On the morning of March 11, 2026, employees at Stryker offices across 79 countries switched on their computers and found them blank. No ransom note. No countdown timer.
Just a logo of a barefoot boy holding a slingshot, and everything gone.
Manufacturing halted. Electronic ordering went dark. Eighty thousand devices, laptops, phones and tablets among them, factory-reset in a three-hour window while most of the company slept.
And when the forensics teams arrived to figure out how, the answer was almost insultingly simple…
Someone had used Microsoft Intune. The same platform your IT team likely runs today.
This is not a story about sophisticated zero-days or nation-state malware nobody’s heard of.
The tools that destroyed Stryker’s Microsoft environment were legitimate. Licensed. Documented in Microsoft’s own admin console.
What failed was not the technology. What failed was the governance around who could touch it, from what context, and with zero checks on what they could do with it.
If your organization runs Microsoft 365, Entra ID, or Intune, and most do, the architecture that was weaponized at Stryker almost certainly exists in your environment right now.
The question is whether you have closed the gaps that made it catastrophic, or whether you are still running the defaults.
What actually happened and why it worked
Attackers didn’t walk in through an unpatched vulnerability. They walked in through the front door, with stolen credentials, and found that the front door opened directly onto the control room.
The initial access almost certainly came through credential theft: phishing campaigns or infostealer malware harvesting login details from regular employee accounts.
Threat intelligence researchers later identified 278 sets of compromised Stryker credentials gathered between October 2025 and March 2026, with activity concentrated in the weeks immediately before the attack.
The first breach Stryker itself disclosed was back in December 2024, more than a year before the wipe. The attackers weren’t rushing; they were positioning.
Once inside Stryker’s Microsoft Entra ID environment, they compromised or created a Global Administrator account.
No privilege escalation through a vulnerability chain. No exotic lateral movement. They simply found, or created, an account that already had unrestricted access to everything, including Microsoft Intune’s Remote Wipe function.
- 80K devices wiped
- 3 hrs total attack window
- 79 countries affected
- $25B Stryker annual revenue
Between 5:00 and 8:00 a.m. UTC, the wipe commands went out. Intune executed them without hesitation because from the platform’s perspective, everything looked legitimate.
An authenticated administrator had issued a valid command. Endpoint detection tools found nothing to flag. There was no malware to quarantine. The platform did exactly what it was designed to do. Just for the wrong person.
Employees who had enrolled personal phones through Stryker’s BYOD program lost everything…
That included, beyond just corporate apps, photos, eSIMs, and the authenticator apps they used for personal banking. Those devices were enrolled in the same device management profile as corporate hardware. Same admin account. Same wipe command. Same result.
This was not a failure of Microsoft Intune. Intune behaved exactly as designed. The failure was the absence of controls around who could reach it, from what context, and with what level of authorization.
Khurram Hafeez, Senior Cloud Engineer, WME
The three gaps that turned access into catastrophe
Every post-incident analysis from CISA, Palo Alto Unit 42, and Microsoft’s DART team points to the same structural problems. None of them are exotic. All of them are common.
No phishing-resistant MFA on privileged accounts
Standard multi-factor authentication (push notifications, TOTP codes, SMS) is routinely bypassed through adversary-in-the-middle proxies and push-fatigue attacks.
The attackers almost certainly didn’t need to crack a password at all; they needed to relay the login through a proxy and capture the resulting session token, or simply trigger a push that the admin blindly approved.
Microsoft’s own research found that over 99% of compromised accounts in recent incidents lacked phishing-resistant authentication.
Most organizations can confirm MFA is “enabled.” Almost none can confirm it’s enforced specifically on every privileged account, on every admin portal, with no Conditional Access exceptions quietly creating a gap.
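One way to move from “MFA is enabled” to “phishing-resistant MFA is enforced for every privileged role on every portal” is a Conditional Access policy that uses Microsoft’s built-in Phishing-resistant MFA authentication strength, scoped to directory roles rather than to named users. The script below is an added example written for this post; it is not code from the original article, from WME, or from Microsoft. It uses the Microsoft Graph PowerShell SDK. The directory role template IDs and the built-in authentication strength ID are Microsoft’s well-known values; the policy name, the break-glass account object ID and the `ADMIN-01` naming are assumptions you should replace.

```powershell
# Added example (not from the original post): enforce phishing-resistant MFA on privileged
# Entra ID roles with a Conditional Access policy, created in report-only mode first so that
# the sign-in log shows who would be blocked before anyone actually is.
# Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All" -NoWelcome

# Well-known directory role template IDs (identical in every tenant).
$privilegedRoles = @{
    "Global Administrator"             = "62e90394-69f5-4237-9190-012177145e10"
    "Intune Administrator"             = "3a2c62db-5318-420d-8d74-23affee5d9d5"
    "Privileged Role Administrator"    = "e8611ab8-c189-46e8-94e1-60213ab1f814"
    "Security Administrator"           = "194ae4cb-b126-40b2-bd5b-6091b380977d"
    "Conditional Access Administrator" = "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9"
}
# Built-in authentication strength "Phishing-resistant MFA" (FIDO2/passkeys, Windows Hello for Business, certificates).
$phishingResistantStrengthId = "00000000-0000-0000-0000-000000000004"

# ASSUMPTION: object ID of an emergency-access (break-glass) account that is excluded here and
# protected by a hardware key kept offline. Replace with your own.
$breakGlassUserId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName   = "ADMIN-01 Require phishing-resistant MFA for privileged roles"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing report-only results
    conditions    = @{
        users          = @{
            includeRoles = @($privilegedRoles.Values)      # role-scoped, so new admins are covered automatically
            excludeUsers = @($breakGlassUserId)
        }
        applications   = @{ includeApplications = @("All") }  # every portal and API, not only the Azure portal
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $phishingResistantStrengthId }   # no builtInControls: strength replaces them
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Check: list every enabled policy that targets these roles with an authentication strength,
# together with the principals it excludes. Silent exclusions are the gap described above.
foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($p.State -ne "enabled" -or -not $p.GrantControls.AuthenticationStrength.Id) { continue }
    $targetsAdmins = $p.Conditions.Users.IncludeRoles | Where-Object { $privilegedRoles.Values -contains $_ }
    if (-not $targetsAdmins) { continue }
    $excluded = @($p.Conditions.Users.ExcludeUsers) + @($p.Conditions.Users.ExcludeGroups)
    "{0}: strength={1} excludedPrincipals={2}" -f $p.DisplayName, $p.GrantControls.AuthenticationStrength.Id, ($excluded -join ",")
}
```

Two design points: the policy targets roles, not a list of admin users, so an attacker who creates a fresh Global Administrator account inherits the requirement instead of escaping it; and the exclusion list is printed on purpose, because an excluded group whose membership drifts is exactly how “MFA is enforced” quietly stops being true.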
Standing admin privileges. No time limit, no approval, no trip wire
Stryker’s Global Administrator accounts held permanent, always-on access. When an attacker obtained those credentials, they didn’t trigger an approval workflow. They didn’t receive a time-bound activation window. They simply had access, to everything, with no checks on what they could do with it.
One account. One session. Global reach.
If Privileged Identity Management had been enforcing just-in-time access, a request to activate Global Admin at 4:50 a.m. would have been a signal. Instead, it was silence.
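Converting standing Global Administrator grants into PIM-eligible assignments is the change that turns “silence” into a signal, because every later use of the role has to go through an activation that is logged and can require approval. The script below is an added example for this post, not code from the original article, from WME or from Microsoft. It uses the Microsoft Graph PowerShell SDK (Identity Governance cmdlets). The Global Administrator role template ID is Microsoft’s well-known value; the break-glass account ID, the `$dryRun` switch and the one-year eligibility duration are assumptions.

```powershell
# Added example (not from the original post): find permanent (always-on) Global Administrator
# assignments and convert each one to a PIM-eligible assignment that must be activated just-in-time.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","Directory.Read.All" -NoWelcome

$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"
# ASSUMPTION: your break-glass account; it stays permanently assigned by design and is excluded below.
$breakGlassUserId  = "00000000-0000-0000-0000-000000000000"
$dryRun = $true   # set to $false to actually move the assignments

function Get-PrincipalName([string]$Id) {
    # Resolve an object ID to a UPN (users) or display name (groups/service principals).
    try {
        $o = Get-MgDirectoryObject -DirectoryObjectId $Id
        if ($o.AdditionalProperties['userPrincipalName']) { return $o.AdditionalProperties['userPrincipalName'] }
        return $o.AdditionalProperties['displayName']
    } catch { return $Id }
}

# Active assignment schedules cover both permanent grants and PIM activations; keep only the
# permanent ones: assignmentType 'Assigned' with no expiration.
$permanent = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All `
    -Filter "roleDefinitionId eq '$globalAdminRoleId'" |
    Where-Object { $_.AssignmentType -eq "Assigned" -and $_.ScheduleInfo.Expiration.Type -eq "noExpiration" }

foreach ($a in $permanent) {
    if ($a.PrincipalId -eq $breakGlassUserId) { continue }
    "Permanent Global Admin: $(Get-PrincipalName $a.PrincipalId)"
    if ($dryRun) { continue }

    # 1. Grant eligibility: the principal can activate the role, but holds nothing until it does.
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
        action           = "adminAssign"
        justification    = "Replace standing Global Admin with PIM just-in-time eligibility"
        roleDefinitionId = $globalAdminRoleId
        directoryScopeId = "/"
        principalId      = $a.PrincipalId
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString("o")
            expiration    = @{ type = "afterDuration"; duration = "P365D" }   # forces an annual re-review
        }
    } | Out-Null

    # 2. Remove the permanent active assignment so the eligibility is the only path to the role.
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
        action           = "adminRemove"
        justification    = "Standing assignment replaced by PIM eligibility"
        roleDefinitionId = $globalAdminRoleId
        directoryScopeId = "/"
        principalId      = $a.PrincipalId
    } | Out-Null
    "  -> converted to eligible"
}
```

Run it once with `$dryRun = $true` to get the list of standing admins, confirm each one is a named person who still needs the role, and only then flip the switch. The activation rules themselves (maximum activation time, approval, MFA on activation) live in the role’s PIM policy and are configured separately; eligibility without a short activation window and an approver still leaves a long-lived session once activated.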
No second approval required for destructive operations
A single authenticated administrator could issue a Remote Wipe command in Intune, to every enrolled device in the tenant, without a second person’s approval.
Microsoft ships this feature. CISA has now specifically cited enabling Multi Admin Approval for wipe operations as a critical control. At the time of the Stryker attack, it was available, documented, and not deployed.
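Intune exposes Multi Admin Approval as access policies: a policy type plus a group of approvers, and a request of that type does not execute until a second admin approves it. The script below is an added example for this post, not code from the original article, from WME or from Microsoft. It reads and creates these policies through the Microsoft Graph beta endpoint `deviceManagement/operationApprovalPolicies`, which is the only place MAA is exposed programmatically; `policyType` and `approverGroupIds` are the documented properties of that resource, but the `deviceAction` value used for the device-action policy type is an assumption taken from the documentation, so read back what your tenant already returns before relying on it. The approver group name is also an assumption.

```powershell
# Added example (not from the original post): inspect and create Intune Multi Admin Approval
# (access) policies. Intune MAA is only available in the /beta Graph surface.
# ASSUMPTION: the permission scope below and the policyType value "deviceAction" follow the
# beta documentation for operationApprovalPolicy; confirm against the GET output first.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All","Group.Read.All" -NoWelcome

$base = "https://graph.microsoft.com/beta/deviceManagement/operationApprovalPolicies"

# 1. What approval policies exist today? An empty list means one admin can wipe the fleet alone.
$existing = @((Invoke-MgGraphRequest -Method GET -Uri $base).value)
if ($existing.Count -eq 0) { "No Multi Admin Approval policies configured" }
foreach ($p in $existing) {
    "{0}: type={1} approvers={2}" -f $p.displayName, $p.policyType, (@($p.approverGroupIds) -join ",")
}

# 2. Create a policy for device actions (wipe/retire/delete) if none covers them.
# ASSUMPTION: a security group of approvers already exists with this display name. Its members
# should be administrators who are not the ones normally issuing the requests; Intune will not
# let a requester approve their own request.
$approverGroup = Get-MgGroup -Filter "displayName eq 'Intune-MAA-Approvers'" -Top 1
if (-not $approverGroup) { throw "Create the approver group first" }

$covered = $existing | Where-Object { $_.policyType -eq "deviceAction" }
if (-not $covered) {
    $body = @{
        "@odata.type"    = "#microsoft.graph.operationApprovalPolicy"
        displayName      = "Second approver required for device wipe/retire/delete"
        description      = "A single compromised admin account must not be able to wipe the fleet"
        policyType       = "deviceAction"          # ASSUMPTION: documented enum value for device actions
        approverGroupIds = @($approverGroup.Id)
    }
    $new = Invoke-MgGraphRequest -Method POST -Uri $base -Body ($body | ConvertTo-Json -Depth 5) -ContentType "application/json"
    "Created Multi Admin Approval policy $($new.id)"
}
```

Keep the approver group small, PIM-managed and protected by the same phishing-resistant policy as the role holders; an attacker who compromises one admin who is also an approver still cannot self-approve, but an attacker who controls the group membership can add a second puppet account.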
The Stryker team thought they were secure too. They found out they weren’t. You still have time to check before that sentence applies to you.
Now ask yourself about your own environment
This is where this post stops being about Stryker and starts being about you, because the gaps that enabled this attack are, according to WME security services experts, the defaults in most Intune environments.
- Who in your organization holds Global Administrator or Intune Administrator rights right now?
- Can you produce that list, with a named person and active job function attached to every account, within the hour?
- Are those privileged accounts protected with FIDO2 keys or passkeys, or just push-based MFA that an adversary-in-the-middle proxy can relay in real time?
- Does executing a Remote Wipe in your Intune tenant require a second administrator’s approval before it runs, or can one compromised account issue that command fleet-wide, right now?
- Do your admin accounts operate with standing, always-on access, or do they require just-in-time activation through Privileged Identity Management, with a time limit and an audit trail?
- Are changes to sensitive Entra ID groups and privileged role assignments monitored in real time, or would a new Global Admin account created at 3 a.m. go unnoticed until morning?
- Are your BYOD-enrolled personal devices subject to the same full-device wipe permissions as your corporate hardware? Do your employees know that?
If any of those answers is “I think so” rather than “yes, here’s proof”, you are carrying the same structural exposure that made Stryker’s attack possible.
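The questions above can all be answered from the tenant itself rather than from memory. The read-only audit below is an added example for this post, not code from the original article, from WME or from Microsoft. It uses the Microsoft Graph PowerShell SDK and a single beta call for the Intune access policies; the role template IDs and the built-in authentication strength ID are Microsoft’s well-known values, the seven-day look-back window is an assumption, and the output is plain text you can keep as evidence.

```powershell
# Added example (not from the original post): read-only audit of the privileged-access checklist.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All","Policy.Read.All",
                        "AuditLog.Read.All","DeviceManagementManagedDevices.Read.All",
                        "DeviceManagementConfiguration.Read.All" -NoWelcome

$roles = @{
    "Global Administrator" = "62e90394-69f5-4237-9190-012177145e10"
    "Intune Administrator" = "3a2c62db-5318-420d-8d74-23affee5d9d5"
}
$phishingResistantStrengthId = "00000000-0000-0000-0000-000000000004"

# Q1, Q2, Q5: who holds the roles, is it a named enabled account, and is the grant permanent?
foreach ($r in $roles.GetEnumerator()) {
    "== $($r.Key) =="
    $active   = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All -Filter "roleDefinitionId eq '$($r.Value)'"
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -Filter "roleDefinitionId eq '$($r.Value)'"
    foreach ($s in $active) {
        $obj  = Get-MgDirectoryObject -DirectoryObjectId $s.PrincipalId
        $name = $obj.AdditionalProperties['userPrincipalName']
        if (-not $name) { $name = "$($obj.AdditionalProperties['displayName']) (group/SP)" }
        $kind = if ($s.AssignmentType -eq "Activated") { "PIM-activated" }
                elseif ($s.ScheduleInfo.Expiration.Type -eq "noExpiration") { "PERMANENT" }
                else { "time-bound" }
        "  {0,-45} {1,-14} accountEnabled={2}" -f $name, $kind, $obj.AdditionalProperties['accountEnabled']
    }
    "  eligible (just-in-time) principals: $(@($eligible).Count)"
}

# Q3: is phishing-resistant MFA enforced for those roles, and who is excluded from it?
$caPolicies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq "enabled" -and
    $_.GrantControls.AuthenticationStrength.Id -eq $phishingResistantStrengthId -and
    ($_.Conditions.Users.IncludeRoles | Where-Object { $roles.Values -contains $_ })
}
if (-not $caPolicies) { "NO enabled Conditional Access policy requires phishing-resistant MFA for these roles" }
foreach ($p in $caPolicies) {
    $u = $p.Conditions.Users
    "CA '$($p.DisplayName)': excluded users=$(@($u.ExcludeUsers).Count) groups=$(@($u.ExcludeGroups).Count) apps=$(@($p.Conditions.Applications.ExcludeApplications).Count)"
}

# Q4: Intune Multi Admin Approval policies (beta endpoint only).
$maa = @((Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/deviceManagement/operationApprovalPolicies").value)
"Multi Admin Approval policies: $($maa.Count) (0 means one admin can wipe the fleet alone)"

# Q6: privileged role changes in the last 7 days. A 3 a.m. 'Add member to role' is the signal.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("o")
Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since and category eq 'RoleManagement'" |
    Where-Object { $_.ActivityDisplayName -in @("Add member to role","Add eligible member to role","Add member to role completed (PIM activation)") } |
    ForEach-Object { "{0:u} {1} by {2}" -f $_.ActivityDateTime, $_.ActivityDisplayName, $_.InitiatedBy.User.UserPrincipalName }

# Q7: personally owned devices enrolled under the same management plane as corporate hardware.
$byod = @(Get-MgDeviceManagementManagedDevice -All | Where-Object { $_.ManagedDeviceOwnerType -eq "personal" })
"BYOD (personal-owned) MDM-enrolled devices: $($byod.Count)"
```

One caveat on the last check: full-device wipe is an action on MDM-enrolled devices. Personal devices that are managed only through app protection policies (MAM) can have corporate data removed but not be factory-reset, so the number that matters is how many personal devices sit in full MDM enrollment, and whether their owners were told what that means.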
Why the risk stays invisible until it's already happened
There’s a reason this kind of exposure persists. It doesn’t look like anything. There are no alerts. No warnings from your SIEM. No anomalies on the dashboard. Your Microsoft environment is operating normally, exactly as configured…it just happens to be configured in a way that gives an attacker everything they need if they can get past one credential.
Attackers who use legitimate administrative tools blend into normal activity.
From the platform’s perspective, a threat actor with a valid admin session is indistinguishable from your IT administrator. Every action they take logs as authorized. Every command executes without hesitation. Your EDR has nothing to flag because there’s no malicious payload, just a human being using your own tools against you.
The deeper problem is timing. Most organizations audit their security posture once a year. Attackers operate continuously. Configuration drift (a Conditional Access exception added to unblock one user, a new Global Admin account created for a project and never removed, an Intune RBAC role that accumulated permissions over time) creates gaps between audit cycles that nobody catches until someone walks through them.
By the time Stryker disclosed their December 2024 breach, the attackers had already been inside for months.
What CISA said and what most organizations still haven't done
In the immediate aftermath of the Stryker attack, CISA issued a formal advisory, an unusual step that signals this is not being treated as an isolated incident.
The agency confirmed it is aware of threat actors actively targeting endpoint management systems using exactly this vector, and named three specific controls as the remediation priority.
First: enforce phishing-resistant MFA for all privileged accounts through Entra ID Conditional Access, not standard push-based MFA, but FIDO2 keys or passkeys specifically, for every admin portal, with no exceptions.
Second: enable Privileged Identity Management across Intune, Entra ID, and connected Microsoft services so that just-in-time access is the standard, not an optional feature.
Third: configure Multi Admin Approval in Intune so that high-impact operations (device wipes, script deployments, RBAC changes) cannot be executed by a single compromised account.
These controls are not advanced. They ship with the platform. The guidance has been published by Microsoft for years. The question CISA is implicitly asking every organization is: why aren’t they deployed?
When a federal security agency issues targeted guidance in the immediate aftermath of a specific corporate attack, the message is clear: this is not an edge case. This is a pattern, and other organizations are likely running the same exposure.
Vickie Moore, Chief Executive Officer, WME
How WME validates and closes this, before it becomes your incident
Knowing the gap exists and knowing where your specific gap is are two different problems. Most organizations have read the CISA advisory. Fewer have mapped it against their actual tenant configuration and come back with a clean answer.
WME security services run targeted Microsoft environment assessments built specifically around the control layers the Stryker attack exposed.
That means a live look at your actual Entra ID configuration, not a questionnaire, not a theoretical checklist.
We examine privileged identity governance: who holds Global Admin and Intune Admin rights, whether those assignments are permanent or PIM-controlled, and whether the role assignments map to real people with active justifications.
We validate Conditional Access policy coverage to confirm phishing-resistant MFA is actually enforced for every admin portal, with no exceptions that silently create a gap.
We verify Intune configuration hardening (Multi Admin Approval status, RBAC scope, BYOD wipe permissions) against the specific attack chain CISA and Microsoft identified.
Where exposure exists, we remediate it. Where exposure doesn’t exist, we give you the evidence to say so with confidence.
Find out where you stand before someone else does
The exposure that enabled the Stryker attack exists in most Microsoft environments today. WME’s targeted assessment identifies exactly which controls are missing in yours and closes them before they’re tested under pressure.