How to Prevent Admin Account Compromise After the Stryker Breach

On March 11, 2026, Stryker employees across the US, Ireland, Australia, and India watched their laptops go dark. Not crash. Wipe…factory reset, mid-shift, no warning.

The Attack That Shut Down a $25 Billion Company in Three Hours

The attacker used the wipe command in Microsoft Intune to remotely erase data from nearly 80,000 devices between 5:00 and 8:00 a.m. UTC.

Three hours. 79 countries. And no malware was deployed. The weapon was an admin credential. The blast radius was global.

The attacker compromised an Intune administrator account, created a new Global Administrator account, and used it to wipe managed devices at scale.

No exotic exploit. No ransomware negotiation. Just one stolen set of keys to a console that was already trusted, and a platform that did exactly what it was told.

How They Got In

Infostealer malware harvested Stryker’s admin credentials alongside dozens of other Microsoft and MDM credentials. The attackers held them quietly and then moved.

The Blast Radius

Stryker’s Lifenet ECG system went offline across most of Maryland. Paramedics fell back to radio consultations for cardiac emergencies. Lumos Personal devices enrolled through BYOD were wiped, destroying eSIMs, photos, and the 2FA apps employees needed to recover access.

The Uncomfortable Truth

No novel exploit. Just a compromised admin credential and an unsecured management console.

Basically, one account. Total collapse.

The Real Vulnerability. Weak Identity Protection

Most organizations believe they are protected because they have MFA enabled. Stryker likely thought the same thing. The problem is not whether MFA exists…it’s whether it actually holds under attack.

Standard push-based MFA doesn’t stop adversary-in-the-middle phishing.

The attacker doesn’t steal your password. They steal your session token after authentication succeeds. By the time MFA has done its job, the attacker is already in.

One Account. Wide Open

Global Administrator accounts are the master keys of a Microsoft environment. When one is compromised, everything that account can touch is compromised too… instantly, silently, and at scale. At Stryker, there was no second approval required for destructive actions. One account made the request. The platform executed it.

Credentials Are Already for Sale

This is not a hypothetical future risk. Infostealer malware is actively harvesting admin credentials across thousands of environments right now…logging them, packaging them, and selling them on the dark web. The attacker who hit Stryker likely had those credentials weeks before the wipe. The breach didn’t start on March 11. It started the moment those credentials were compromised and nobody knew.

The Separate Admin Account Problem

Most organizations run privileged work on everyday accounts. The same account an admin uses to check email, click links, and browse the web is the same account that can wipe 80,000 devices.

That’s not a security strategy…that’s a single point of catastrophic failure sitting in someone’s inbox.

Every phishing email sent to that account is one click away from full administrative access. Every malicious site visited on that machine is a potential credential harvest. The attack surface is not your perimeter but your admin’s daily routine.

Privilege Without Boundaries

When admin accounts carry more permissions than a role actually requires, the blast radius of any compromise expands accordingly. A help desk account that doubles as a Global Admin is not an efficiency gain; it is a liability. Least privilege is not a compliance checkbox. It’s the difference between an attacker accessing one system and an attacker accessing everything.

Your Tools Are the Target

MDM and UEM platforms like Intune are not just operational conveniences; they are control planes. Whoever holds admin access to those platforms holds the ability to push software, wipe devices, modify configurations, and establish persistence across the entire endpoint fleet.

Attackers understand this even when defenders treat these tools as routine IT infrastructure.

Stryker’s attacker didn’t breach the perimeter. They inherited the keys to a management console that had no meaningful restrictions on what a single admin could do alone, and they used every one of them.

MFA and Conditional Access. The Controls That Were Missing

Having MFA is not the same as having MFA that works. This distinction cost Stryker everything.

Push notifications, SMS codes, and authenticator app OTPs all share the same fatal flaw…they authenticate the user, but they can’t verify the legitimacy of the session that follows.

Adversary-in-the-middle attacks let the real MFA challenge complete normally, then steal what comes after. The user does everything right. The attacker still gets in.

Take control of admin access before it slips out of your hands.

Phishing-Resistant MFA Is Non-Negotiable for Privileged Accounts

FIDO2 security keys and passkeys work differently. Authentication is cryptographically bound to the specific domain – a proxy site gets nothing because the key recognizes the mismatch and refuses to respond. This is the only category of MFA that actually holds against modern phishing techniques. For any account with Global Admin rights, anything less is insufficient.
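The relying-party side of that domain binding, as an added Python example (not code from this page or from WME): the server rejects any assertion whose clientDataJSON origin or authenticatorData rpIdHash names a site other than the one the key was registered for. RP_ID, the allowed origin, the challenge and the sample assertions are assumed, constructed values, and signature verification is left out to keep the focus on the binding checks.

```python
import base64
import hashlib
import json

RP_ID = "login.example.com"                      # assumed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # assumed legitimate web origins

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_binding(client_data_b64: str, auth_data: bytes, expected_challenge: str):
    """Relying-party checks that tie an assertion to RP_ID and its real origin.
    Signature verification over authData || SHA-256(clientDataJSON) follows
    these checks in a full WebAuthn flow and is omitted here."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not the relying party"
    # First 32 bytes of authenticatorData are SHA-256(rpId) as the browser saw it.
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    if not auth_data[32] & 0x01:                 # UP flag: user presence
        return False, "user presence not asserted"
    return True, "assertion bound to relying party"

# Helpers that build the two assertion fields a browser would hand back,
# so the checks can run offline on constructed input.
def make_client_data(origin: str, challenge: str) -> str:
    raw = json.dumps({"type": "webauthn.get", "challenge": challenge,
                      "origin": origin}).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def make_auth_data(rp_id: str, flags: int = 0x01, counter: int = 7) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) \
        + counter.to_bytes(4, "big")

CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed; normally random per login

# Genuine login: origin and rpId both belong to the relying party.
genuine = check_binding(make_client_data("https://login.example.com", CHALLENGE),
                        make_auth_data("login.example.com"), CHALLENGE)
# Proxied login: the browser on the lookalike site reports the proxy's origin and
# rpId, so the relying party rejects it even if the user tapped the key.
proxied = check_binding(make_client_data("https://login-example.com", CHALLENGE),
                        make_auth_data("login-example.com"), CHALLENGE)
```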

Conditional Access and Approval Gates

Conditional access policies create friction exactly where attackers hate it most…flagging logins from unexpected locations, unmanaged devices, or unusual hours before access is granted.

Microsoft Intune’s Multi-Admin Approval feature requires a second administrator to confirm before destructive actions like mass wipes execute.

That feature existed before the Stryker attack but it was not configured.

Just-in-time privilege elevation takes it further…

Admins receive elevated rights for the duration of a task, then those rights expire automatically. No persistent Global Admin sessions. No open doors between tasks.

One configuration. It would have stopped everything.

How WME Strengthens Identity Security

Understanding what went wrong at Stryker is one thing. Having a partner who closes those gaps before an attacker finds them is another.

WME security services approach identity security as an architecture problem rather than merely a checklist. Privileged identities are mapped, audited, and stripped of excess permissions. Stale accounts, third-party access that outlived its purpose, and over-provisioned roles get identified and eliminated, because attackers love what organizations forget they have.

Building the Controls That Actually Hold

WME implements phishing-resistant MFA across privileged accounts, configures conditional access policies customized to how your environment actually operates, and enforces Multi-Admin Approval for destructive actions.

Separate admin accounts are established and locked to admin tasks only…no email, no browsing, no crossover with daily work.

Just-in-time privilege elevation means no account carries persistent Global Admin rights between tasks. When elevated access is needed, it’s granted for that purpose and expires when the task is done.

Continuous Visibility Over Privileged Activity

Controls without monitoring are assumptions. WME maintains continuous visibility over privileged account activity, establishing behavioral baselines so that when something deviates, it gets caught before it becomes a wipe command at 5:00 a.m.
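One way to turn that behavioral-baseline idea into detection logic, as an added Python example that is not taken from the page or from WME: it replays constructed audit events (the field names are assumed, not a specific Microsoft log schema) and flags the two patterns the article describes, a Global Administrator grant to a freshly created account and a burst of wipe actions above a learned per-hour baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE_WIPES_PER_HOUR = 3    # assumed value learned from historical activity
WINDOW = timedelta(hours=1)
NEW_ACCOUNT_AGE = timedelta(hours=24)

# Constructed sample events (not real Stryker data); the field names are assumed.
EVENTS = [
    {"ts": "2026-03-10T14:00:00Z", "actor": "helpdesk-admin@corp.example",
     "action": "WipeDevice", "target": "laptop-lost-0001"},
    {"ts": "2026-03-11T04:40:00Z", "actor": "helpdesk-admin@corp.example",
     "action": "CreateUser", "target": "svc-mgmt@corp.example"},
    {"ts": "2026-03-11T04:41:00Z", "actor": "helpdesk-admin@corp.example",
     "action": "AddRoleMember", "target": "svc-mgmt@corp.example",
     "role": "Global Administrator"},
] + [
    {"ts": f"2026-03-11T05:{i:02d}:00Z", "actor": "svc-mgmt@corp.example",
     "action": "WipeDevice", "target": f"laptop-{i:04d}"} for i in range(30)
]

def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect(events):
    """Return (rule, actor, detail, ts) tuples for suspicious privileged activity."""
    alerts = []
    created = {}                 # account -> creation time seen in the log
    wipes = defaultdict(list)    # actor -> wipe timestamps inside WINDOW
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        t = parse_ts(e["ts"])
        if e["action"] == "CreateUser":
            created[e["target"]] = t
        elif e["action"] == "AddRoleMember" and e.get("role") == "Global Administrator":
            # A brand-new account receiving the highest role is the pattern the
            # page describes; an account with no creation record is treated as old.
            age = t - created.get(e["target"], t - timedelta(days=365))
            if age <= NEW_ACCOUNT_AGE:
                alerts.append(("NEW_GLOBAL_ADMIN", e["actor"], e["target"], e["ts"]))
        elif e["action"] == "WipeDevice":
            recent = wipes[e["actor"]]
            recent.append(t)
            while t - recent[0] > WINDOW:   # drop wipes older than the window
                recent.pop(0)
            if len(recent) == BASELINE_WIPES_PER_HOUR + 1:   # fire once on crossing
                alerts.append(("WIPE_BURST", e["actor"], len(recent), e["ts"]))
    return alerts
```

In a real deployment the baseline would be learned per actor from weeks of history, and a WIPE_BURST alert would feed an approval gate rather than only a ticket.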

One Weak Admin Account. Total Disruption.

Stryker didn’t lose to a sophisticated attacker. They lost to an unlocked door that nobody knew was open: a single admin credential, harvested quietly and used decisively.

The controls that would have stopped this attack are not experimental. They exist, they’re configurable, and they’re available to your organization today. Phishing-resistant MFA, separated admin accounts, conditional access, approval gates for destructive actions…none of this is cutting edge. It’s just disciplined identity security, applied consistently.

Most organizations won’t find out their privileged accounts are exposed through an audit. They’ll find out the same way Stryker did, when the devices start going dark.

Don’t wait for that morning

The Stryker attack succeeded because legitimate admin behavior and malicious admin behavior looked identical. With the right monitoring in place, they don’t have to.

WME security services help organizations secure privileged identities before compromise forces the conversation. If you are not certain your admin accounts are protected the way they need to be, that uncertainty is worth resolving today.

Secure your privileged identities before an attacker does it for you.

Talk to WME
