
Post-Mortem

When the Security Tool Becomes the Weapon

Rory Ganness

March 13, 2026


TLDR

On March 11, 2026, Handala wiped approximately 80,000 endpoints across Stryker's global network using Microsoft Intune — the company's own device management platform. No malware. No novel exploit. A compromised administrator credential, a management console with no dual-approval requirement, and a security architecture that evaluates each control plane independently. This analysis maps the attack across the 10 Control Planes framework and surfaces the dimension most post-incident coverage misses: the wipe didn't just destroy the devices — it destroyed the forensic surface.

The Stryker Microsoft Intune Attack as a Case Study


March 11, 2026. Early morning. Devices across Stryker's global network begin going dark. Login screens replaced by a single image — the logo of Handala, a pro-Iran hacktivist group. Approximately 80,000 endpoints wiped across 79 countries. No malware deployed. The wipe command came from Microsoft Intune — the MDM platform Stryker used to manage those devices. (Krebs on Security, BleepingComputer, March 2026)


Every security control in scope saw valid traffic. The admin credential was legitimate — until it wasn't. The Intune console was a sanctioned application. The remote wipe API call was authenticated, rate-compliant, and structurally indistinguishable from a routine IT operation. Four control planes cleared it. None of them were designed to ask what the command was actually doing.


This document maps the attack through the 10 Control Planes framework. Five planes were in scope. The through-line most coverage misses: the wipe wasn't just the attack. The wipe destroyed the forensic surface. EDR telemetry, endpoint artifacts, local logs — gone. Four controls cleared valid traffic. The investigation that followed had almost nothing to work with.


The Attack


How the Stryker Breach Actually Worked

Stryker confirmed that the attack on March 11, 2026, affected its Microsoft environment globally. No ransomware. No malware. The company's own regulatory filing described a disruption to its Microsoft environment, language that security practitioners immediately read as a cloud management platform compromise rather than a conventional network intrusion. (Stryker SEC filing / TechCrunch, March 2026)


According to sources cited by BleepingComputer and KrebsOnSecurity, the attack sequence ran as follows: the attacker compromised an existing administrator account — likely through phishing or infostealer malware — then created a new Global Administrator account to establish persistent access. From there, the attacker accessed Stryker's Microsoft Intune management console and issued legitimate remote wipe commands across every enrolled device. Handala claims to have wiped over 200,000 systems and extracted 50 terabytes of data before executing the destructive phase. The scale figures have not been independently verified. Stryker's own accounting confirmed tens of thousands of devices. (BleepingComputer / KrebsOnSecurity, March 2026)


The technique required no novel exploit. Intune's remote wipe functionality exists precisely to factory-reset lost or stolen corporate devices. The attacker obtained administrative access and used the tool as designed — at scale, simultaneously, across 79 countries. CISA confirmed awareness of the Intune vector and issued guidance on hardening endpoint management systems in response. (CISA advisory, March 19, 2026)


No malware deployed. No novel exploit. A legitimate administrative function, executed by a compromised identity, cleared by every control in scope. The security tool became the weapon.

The MDM Dimension


Why the Blast Radius Extends Beyond the Endpoint

The standard post-incident framing focuses on credential hygiene and MFA. That framing is correct. It is also incomplete.


Microsoft Intune is not a peripheral tool. In enterprise environments it is the central authority for device compliance, software deployment, and remote management. A compromised Intune console is not a compromised application — it is a compromised management plane for the entire device fleet. The attacker didn't need to touch individual endpoints. The console did it for them.


There is a secondary dimension that most coverage does not address. When Intune issues a remote wipe, the device returns to factory settings. Everything on that device — including EDR agents, endpoint telemetry, local logs, and forensic artifacts — is gone. The wipe doesn't just destroy the device. It destroys the evidence of what happened on it. In environments without centralised log aggregation ahead of the wipe event, the forensic surface for the investigation is structurally degraded before anyone knows an investigation is needed.


Stryker had no indication of ransomware or malware per its own statement. That is accurate. It also means the attack left almost no artefact trail of the kind enterprise security tooling is designed to collect. The investigation starts with tens of thousands of blank devices and a management console log that shows authenticated administrative activity.


The Blast Radius Map


Five Planes. Five Blind Spots.

The Stryker attack crossed five control planes. Each plane had a detection tool. Each tool was functioning as designed. None of them were designed to see what a compromised MDM administrator looks like from the inside of a sanctioned management console.

PLANE  NAME                TOOL                 RING    STATUS
01     Identity            IAM / RBAC           Middle  ACTIVE
02     Token               Secret Scanning      Middle  ACTIVE
03     SaaS                CASB                 Outer   ACTIVE
04     API                 API Gateway          Middle  ACTIVE
08     Endpoint            EDR                  Inner   ACTIVE — then gone
05     Data Pipeline       Data Observability   Middle  ABSENT
06     Cloud               CSPM                 Inner   ABSENT
07     Model Supply Chain  SCA / SBOM           Inner   ABSENT
09     Embedded Copilot    DLP                  Outer   ABSENT
10     Agentic Workflow    SIEM / SOAR          Outer   ABSENT


Plane 01

Identity Plane — IAM / RBAC

Middle Ring · Elevated


What this plane governs

Users, service accounts, OAuth grants, delegated access, RBAC scopes. IAM and RBAC answer: who has access, and when was it granted? They were not designed to evaluate whether the behaviour behind a valid credential matches the purpose for which that access was provisioned.


What the attacker does here

The attacker compromised an existing administrator account — likely via phishing or infostealer malware. IAM validated the credential. A new Global Administrator account was then created from inside the authenticated session. Every subsequent action authenticated normally. Two valid identities. One of them the attacker's. IAM had no mechanism to distinguish between them. (BleepingComputer, March 2026)


Decision or action at this layer

Which identity to use. What privileges to claim. The answer: global administrator — the highest permission tier in the Microsoft environment. IAM validated it on every call.

The visibility gap

IAM confirmed validity. It had no framework to ask whether the behaviour matched the purpose of the access. An administrator creating a second administrator account then issuing wipe commands at scale — each step individually authenticated, none flagged. Control without behavioural evaluation becomes permission without accountability.


Blast radius reduction

Require a second administrator's approval for high-impact Intune actions — wipe, retire, factory reset.

CISA's post-incident guidance specifically called this out: sensitive or high-impact changes in Intune should require dual-admin authorisation before execution. A single compromised identity should not be sufficient to issue mass wipe commands. The workflow still executes — it just requires a second valid human decision before the irreversible action fires. (CISA advisory, March 19, 2026)


What most environments actually have

  • Administrator accounts are routinely provisioned with broad permissions and rarely scoped down once created. Non-human identities already outnumber human identities in most enterprise environments. (AWARE Framework, 2025)

  • Credential-based breaches cost an average $4.67M and take 246 days to identify and contain. The global average breach cost fell to $4.44M in 2025 — the first decline in five years. (IBM, 2025)

  • Infostealer malware is the dominant credential theft vector for cloud admin accounts. Handala created a new Global Admin account post-compromise to extend dwell time. (BleepingComputer, 2026)
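The dual-admin authorisation described under "Blast radius reduction" for this plane, as an added worked example (not Stryker's, Microsoft's or CISA's code). It models a gate that holds wipe, retire and factory-reset requests until a second, distinct administrator approves, and it takes the page's own detail seriously: the attacker created a fresh Global Administrator, so the approver roster is registered out of band rather than derived from whoever currently holds the role, and a minimum approver-account age is enforced as a second check. All identities, dates, the roster and the 30-day age threshold are constructed assumptions.

```python
"""Dual-control gate for irreversible MDM actions.

Added example (not Stryker's, Microsoft's or CISA's code): a wipe / retire /
factory-reset request is held until a second administrator approves it.
Identities, dates and the approver roster are constructed; the 30-day minimum
approver-account age is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Intune actions the page treats as high-impact and irreversible.
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "factoryReset"}


@dataclass
class Admin:
    upn: str                 # constructed, e.g. alice@example.test
    created_at: datetime     # when the account was provisioned


@dataclass
class ActionRequest:
    action: str
    device_ids: List[str]
    requested_by: str
    approved_by: Optional[str] = None


class DualControlGate:
    """Second-person approval for destructive actions.

    The approver roster is registered out of band (change-controlled), so a
    Global Administrator created inside the tenant during the intrusion is
    not an eligible approver, and even a roster member must be older than
    min_approver_age before their approval counts.
    """

    def __init__(self, approvers: List[Admin],
                 min_approver_age: timedelta = timedelta(days=30)):
        self.approvers: Dict[str, Admin] = {a.upn: a for a in approvers}
        self.min_approver_age = min_approver_age

    def evaluate(self, req: ActionRequest, now: datetime) -> Tuple[bool, str]:
        """Return (may_execute, reason). Only destructive actions need a second person."""
        if req.action not in DESTRUCTIVE_ACTIONS:
            return True, "non-destructive action; single administrator suffices"
        if req.approved_by is None:
            return False, "held: awaiting second administrator"
        if req.approved_by == req.requested_by:
            return False, "rejected: requester cannot approve their own request"
        approver = self.approvers.get(req.approved_by)
        if approver is None:
            return False, "rejected: approver is not on the registered roster"
        if now - approver.created_at < self.min_approver_age:
            return False, "rejected: approver account is newer than the minimum age"
        return True, "approved: executing under dual control"


def demo() -> List[Tuple[str, bool, str]]:
    """Walk the gate through the cases the incident makes relevant."""
    now = datetime(2026, 3, 11, 6, 0, tzinfo=timezone.utc)
    roster = [Admin("alice@example.test", now - timedelta(days=400)),
              Admin("bob@example.test", now - timedelta(days=400)),
              Admin("carol@example.test", now - timedelta(days=2))]   # legitimately added, but new
    gate = DualControlGate(roster)
    results = []

    # 1. A single admin issues a wipe: held, nothing fires.
    req = ActionRequest("wipe", ["d-0001"], requested_by="alice@example.test")
    results.append(("no second admin",) + gate.evaluate(req, now))
    # 2. A Global Admin created minutes earlier, never registered as an approver.
    req.approved_by = "ga-new@example.test"
    results.append(("unregistered admin",) + gate.evaluate(req, now))
    # 3. A roster member whose account is younger than the minimum age.
    req.approved_by = "carol@example.test"
    results.append(("approver too new",) + gate.evaluate(req, now))
    # 4. The requester approving their own request.
    req.approved_by = "alice@example.test"
    results.append(("self-approval",) + gate.evaluate(req, now))
    # 5. A distinct, long-standing approver: the action executes.
    req.approved_by = "bob@example.test"
    results.append(("bob approves",) + gate.evaluate(req, now))
    # 6. Routine, non-destructive action needs no second person.
    sync = ActionRequest("syncDevice", ["d-0001"], requested_by="alice@example.test")
    results.append(("sync",) + gate.evaluate(sync, now))
    return results


if __name__ == "__main__":
    for label, ok, why in demo():
        print(f"{label:20s} {'EXECUTE' if ok else 'BLOCK  '} {why}")
```

The point of the roster and age checks is that "two valid identities" is not the same as "two people": if the second administrator can be minted from inside the compromised session, a naive requester-is-not-approver rule is satisfied by the attacker alone.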



Plane 02

Token Plane — Secret Scanning

Middle Ring · Elevated


What this plane governs

Bearer tokens, API keys, session tokens, JWTs. Secret scanning was built to prevent accidental credential exposure in code repositories and CI/CD pipelines. It assumes tokens are accidentally exposed — not inherited by a compromised process operating with valid runtime authority.


What the attacker does here

The attacker operated with the session tokens of the compromised administrator account. Those tokens were never written to a repository. Secret scanning never saw them. The tokens provided access to the Intune management console, Microsoft Graph API, Entra ID administration, and connected Microsoft 365 services — all through credentials that were valid, active, and unrotated at the time of the attack. (BleepingComputer / KrebsOnSecurity, March 2026)


Decision or action at this layer

Which tokens to use. How far they reach across connected Microsoft services. The answer: as far as a global administrator goes — which in a fully deployed M365 environment is effectively the entire tenant.

The visibility gap

The credential was not stolen from a repository. It was inherited by an attacker operating inside an authenticated session. Secret scanning has no visibility into runtime token use. The token was valid. The session was authenticated. The access was authorised. No rule fired.


Blast radius reduction

Enforce Privileged Identity Management — require just-in-time elevation for global administrator roles.

Permanent global administrator assignments create standing token authority that persists indefinitely. PIM-enforced just-in-time elevation limits the window during which a compromised credential carries maximum privilege. A stolen credential outside an active elevation window carries significantly reduced scope.


What most environments actually have

  • Long-lived administrator session tokens are the de facto standard in most M365 environments. Token rotation and just-in-time elevation are documented best practices that most organisations have not implemented for cloud admin accounts.

  • 39 million secrets were exposed across GitHub in 2024. 35% of discovered API keys were still active at time of detection. The Stryker attack didn't need a repository — the token was in use in a live session. (GitHub / Nightfall AI, 2024)

  • The credential was not stolen from a file. It was present in a legitimate admin session that the attacker was operating inside. Secret scanning has no category for that scenario.



Plane 03

SaaS Plane — CASB

Outer Ring · Highest Blast Radius


What this plane governs

Enterprise SaaS applications — M365, Intune, Entra ID, Teams. CASB governs which platforms users are permitted to access. It evaluates application classification: sanctioned or unsanctioned. It was not built to evaluate what is executing inside an approved application on behalf of a valid identity.


What the attacker does here

The attacker accessed Microsoft Intune — a fully sanctioned, CASB-approved enterprise application. All traffic to the Intune console looked identical to legitimate IT administrator activity. CASB saw an approved application, an authenticated identity, and normal-looking HTTPS traffic. It had no protocol for distinguishing an IT administrator running a single device wipe from an attacker running 80,000 simultaneous wipe commands.


Decision or action at this layer

Which sanctioned platforms to access. What operations to issue from within them. CASB approved the application. It never asked what the application was being used to do.

The visibility gap

Shadow AI here doesn't look unsanctioned. Neither did this attack. The Intune console was approved. The identity was valid. CASB had no framework for evaluating the blast radius of what happens when a sanctioned management tool is operated by a compromised identity at scale.


Blast radius reduction

Apply anomaly detection scoped to administrative action volume — not just application classification.

An IT administrator issuing a remote wipe command against one device is normal. The same administrator issuing wipe commands against 80,000 devices simultaneously is outside every defined behavioural envelope. Rate-based and volume-based anomaly detection at the application layer — tied to the identity issuing the commands, not just the application being accessed — creates an alert surface that application classification alone cannot.


What most environments actually have

  • CASB tools classify applications as sanctioned or unsanctioned. They have no protocol for evaluating administrative action volume or blast radius within approved applications. (UpGuard, 2025)

  • Microsoft Intune is deployed across tens of thousands of enterprise environments globally. Most organisations do not have anomaly detection configured for Intune administrative actions outside of standard Microsoft Secure Score recommendations.

  • CASB approved the application. It never asked what the application was being used to destroy.


Plane 04

API Plane — API Gateway

Middle Ring · Elevated


What this plane governs

Programmatic access between systems via REST, GraphQL, gRPC. API gateways validate authentication, enforce rate limits, and confirm endpoint availability. They were not designed to evaluate the semantic intent of authenticated API calls or the operational consequence of payload execution.


What the attacker does here

The attacker issued remote wipe commands through the legitimate Microsoft Intune API — the same API endpoint that IT administrators use for authorised device management. Every call was authenticated. Every call passed rate-limiting checks. Every call reached a valid endpoint. The gateway evaluated the envelope. The payload was a factory reset instruction directed at enrolled devices. The gateway had no framework for that distinction. (Cybersecurity Dive, March 2026)


Decision or action at this layer

Which API endpoint to call. How many wipe commands to issue. The gateway cleared every one. Authenticated. Valid. Irreversible.

The visibility gap

The gateway asked every question it was built to ask. None of them were about what the payload would do to 80,000 devices. A compromised administrator issuing mass wipe commands through the Intune management API is indistinguishable from a legitimate bulk management operation. The API gateway has no model for that.


Blast radius reduction

Flag bulk destructive API operations for human review before execution — regardless of authentication status.

A single remote wipe API call is routine. A burst of thousands of identical wipe calls issued within a short execution window is structurally anomalous. Payload structure detection — flagging bulk destructive operations for queued review before execution — creates a confirmation step that does not exist in standard Intune API configurations.


What most environments actually have

  • API gateways validate authentication and enforce rate limits. Payload semantic evaluation and blast-radius assessment are not standard gateway functions. (Traceable AI, Salt Security, 2025)

  • 95% of API attacks originate from authenticated sessions — valid credentials, no anomaly detected. A compromised administrator account fits this profile exactly. (Salt Security, 2025)

  • The Intune remote wipe API is designed for mass operations — it has no native constraint on the number of devices that can be wiped in a single session without additional approval workflows configured by the deploying organisation.
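The two controls recommended for the SaaS plane (volume anomaly detection tied to the issuing identity, Plane 03) and the API plane (holding bulk destructive operations for review before execution, Plane 04) share the same core logic, so here they are as one added worked example, run over constructed audit lines. This is not Microsoft's, CISA's or Stryker's code; the JSON event shape is a deliberately simplified stand-in, not the real Intune audit-log schema, and the window and thresholds are assumptions a deployment would tune against its own baseline.

```python
"""Volume-based detection and pre-execution gating for MDM wipe commands.

Added example (not Microsoft's, CISA's or Stryker's code). The JSON event
shape is a constructed simplification, not the real Intune audit-log schema;
WINDOW, PER_ADMIN_ENVELOPE and BULK_REVIEW_THRESHOLD are assumptions.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional

DESTRUCTIVE = {"wipe", "retire", "factoryReset"}
WINDOW = timedelta(minutes=10)   # assumed sliding window
PER_ADMIN_ENVELOPE = 5           # assumed max destructive actions per admin per window
BULK_REVIEW_THRESHOLD = 5        # assumed batch size above which human review is required


def parse_event(line: str) -> Dict:
    """Parse one constructed audit line into a typed event."""
    e = json.loads(line)
    return {"ts": datetime.fromisoformat(e["ts"]), "actor": e["actor"],
            "activity": e["activity"], "device": e["device"]}


class WipeVolumeDetector:
    """Plane 03: count destructive actions per issuing identity, not per application.

    One wipe from an admin is routine; more than the envelope inside the window
    is outside any normal IT day, however sanctioned the console and however
    valid the session.
    """

    def __init__(self, window: timedelta = WINDOW, envelope: int = PER_ADMIN_ENVELOPE):
        self.window, self.envelope = window, envelope
        self._recent: Dict[str, Deque[datetime]] = defaultdict(deque)

    def observe(self, ev: Dict) -> Optional[Dict]:
        if ev["activity"] not in DESTRUCTIVE:
            return None                      # syncs, policy pushes etc. are not counted
        q = self._recent[ev["actor"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > self.window:
            q.popleft()                      # drop actions that aged out of the window
        if len(q) > self.envelope:
            return {"actor": ev["actor"], "count": len(q), "at": ev["ts"], "device": ev["device"]}
        return None


def run_detector(lines: List[str]) -> List[Dict]:
    """Replay audit lines in order and return every alert raised."""
    det = WipeVolumeDetector()
    alerts = []
    for line in lines:
        alert = det.observe(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


def gate_batch(events: List[Dict], threshold: int = BULK_REVIEW_THRESHOLD) -> Dict[str, Dict]:
    """Plane 04: before execution, hold any actor's destructive batch that targets
    more than `threshold` distinct devices. Authentication status is not consulted."""
    per_actor: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        if ev["activity"] in DESTRUCTIVE:
            per_actor[ev["actor"]].append(ev["device"])
    return {actor: {"decision": "hold_for_review" if len(set(devs)) > threshold else "execute",
                    "devices": sorted(set(devs))}
            for actor, devs in per_actor.items()}


# Constructed sample: two routine wipes by the IT admin over a working day,
# then an eight-device burst from a newly created Global Admin at 04:00 UTC.
T0 = datetime(2026, 3, 11, 4, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [
    json.dumps({"ts": "2026-03-10T09:12:00+00:00", "actor": "it-admin@example.test",
                "activity": "wipe", "device": "d-0101"}),
    json.dumps({"ts": "2026-03-10T13:40:00+00:00", "actor": "it-admin@example.test",
                "activity": "syncDevice", "device": "d-0102"}),
    json.dumps({"ts": "2026-03-10T16:05:00+00:00", "actor": "it-admin@example.test",
                "activity": "wipe", "device": "d-0103"}),
] + [
    json.dumps({"ts": (T0 + timedelta(seconds=15 * i)).isoformat(), "actor": "ga-new@example.test",
                "activity": "wipe", "device": f"d-{1000 + i}"})
    for i in range(8)
]

if __name__ == "__main__":
    for a in run_detector(SAMPLE_LINES):
        print(f"ALERT {a['at'].isoformat()} {a['actor']} {a['count']} wipes in window")
    for actor, verdict in gate_batch([parse_event(l) for l in SAMPLE_LINES]).items():
        print(f"{actor}: {verdict['decision']} ({len(verdict['devices'])} devices)")
```

On the sample, the IT admin's two wipes hours apart never exceed the envelope, while the new Global Admin's burst trips the detector at the sixth wipe and the gate holds the whole batch; in a real deployment the gate sits in front of the API call and the detector consumes the centralised audit stream, so both decisions are made before, not after, the devices go dark.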


Plane 08

Endpoint Plane — EDR

Inner Ring · Conditional


What this plane governs

User devices and corporate endpoints enrolled in MDM. EDR platforms detect malicious binaries, anomalous process behaviour, and exploitation patterns. Their detection models are trained on malware signatures and human-initiated attack techniques.


What the attacker does here

EDR was running on the endpoints. The wipe payload was not malware. It was a legitimate MDM command issued from the Intune console to the Intune agent installed on each device. The agent received an authenticated instruction from its management server and executed it as designed. EDR had nothing to flag. The device wiped. The EDR agent wiped with it. (SecureWorld / BleepingComputer, March 2026)


Decision or action at this layer

EDR had no decision to make. The wipe command arrived as a legitimate MDM instruction. The process that executed it was the Intune Company Portal — a trusted, signed Microsoft application. EDR cleared it. Then it was gone.

The visibility gap

This is where the attack becomes self-covering. Traditional wiper detection looks for anomalous disk writes and known malware signatures. An attack that weaponises native MDM wipe functionality appears as a legitimate administrative action — until the device is factory-reset and the forensic surface is gone with it.


Blast radius reduction

Forward EDR telemetry and endpoint logs to centralised SIEM in near-real-time — before, not after, a wipe event.

If endpoint telemetry exists only on the endpoint, a mass wipe destroys the investigation. Centralised log aggregation — with EDR events and authentication logs forwarded to SIEM continuously — ensures the forensic record survives the wipe event.


What most environments actually have

  • EDR detects malware signatures and anomalous process behaviour. A trusted MDM agent executing an authenticated wipe command has no malware signature and no anomalous process behaviour. It is a legitimate operation. (OWASP ASI02 — EDR Bypass via Tool Chaining, 2025)

  • In most enterprise environments, EDR telemetry is forwarded to SIEM periodically. A mass wipe event that outpaces the forwarding window destroys the forensic record before the investigation begins.

  • Employees who enrolled personal devices in Stryker's corporate MDM program lost personal data in this incident — a blast radius extending beyond corporate assets. (BleepingComputer, March 2026)



The Framework


The 10 Control Planes at a Glance

An attacker operating inside a sanctioned management console is not a point-in-time event. It is a process that moves — authenticating across identity planes, inheriting tokens, accessing SaaS tools, issuing API calls, destroying endpoint evidence — across control planes that were never designed to coordinate against it. Each plane has a detection tool. Each tool had a different answer. None of them were designed to see this.


The 10 Control Planes framework maps how this kind of activity crosses enterprise security architecture. The Stryker attack activated four planes simultaneously. The fifth — Endpoint — was active until the wipe removed it from the equation.


10 Control Planes Blast Radius Map


The Through-Line


Four control planes were active. Each one did exactly what it was designed to do. IAM validated the identity. The session tokens were legitimate. CASB approved the application. The API gateway cleared every call. Every tool was functioning. None of them were designed for this.


The attack did not require a zero-day. It did not require novel malware. It required a compromised administrator credential, a management console with no dual-approval requirement for destructive operations, and a security architecture that evaluates each plane independently rather than asking what the sum of valid activity actually means.


The secondary dimension is the part that most post-incident analysis will not fully address. The wipe destroyed the forensic surface. EDR telemetry went with the devices. Endpoint artifacts went with the devices. Local logs went with the devices. The investigation begins with a management console audit trail showing authenticated administrative activity and approximately 80,000 blank machines. The destruction was not just the payload. It was also the cleanup.


The credential hygiene argument is correct. MFA, PIM-enforced just-in-time elevation, dual-approval workflows for destructive operations — all of these would have reduced the blast radius or prevented the attack. They are also controls that most enterprise environments have documented as best practices and not yet fully implemented. The entry point was a compromised credential. The visibility gap is structural. The first problem has a well-understood remediation path. The second exists regardless of whether this specific attack vector is ever used again.


Sources & Citations


  1. Krebs on Security — 'Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker', March 2026. https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/

  2. BleepingComputer — 'CISA warns businesses to secure Microsoft Intune systems after Stryker breach', March 19, 2026. https://www.bleepingcomputer.com/news/security/cisa-warns-businesses-to-secure-microsoft-intune-systems-after-stryker-breach/

  3. TechCrunch — 'Stryker says it's restoring systems after pro-Iran hackers wiped thousands of employee devices', Zack Whittaker, March 17, 2026. https://techcrunch.com/2026/03/17/stryker-says-its-restoring-systems/

  4. TechCrunch — 'CISA urges companies to secure Microsoft Intune systems after hackers mass-wipe Stryker devices', Zack Whittaker, March 19, 2026. https://techcrunch.com/2026/03/19/cisa-urges-companies-to-secure-microsoft-intune/

  5. NBC News — 'Iran appears to have conducted a significant cyberattack against a U.S. company', March 2026. https://www.nbcnews.com/world/iran/iran-appears-conducted-significant-cyberattack-us-company-first-war-st-rcna263084

  6. Cybersecurity Dive — 'Stryker attack raises concerns about role of device management tool', March 2026. https://www.cybersecuritydive.com/news/stryker-attack-device-management-microsoft-iran/814816/

  7. SecureWorld — 'Iran-Linked Hacktivist Group Hits Stryker in Destructive Wiper Attack', March 2026. https://www.secureworld.io/industry-news/iran-linked-hacktivist-group-weaponizes-microsoft-intune-in-destructive-wiper-attack-on-stryker

  8. CISA Advisory — Guidance on securing Microsoft Intune endpoint management systems, March 19, 2026. https://www.cisa.gov/

  9. Stryker Corporation — SEC 8-K regulatory filing, March 2026. Confirmed attack 'contained to the company's internal Microsoft environment.'

  10. Microsoft — Intune administrative hardening guidance published post-incident, March 2026.

  11. IBM Cost of a Data Breach Report 2025 — Credential-based breaches: average cost $4.67M, 246 days to identify and contain. Global average breach cost $4.44M — first decline in five years.

  12. AWARE Framework / Work AI Institute — Non-human identities outnumber human users in most enterprise environments. Service account over-provisioning. 2025.

  13. GitHub / Nightfall AI — 39 million secrets exposed across GitHub in 2024. 35% of discovered API keys still active at time of detection. 2024.

  14. Traceable AI / Salt Security — 95% of API attacks originate from authenticated sessions. 57% of organisations experienced API-related breach in prior two years. 2025.

  15. Mandiant / IBM — Infostealer malware as primary credential theft vector for cloud administrator accounts. Stolen credentials typically active weeks before detection. 2025.

  Endpoint & SaaS Planes

  16. OWASP Top 10 for Agentic Applications — ASI02: EDR Bypass via Tool Chaining, 2025. https://owasp.org/www-project-top-10-for-large-language-model-applications/

  17. UpGuard — CASB tool classification limitations: sanctioned vs. unsanctioned application categorisation does not extend to runtime evaluation of activity within approved applications. 2025.

  18. Palo Alto Networks — Handala threat actor profile: linked to Iran's Ministry of Intelligence and Security (MOIS). Opportunistic targeting, supply-chain footholds, proof-of-destruction focus. 2026.

  19. Check Point Research — Handala group attribution and operational profile, March 2026.

  20. Ganness, R. — 'Shadow AI: The 10 Control Planes', Threat Briefing, 2025.

  21. Ganness, R. — 'Shadow AI: The Blast Radius Map', 2025.

  22. Ganness, R. — 'The Security Implications of SharePoint in the Agentic AI Era', CVE-2026-20963 Case Study, March 2026.

