could be orchestrated via Intune
# This is a conceptual representation of the underlying action Intune performs.
# Actual attacker interaction might be through the Intune console or Graph API.

# Get all Intune managed devices
$devices = Get-MsolDevice | Where-Object { $_.DeviceManagementStatus -eq "Managed" }

# Iterate and initiate remote wipe (example for illustrative purposes, typically done via policy or group action)
foreach ($device in $devices) {
    # This represents the action taken by a compromised Intune admin
    # In a real scenario, this would be a high-impact policy deployment or a direct API call.
    # The actual Intune API call for a wipe would be more complex and involve Graph API.
    # Example (conceptual): Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices('$($device.ObjectId)')/wipe"
    Write-Host "Initiating wipe for device: $($device.DisplayName) ($($device.DeviceId))"
    # Placeholder for actual wipe command
}
```
Weaponizing Microsoft Intune Features
Microsoft Intune, a core component of Microsoft Endpoint Manager, offers extensive capabilities for endpoint management, policy enforcement, application deployment, and security. However, these very features, when controlled by a malicious actor with sufficient privileges, can be repurposed for destructive or persistent operations.
Remote Wipe and Retire
As demonstrated in the Stryker attack, the remote wipe feature is a potent tool for disruption. It allows administrators to factory reset a device, removing all corporate data, user data, and even resetting the operating system in some cases. The 'Retire' function, while less destructive, removes corporate data and unenrolls the device from Intune, severing its management link. Both functions are legitimate and critical for device lifecycle management (e.g., lost/stolen devices, employee offboarding), but can be devastating in the wrong hands.
Script Deployment and Policy Manipulation
Intune allows administrators to deploy PowerShell scripts to managed Windows devices, often with SYSTEM privileges, via features like Proactive Remediations (now Remediations) or compliance scripts. A compromised Intune administrator can leverage this to deploy arbitrary malicious scripts for various objectives:
- Lateral Movement: Executing commands on remote systems.
- Persistence: Creating new administrative accounts, modifying system configurations, or deploying backdoors.
- Data Exfiltration: Running scripts to collect and send sensitive data to attacker-controlled infrastructure.
- Privilege Escalation: Modifying existing scripts or policies to elevate privileges on targeted devices or within Entra ID.
The DeviceManagementConfiguration.ReadWrite.All Microsoft Graph API permission is particularly sensitive, as it grants its holder control over Intune-managed devices and the identities associated with them. Mandiant's red team demonstrated how this permission could be abused for lateral movement to Privileged Access Workstations (PAWs) by modifying device management scripts.
Endpoint Privilege Management (EPM)
Microsoft Intune's Endpoint Privilege Management (EPM) allows standard users to perform tasks requiring elevated privileges, such as installing applications or updating drivers, without granting them full local administrator rights. While a security enhancement, EPM policies themselves can become a target. If an attacker gains control over EPM configuration, they could create or modify elevation rules to allow unapproved applications to run with administrative privileges, bypassing least privilege principles. EPM supports different elevation behaviors:
- Automatic: Elevation occurs invisibly.
- User Confirmed: Requires user confirmation, optionally with authentication or business justification.
- Support Approved: Requires administrator approval for elevation requests.
A malicious actor could theoretically modify 'Automatic' elevation rules or approve 'Support Approved' requests for their own tools if they control the Intune environment.
CVEs and Intune Components
While the Stryker attack did not explicitly rely on a known CVE, understanding vulnerabilities in Intune components is crucial. For instance, CVE-2021-31980 is a Remote Code Execution (RCE) vulnerability affecting the Microsoft Intune Management Extension. This flaw allows an unauthenticated attacker to execute arbitrary code on affected systems via network-based attacks without user interaction. Such vulnerabilities could provide initial access or a means to escalate privileges, laying the groundwork for broader Intune weaponization.
| CVE ID | Component | Vulnerability Type | Impact | Description |
|---|---|---|---|---|
| CVE-2021-31980 | Microsoft Intune Management Extension | Remote Code Execution (RCE) | Unauthenticated attacker can execute arbitrary code on affected systems. Significant risk to enterprise endpoint management. | RCE vulnerability allowing unauthenticated, network-based code execution on systems running the Intune Management Extension. |
| (Various) | Microsoft Malware Protection Engine (affecting Intune Endpoint Protection) | Remote Code Execution, Memory Corruption | Malware Protection Engine not properly scanning specially crafted files. | A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption. |
Mitigation Strategies and Defensive Controls
Preventing the weaponization of legitimate IT tools like Intune requires a multi-layered security approach focusing on identity, access, and robust monitoring. The Stryker incident underscores the need to treat endpoint management platforms as critical control planes.
Privileged Access Management (PAM) and Multi-Factor Authentication (MFA)
- Phishing-Resistant MFA: Enforcing strong, phishing-resistant MFA for all administrative and privileged accounts (especially those with Intune/Entra ID roles) is paramount. This helps prevent initial access even if credentials are compromised.
- Just-in-Time (JIT) Access: Implement JIT privileged access, ensuring that standing administrative permissions do not exist by default. Instead, grant elevated access only when needed and for a limited duration.
- Privileged Identity Management (PIM): Utilize Microsoft Entra ID PIM for managing, controlling, and monitoring access to important resources. This includes approval workflows, review processes, and time-bound assignments for privileged roles.
Granular Role-Based Access Control (RBAC)
- Least Privilege: Adhere strictly to the principle of least privilege for all Intune roles and permissions. Review and limit who has administrative privileges in your endpoint management and identity platforms.
- Scope Tags: Leverage Intune's Scope Tags to limit role assignments to specific sets of devices or users. This restricts the blast radius of a compromised account.
- Review Permissions: Regularly review Entra ID service principals and application registrations for sensitive permissions like DeviceManagementConfiguration.ReadWrite.All.
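The permission review in the list above, carried out in code as an added example (not code from the original article). Graph returns app role assignments as appRoleId GUIDs that must be resolved against the Microsoft Graph service principal's appRoles before they mean anything, so the example resolves them, flags the Intune permissions the page discusses, and compares holders against an approval register. All GUIDs, application names and the register are constructed placeholders.

```python
# Constructed inputs shaped like what a Graph review needs: the Microsoft Graph
# service principal's appRoles (id -> permission value) and each tenant app's
# appRoleAssignments (appRoleId GUIDs). The GUIDs are placeholders, not real ids.
ROLE_IDS = {
    "11111111-0000-4000-8000-000000000001": "DeviceManagementConfiguration.ReadWrite.All",
    "11111111-0000-4000-8000-000000000002": "DeviceManagementManagedDevices.PrivilegedOperations.All",
    "11111111-0000-4000-8000-000000000003": "DeviceManagementManagedDevices.Read.All",
    "11111111-0000-4000-8000-000000000004": "User.Read.All",
}
SERVICE_PRINCIPALS = [
    {"displayName": "inventory-reporter",
     "appRoleAssignments": ["11111111-0000-4000-8000-000000000003"]},
    {"displayName": "legacy-automation",
     "appRoleAssignments": ["11111111-0000-4000-8000-000000000001",
                            "11111111-0000-4000-8000-000000000002"]},
    {"displayName": "offboarding-bot",
     "appRoleAssignments": ["11111111-0000-4000-8000-000000000002",
                            "deadbeef-0000-4000-8000-000000000099"]},
]
# Application permissions that let a caller change what managed devices run,
# wipe/retire them, or rewrite Intune RBAC; every holder needs a documented owner.
SENSITIVE = {
    "DeviceManagementConfiguration.ReadWrite.All": "modify device scripts and policies",
    "DeviceManagementManagedDevices.PrivilegedOperations.All": "wipe or retire devices",
    "DeviceManagementRBAC.ReadWrite.All": "change Intune role assignments",
}
# Constructed register of which apps are approved to hold which permission.
APPROVED = {"DeviceManagementManagedDevices.PrivilegedOperations.All": {"offboarding-bot"}}

def resolve(assignment_ids, role_ids=ROLE_IDS):
    """Turn appRoleId GUIDs into permission values; unknown ids stay visible."""
    return [role_ids.get(rid, f"UNKNOWN:{rid}") for rid in assignment_ids]

def review(sps, approved=APPROVED, sensitive=SENSITIVE, role_ids=ROLE_IDS):
    """One finding per app holding a sensitive or unresolvable permission,
    marking holders that are absent from the approved register."""
    findings = []
    for sp in sps:
        name = sp["displayName"]
        for perm in resolve(sp["appRoleAssignments"], role_ids):
            if perm.startswith("UNKNOWN:"):
                findings.append({"app": name, "perm": perm, "status": "unresolved"})
            elif perm in sensitive:
                ok = name in approved.get(perm, set())
                findings.append({"app": name, "perm": perm, "risk": sensitive[perm],
                                 "status": "approved" if ok else "unapproved"})
    return findings

def unapproved(sps, **kw):
    """Only the findings that need action: unapproved holders and unresolvable ids."""
    return [f for f in review(sps, **kw) if f["status"] != "approved"]
```

In a live review the two inputs come from the service principal and app role assignment endpoints in Graph; an unresolvable id usually means a permission on a resource other than Graph and deserves the same scrutiny.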
Controls for High-Risk Actions
- Multi-Admin Approval: Implement policies requiring a second administrator's approval for high-impact actions within Intune, such as mass device wipes, major policy changes, or script deployments. This significantly raises the bar for attackers.
- Conditional Access Policies (CAPs): Enforce CAPs based on user identity, device health, location, and sign-in risk to control access to Intune and related resources.
Monitoring and Detection
- Audit Logging and Reporting: Ensure comprehensive logging of all administrative actions within Intune and Entra ID. Integrate these logs with a Security Information and Event Management (SIEM) solution (e.g., Azure Sentinel) for centralized monitoring and anomaly detection.
- Behavioral Anomaly Detection: Configure alerts for suspicious activities, such as an unusual number of device wipes, bulk policy modifications, or logins by a Global Admin from unfamiliar locations or unmanaged devices.
- Graph API Activity Logs: Enable Microsoft Graph API activity logs to provide detailed information about HTTP requests made to Microsoft Graph resources, aiding in detection and response.
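The behavioural alerts described above, and the script-deployment abuse from the earlier section, as an added detection example (not code from the original article) run over constructed Intune-style audit records. Field names and activityType values are assumptions modelled loosely on the Graph auditEvents shape rather than a real export; the sample shows a helpdesk account doing routine work and a newly created admin creating a device management script and then issuing a burst of wipes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events; the field and activityType names are assumptions
# modelled loosely on the Graph auditEvents shape, not a real export.
def _ev(ts, activity, actor, res):
    return {"activityDateTime": ts, "activityType": activity,
            "actor": actor, "resourceId": res}

SAMPLE_EVENTS = [
    _ev("2026-03-11T01:10:00Z", "wipeManagedDevice", "helpdesk@example.com", "dev-0001"),
    _ev("2026-03-11T03:40:00Z", "retireManagedDevice", "helpdesk@example.com", "dev-0002"),
    _ev("2026-03-11T01:58:00Z", "createDeviceManagementScript", "newadmin@example.com", "script-77"),
] + [
    _ev(f"2026-03-11T02:00:{i * 7:02d}Z", "wipeManagedDevice", "newadmin@example.com", f"dev-{100 + i}")
    for i in range(8)
]

DESTRUCTIVE = {"wipeManagedDevice", "retireManagedDevice"}
# Script/policy changes that hand a compromised admin SYSTEM-level execution on endpoints
SCRIPT_CHANGES = {"createDeviceManagementScript", "patchDeviceManagementScript",
                  "createDeviceHealthScript", "patchDeviceHealthScript"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """One alert per actor who issued >= threshold wipe/retire actions
    inside any sliding window of `window` length."""
    by_actor = defaultdict(list)
    for e in events:
        if e["activityType"] in DESTRUCTIVE:
            by_actor[e["actor"]].append(_ts(e["activityDateTime"]))
    alerts = []
    for actor, times in by_actor.items():
        recent = deque()
        for t in sorted(times):
            recent.append(t)
            while t - recent[0] > window:       # drop events that fell out of the window
                recent.popleft()
            if len(recent) >= threshold:
                alerts.append({"actor": actor, "first": recent[0], "total": len(times)})
                break
    return alerts

def unexpected_actors(events, allowed):
    """Destructive or script-changing actions by anyone outside the allowlist, e.g. a new Global Admin."""
    return [e for e in events
            if e["activityType"] in DESTRUCTIVE | SCRIPT_CHANGES and e["actor"] not in allowed]
```

The same two rules translate directly into SIEM queries over the Intune audit log table once the real activityType values for the tenant are confirmed.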
Endpoint Security Hardening
- Intune Security Baselines: Deploy and maintain Intune security baselines and configuration profiles to enforce strong security settings across all managed devices.
- Patch Management: Regularly apply security updates to all Intune-managed devices and the Intune Management Extension to address known vulnerabilities like CVE-2021-31980.
- Endpoint Detection and Response (EDR): Integrate Intune with Microsoft Defender for Endpoint or other EDR solutions for advanced threat protection, vulnerability management, and automated investigation.