CyberBytes Daily

Trending cyberattacks, explained simply.

nation state

How attackers used a company's own device management tool to wipe 80,000 computers overnight

On the morning of March 11, 2026, employees at a $25 billion medical technology company arrived at their desks to find blank screens. No ransomware note. No demand for payment. Just a logo from an Iran-linked group called Handala, and a device that no longer worked.

The attackers had not planted malware. They had not exploited a software flaw. They had logged into the company's own device management system using stolen administrator credentials and pressed the equivalent of a factory reset button, 80,000 times, across 79 countries, in the span of three hours.

This is the story of how a single compromised admin account, combined with a missing approval step, turned a legitimate IT tool into the most destructive cyberattack a U.S. company had faced in years.

Narrative · 7 min read

The Context

Stryker Corporation makes surgical equipment, hospital beds, and medical implants. It operates in more than 79 countries and employs roughly 56,000 people. None of its patient-facing medical devices were affected by this attack. What was affected was everything behind the scenes: the laptops employees use to place orders, the systems that run manufacturing lines, the mobile devices that sales representatives carry into hospitals.

To manage that global fleet of devices, Stryker used Microsoft Intune, a cloud-based tool that lets IT administrators remotely configure, update, and, when necessary, wipe corporate devices. It is a standard enterprise tool used by thousands of organizations. The remote wipe feature exists for a legitimate reason: if an employee loses a laptop, IT can erase it before someone else reads the files on it.

On March 11, that feature was used against Stryker by people who were not Stryker employees.

The Attack, Phase by Phase

Phase 1: Getting In

In the months before March 11, the attackers ran brute-force attempts against Stryker's virtual private network (VPN), the gateway employees use to connect to company systems remotely. Check Point Research observed these attempts originating from commercial VPN services and Starlink IP addresses, a technique used to obscure the true origin of the traffic.

Eventually, the attackers obtained valid VPN credentials. Once inside the network perimeter, they moved laterally through Stryker's on-premises systems until they reached AD Connect, the synchronization bridge between Stryker's internal servers and Microsoft's cloud.

AD Connect is designed to make life easier for employees: you use the same username and password whether you are in the office or logging into a cloud application. But that convenience cuts both ways. Because AD Connect mirrors on-premises accounts into the cloud, an attacker who controls an on-premises account can use that same access to reach cloud services. The attackers escalated their privileges until they held a Global Administrator account in Microsoft Entra ID, the master key to Stryker's entire Microsoft cloud environment.

[Figure: Phase 1, from stolen VPN credentials to Global Administrator access. Steps: (1) Stolen VPN credentials, brute-force attempts over months via VPN; (2) Inside the corporate network, VPN grants access to internal systems; (3) AD Connect syncs to the cloud, the same credentials work on-prem and in Entra ID (on-prem to cloud boundary); (4) Global Administrator access, full control over Entra ID and Intune; (5) Intune admin console reached, remote wipe capability now available. Caption: Months of reconnaissance, one credential escalation path.]

Phase 2: Turning the Tool Into a Weapon

With Global Administrator access, the attackers opened the Microsoft Intune admin console. From there, they could see every device enrolled in Stryker's fleet: laptops, desktops, mobile phones, and virtual machines across 79 countries.

Between 5:00 and 8:00 AM on March 11, they issued remote wipe commands to all of them.

No malware was deployed. No software vulnerability was exploited. The attackers used a feature that Stryker's own IT team used every week. The only difference was that they issued it to every device at once, with no one to stop them.

The wipe extended to personal devices enrolled in Stryker's bring-your-own-device (BYOD) program. Employees lost personal photos, banking applications, and the authenticator apps they used to verify their own identities. The attack did not distinguish between a company-issued laptop and a personal phone that happened to be enrolled for work email.

[Figure: Phase 2, one admin account wipes 80,000 devices across 79 countries. The destructive phase, 5:00 AM to 8:00 AM, March 11. Steps: (1) Attacker logs into Intune using stolen Global Administrator credentials; (2) Issues mass remote wipe, no second approval needed, a single admin is enough; (3) Intune executes the commands, 80,000 devices across 79 countries factory reset. What was wiped: corporate laptops (all data erased), company phones (factory reset), BYOD personal devices (photos, apps, eSIMs gone). Caption: No malware. No exploit. Just legitimate admin functionality. Manufacturing, ordering, and shipping halted for weeks.]

Phase 3: The Aftermath

Employees arriving for the morning shift found blank screens displaying the Handala logo. Stryker took systems offline and confirmed the attack publicly on March 11. Manufacturing, ordering, and shipping systems remained offline for weeks.

On March 15, Stryker stated the attack was contained. On March 19, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory urging organizations to secure their Intune environments and recommended requiring a second administrator's approval before any high-impact action, such as a mass device wipe, could be executed.

By April 15, Stryker confirmed full operational recovery. The company also confirmed in a Securities and Exchange Commission (SEC) filing that the attack had a material impact on its first-quarter 2026 earnings. Investigators later confirmed that approximately 50 gigabytes of data had been stolen in addition to the wipe.

[Figure: Recovery timeline. (1) March 11: Mass wipe executed, 80,000 devices across 79 countries; (2) March 15: Attack contained, Stryker confirms containment; (3) March 19: CISA advisory issued, urges Intune hardening nationwide; (4) April 15: Full recovery, manufacturing and shipping restored. Caption: Five weeks from destruction to full operational recovery.]

What Made This Possible

  1. A single account could destroy everything. One Global Administrator account, with no second approver required, could issue a wipe command to every device in the organization. There was no circuit breaker.

  2. The on-premises and cloud environments were treated as one trust zone. AD Connect synchronized credentials between Stryker's internal servers and Microsoft's cloud. Compromising an on-premises account was enough to reach the highest privilege level in the cloud. The boundary between "inside the building" and "in the cloud" did not exist in practice.

  3. The remote wipe feature had no scope limit. Intune's wipe command could be applied to all enrolled devices simultaneously. There was no built-in limit on how many devices a single command could affect, and no alert triggered when the number reached an unusual threshold.

The feature that protects a lost laptop became the weapon that destroyed a global company's operations, because no one had asked: what happens if someone uses this feature on purpose, at scale?

What Should Have Stopped This

Several defenses existed and were not in place:

Multi-admin approval for destructive actions. Microsoft Intune supports a setting that requires a second administrator to approve high-impact operations before they execute. If this had been enabled, the attackers would have needed to compromise two separate administrator accounts simultaneously to issue the wipe.

Privileged Identity Management (PIM). Microsoft Entra ID includes a feature called Privileged Identity Management that requires administrators to explicitly activate elevated roles for a limited time window, with justification and approval. A standing Global Administrator account that is always active is a permanent target. PIM would have required the attackers to trigger an activation request that could be reviewed or denied.

Phishing-resistant multi-factor authentication (MFA). The initial VPN compromise relied on stolen credentials. Hardware-based MFA, such as a physical security key, cannot be replicated by an attacker who only has a username and password. Standard authenticator-app MFA can be bypassed through real-time phishing; hardware keys cannot.

Conditional access policies. Entra ID can be configured to block sign-ins from unexpected locations, unfamiliar devices, or unusual times of day. A login from a new device at 4:00 AM issuing commands to thousands of endpoints is an anomaly that a well-tuned policy could have flagged or blocked.

The Takeaway

This attack did not require a zero-day exploit or a novel piece of malware. It required one compromised password, one missing approval step, and one feature with no scope limit.

The lesson is not that device management tools are dangerous. The lesson is that any tool capable of causing destruction at scale needs a human checkpoint before it can act at scale. The same principle applies to cloud storage deletion, email purging, and database commands. If one account can do it to everything at once, that account is a single point of catastrophic failure.

Pattern to remember: When attackers hold administrator credentials, they do not need malware; they use your own tools, and the question is whether those tools require a second human to confirm before causing irreversible harm.

What changed: CISA's advisory and this incident have pushed Microsoft and enterprise security teams to treat multi-admin approval for destructive Intune actions as a baseline requirement, not an optional hardening step.

Technical Deep Dive · 4 min

The Technical Mechanism

This attack exploited no software vulnerability. The relevant weakness is architectural: the trust relationship between on-premises Active Directory and Microsoft Entra ID, combined with the absence of approval controls on high-impact Intune operations.

Attack path, step by step:

  1. Attackers conducted credential stuffing and brute-force attacks against Stryker's VPN endpoints over a period of months, using commercial VPN exit nodes and Starlink IP addresses to distribute the traffic and avoid IP-based blocking.

  2. Valid VPN credentials were obtained, granting access to the on-premises network segment.

  3. Attackers moved laterally within the on-premises environment to reach the AD Connect synchronization service. AD Connect operates with high-privilege service accounts in both the on-premises Active Directory and Entra ID. Compromising or abusing these accounts, or the accounts they synchronize, allowed the attackers to project their access into the cloud tenant.

  4. Attackers escalated to the Global Administrator role in Entra ID. This role grants unrestricted access to all Microsoft 365 services, including Intune.

  5. From the Intune admin console (endpoint.microsoft.com), attackers issued wipeDevice API calls targeting all enrolled devices. The Intune Graph API endpoint for this action is POST /deviceManagement/managedDevices/{managedDeviceId}/wipe. At scale, this can be scripted against the full device inventory returned by GET /deviceManagement/managedDevices.

  6. Devices received the wipe command and executed a factory reset. Windows devices performed a full wipe via the Windows Device Management protocol. iOS and Android devices received an MDM wipe command through their respective management channels.

No CVE applies to this incident. The attack used legitimate, documented API functionality with valid credentials. The weakness is classified under CWE-306 (Missing Authentication for Critical Function) at the approval layer, and CWE-269 (Improper Privilege Management) for the standing Global Administrator configuration.

[Figure: The credential escalation path, VPN → Active Directory → Entra ID → Intune (Stryker, March 2026). Steps: (1) VPN credential compromise, brute-force via commercial VPN and Starlink IPs; (2) Active Directory (on-premises), internal directory with password hash sync enabled; (3) Microsoft Entra ID (cloud), AD Connect syncs credentials, the same password works; (4) Global Administrator privileges, full control over tenant, users, and Intune; (5) Intune: mass remote wipe issued, factory reset commands sent to all enrolled devices. Caption: No malware deployed. No CVE exploited. Entirely legitimate functionality, entirely stolen credentials.]

CVE and Advisories

No CVE applies to this attack. The attackers used documented Microsoft Intune and Entra ID functionality with legitimately obtained credentials. No software vulnerability was exploited.

The relevant advisory is the CISA guidance issued March 19, 2026, which urged organizations to enable multi-admin approval for high-impact Intune actions and to audit Global Administrator role assignments.

MITRE ATT&CK Mapping

Technique ID | ATT&CK name | How it appeared
T1110 | Brute Force | Attackers conducted credential stuffing and brute-force attacks against Stryker VPN infrastructure over multiple months, using distributed IP addresses to avoid detection.
T1078 | Valid Accounts | Compromised VPN credentials were used to authenticate as a legitimate user. Escalated credentials were used to authenticate as a Global Administrator in Entra ID.
T1484 | Domain or Tenant Policy Modification | Attackers operating as Global Administrator had the ability to modify tenant-wide policies. The AD Connect synchronization path was used to bridge on-premises privilege escalation into the cloud tenant.
T1098 | Account Manipulation | Escalation to the Global Administrator role in Entra ID, enabling full control over all Microsoft 365 services including Intune.
T1485 | Data Destruction | Remote wipe commands issued via Intune to approximately 80,000 enrolled devices across 79 countries, destroying data and rendering devices inoperable.
T1490 | Inhibit System Recovery | Factory reset wipes removed operating systems, applications, and local data, preventing immediate recovery without device re-provisioning.

Indicators of Compromise

Public reporting has not released specific indicators of compromise (IOCs) such as IP addresses or file hashes, because no malware was deployed and the attack used legitimate Microsoft infrastructure. Detection would have required behavioral signals rather than signature-based indicators.

Relevant behavioral signals that security teams should monitor:

  • Bulk wipeDevice API calls in Entra ID audit logs (AuditLogs table in Microsoft Sentinel, DeviceManagementApps category)
  • Global Administrator role activation outside business hours or from unfamiliar locations
  • AD Connect service account activity inconsistent with normal synchronization patterns
  • VPN authentication attempts from commercial VPN exit nodes or Starlink IP ranges at high volume
  • Intune device inventory queries returning full device lists followed immediately by management actions
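To make the behavioral signals above concrete, here is an added example (not part of the original article, and not Microsoft's or Stryker's code) that runs three of those checks over a constructed set of audit events: a burst of wipes from one actor inside a short window, a privileged role activation outside business hours, and a full device-inventory read followed immediately by a wipe, which is the scripted GET-then-POST pattern described in the technical mechanism section. The event shape, field names, activity labels, actor names, IP addresses, thresholds and the business-hours window are all assumptions; a real deployment would read the Sentinel tables named above and tune the thresholds to its own fleet size and admin routines.

```python
"""Behavioral detection over constructed Entra ID / Intune audit events.

Added example, not code from the original article, Microsoft or Stryker.
The event shape, field names, activity labels, actors, IPs, thresholds and
the business-hours window are all assumptions made for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Activity labels are assumed; real audit records carry their own names.
ACTIVATE = "Activate role"
INVENTORY = "List managedDevices"
WIPE = "Wipe managedDevice"


def parse_events(log_text):
    """Parse JSON-lines audit events into dicts with tz-aware datetimes, sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda e: e["time"])
    return events


def detect_bulk_wipes(events, threshold=10, window=timedelta(minutes=5)):
    """Flag an actor whose wipe count inside a sliding window reaches the threshold.

    Fires once, at the wipe that first crosses the threshold: that is the point
    at which an approval gate or an automated session revocation should act.
    """
    findings = []
    recent = defaultdict(list)  # actor -> timestamps of wipes still inside the window
    for e in events:
        if e["activity"] != WIPE:
            continue
        times = recent[e["actor"]]
        times.append(e["time"])
        while e["time"] - times[0] > window:  # expire wipes older than the window
            times.pop(0)
        if len(times) == threshold:
            findings.append({"rule": "bulk_wipe", "actor": e["actor"],
                             "count": threshold, "at": e["time"].isoformat()})
    return findings


def detect_offhours_role_activation(events, business_start=7, business_end=19):
    """Flag privileged role activations outside the assumed business-hours window (UTC)."""
    return [{"rule": "offhours_activation", "actor": e["actor"],
             "role": e["target"], "at": e["time"].isoformat()}
            for e in events
            if e["activity"] == ACTIVATE
            and not (business_start <= e["time"].hour < business_end)]


def detect_inventory_then_wipe(events, max_gap=timedelta(minutes=2)):
    """Flag a full inventory read followed, within max_gap, by a wipe from the same actor."""
    findings = []
    last_inventory = {}  # actor -> time of the most recent inventory read not yet matched
    for e in events:
        if e["activity"] == INVENTORY:
            last_inventory[e["actor"]] = e["time"]
        elif e["activity"] == WIPE:
            t = last_inventory.pop(e["actor"], None)  # report once per inventory read
            if t is not None and e["time"] - t <= max_gap:
                findings.append({"rule": "inventory_then_wipe", "actor": e["actor"],
                                 "gap_seconds": (e["time"] - t).total_seconds(),
                                 "at": e["time"].isoformat()})
    return findings


def run_detections(log_text):
    """Run all three rules over a JSON-lines audit log and return findings per rule."""
    events = parse_events(log_text)
    return {
        "bulk_wipe": detect_bulk_wipes(events),
        "offhours_activation": detect_offhours_role_activation(events),
        "inventory_then_wipe": detect_inventory_then_wipe(events),
    }


def _event(ts, actor, activity, target, ip):
    return json.dumps({"time": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "actor": actor,
                       "activity": activity, "target": target, "ip": ip})


# Constructed sample log: one actor activates Global Administrator before dawn,
# lists the fleet, then wipes 25 devices in under a minute. A daytime helpdesk
# wipe of a single lost laptop is included as the benign case that must not fire.
_T0 = datetime(2026, 3, 11, 3, 58, 10, tzinfo=timezone.utc)
_ATTACKER = "admin.a@example.test"
_lines = [
    _event(_T0, _ATTACKER, ACTIVATE, "Global Administrator", "203.0.113.7"),
    _event(_T0 + timedelta(minutes=3, seconds=50), _ATTACKER, INVENTORY, "*", "203.0.113.7"),
]
for i in range(25):
    _lines.append(_event(_T0 + timedelta(minutes=3, seconds=55 + 2 * i),
                         _ATTACKER, WIPE, f"dev-{i:04d}", "203.0.113.7"))
_lines.append(_event(_T0 + timedelta(hours=6, minutes=17), "it.helpdesk@example.test",
                     WIPE, "dev-9001", "198.51.100.4"))
SAMPLE_LOG = "\n".join(_lines)

if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_LOG).items():
        print(rule, hits)
```

The thresholds are deliberately low so the constructed burst trips them; in a fleet of Stryker's size the right value is whatever sits comfortably above the largest legitimate batch an administrator issues in a normal day, and the off-hours window should follow the tenant's real admin schedule. The bulk rule fires once, at the wipe that first crosses the threshold, because that is the moment a multi-admin approval gate or an automated session revocation would need to act; everything after it is damage already done.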

Attribution

Handala claimed responsibility for the attack publicly. Palo Alto Networks Unit 42, Check Point Research, and CrowdStrike have assessed Handala as a front group operated by Void Manticore, a destructive operations unit within Iran's Ministry of Intelligence and Security (MOIS). Handala framed the attack as retaliation for U.S. and Israeli military strikes on Iran. Following the attack, the FBI seized Handala's primary web infrastructure.


Primary Sources