Stryker Attack Prompts CISA Warning On Endpoint Management Security

Source: Forbes

Security teams spend a lot of time thinking about the tools attackers use to break in. Malware. Phishing kits. Exploits. What gets less attention is the tools organizations use to manage their own environments -- and what happens when those tools become the weapon.

On March 11, 2026, medical technology company Stryker Corporation disclosed a cyberattack that disrupted its global Microsoft environment. Order processing stopped. Manufacturing slowed. Shipments were delayed. By some reports, roughly 200,000 devices were wiped and approximately 50 terabytes of data were exfiltrated. An Iran-linked threat group known as Handala later claimed responsibility, framing the attack as retaliation for a strike in southern Iran.

Stryker's public updates in the days that followed said there was no indication of ransomware or malware at the time of disclosure, and that the incident appeared contained. No malware. No traditional exploit. What the attackers reportedly leveraged instead were legitimate administrative features inside Microsoft Intune -- the kind of tools IT teams use every day to manage devices, push configurations and maintain compliance across enterprise environments.

Seven days after the attack, the Cybersecurity and Infrastructure Security Agency issued an alert. The agency said it is "aware of malicious cyber activity targeting endpoint management systems of U.S. organizations" and pointed directly to the Stryker incident as the trigger. CISA is coordinating with the FBI to assess the broader threat and determine what other organizations may be at risk.

Why Intune Is a High-Value Target

Microsoft Intune is cloud-based software that gives administrators centralized control over thousands of devices -- managing configurations, deploying applications, enforcing compliance policies and running scripts across an entire organization from a single console. That reach is what makes it useful to IT teams and attractive to attackers.

If an attacker gains access to Intune with sufficient administrative privileges, they don't need custom malware. They can use the platform itself to wipe devices, push malicious scripts, alter configurations, or move laterally across connected systems -- all while looking like a normal administrator. This approach is sometimes called "living off the land," and it's a serious problem for defenders because the activity can blend into legitimate administrative traffic.

The management plane -- the layer of infrastructure used to control everything else -- becomes the battleground. A compromise there can ripple outward faster than most endpoint security teams expect.

"What's notable here is that the attacker didn't deploy malware or exploit a vulnerability. They just logged into the Intune console and hit wipe. They could've done everything right from an endpoint management and security perspective, but by not paying attention to secure access to the Intune itself, they left the door open," explained Gabe Knuth, principal analyst for EUC, digital workspace, endpoint and email security at Omdia. "Honestly, this is more of an identity management problem that just happened to be used to leverage Intune."

What CISA Is Recommending

CISA's alert directs organizations toward Microsoft's own guidance for securing Intune, with the note that the same principles apply to other endpoint management platforms -- not just Microsoft environments.

Least privilege is the starting point. Administrative roles should be scoped as narrowly as possible. Not everyone who needs Intune access needs the same level of access, and over-provisioned accounts are a common path to widespread compromise when credentials are stolen.

Phishing-resistant multi-factor authentication is another priority. Traditional MFA has weaknesses -- push fatigue attacks, SIM swapping and session hijacking are all real concerns. CISA is pushing organizations toward phishing-resistant options, using tools like Microsoft Entra ID to layer Conditional Access policies, risk-based authentication signals and privileged identity controls.

One of the more specific recommendations is enabling Multi Admin Approval for high-impact actions inside Intune. The idea is straightforward: before a sensitive action -- like wiping devices, deploying scripts, or changing RBAC configurations -- a second administrative account has to approve it. If an attacker compromises one admin account, they can’t act unilaterally on the most destructive capabilities. It adds friction at exactly the right point.
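As an added illustration that is not from the Forbes article, CISA, or Microsoft, the Python sketch below shows how a defender might audit a management-plane trail for the two things this section calls out: high-impact actions that lack an independent second approver (the gap Multi Admin Approval closes), and a single identity issuing wipes at a tempo no routine device-retirement task would. The event records, field names and action names are constructed for the example and are not Intune's actual audit schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FIELDS = ("time", "actor", "action", "target", "approved_by")
# Constructed sample audit trail; the shape is NOT the real Intune schema.
RAW = [
    ("2026-03-11T02:00:05Z", "admin-a@example.com", "Wipe", "LAPTOP-0001", None),
    ("2026-03-11T02:00:09Z", "admin-a@example.com", "Wipe", "LAPTOP-0002", None),
    ("2026-03-11T02:01:30Z", "admin-a@example.com", "Wipe", "LAPTOP-0003", None),
    ("2026-03-11T02:02:47Z", "admin-a@example.com", "Wipe", "LAPTOP-0004", None),
    ("2026-03-11T09:15:00Z", "admin-b@example.com", "Wipe", "PHONE-0042", "admin-c@example.com"),
    ("2026-03-11T09:20:00Z", "admin-b@example.com", "DeployScript", "AllDevices", "admin-b@example.com"),
    ("2026-03-11T09:25:00Z", "admin-c@example.com", "UpdateCompliancePolicy", "Baseline", None),
]
EVENTS = [dict(zip(FIELDS, row)) for row in RAW]

# The action classes the article says should require a second administrator.
HIGH_IMPACT = {"Wipe", "DeployScript", "UpdateRbacRole"}

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def unapproved_high_impact(events):
    """High-impact actions with no recorded approver, or approved by the
    same identity that performed them. Self-approval defeats the point of
    a two-person control, so it is flagged just like a missing approval."""
    return [e for e in events
            if e["action"] in HIGH_IMPACT and e["approved_by"] in (None, e["actor"])]

def bulk_wipe_actors(events, threshold=3, window=timedelta(minutes=10)):
    """Identities that issued at least `threshold` Wipe actions within any
    sliding interval of length `window`. Each wipe on its own is a legitimate
    console action; only the tempo separates it from routine device retirement."""
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] == "Wipe":
            per_actor[e["actor"]].append(_ts(e["time"]))
    flagged = []
    for actor, times in per_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # shrink the window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(actor)
                break
    return sorted(flagged)
```

In the constructed trail, the four unapproved wipes and the self-approved script deployment are reported by the first check, and only admin-a trips the rate check.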

The Broader Pattern

CISA's alert isn't really about Stryker. It uses the incident as a reference point to put other organizations on notice that this class of attack -- using legitimate endpoint management tools against the organization that owns them -- is something defenders need to plan for now.

Organizations invest heavily in perimeter defenses -- firewalls, intrusion detection, endpoint protection platforms. The tools used to administer those defenses tend to get far less scrutiny. Administrative systems are trusted by design, and that trust is exactly what attackers are counting on.

It also matters that this attack reportedly had geopolitical motivation. Handala's claim of responsibility tied the attack to events in Iran. That doesn't mean every organization faces the same threat profile, but it illustrates that cyberattacks tied to international conflict pose a threat beyond government agencies or defense contractors. A medical technology company running a standard Microsoft enterprise environment became the target.

CISA's guidance on endpoint management hardening isn't complex. Least privilege, strong authentication and a second set of eyes on high-impact actions are not new ideas. They're just not being applied consistently to the administrative layer -- and after 200,000 devices were wiped at a Fortune 500 company with no malware involved, that's probably worth reviewing.