By NHI Mgmt Group Editorial Team
Published 2026-03-11
Domain: Breaches & Incidents
Source: SlashID

TL;DR: Stryker’s March 2026 attack showed how valid Microsoft identity access can be turned into a non-encrypting wiper, with public reporting citing nearly 80,000 devices wiped through Intune and at least 50 terabytes of corporate data deleted. The incident demonstrates that perimeter controls and MFA alone do not stop privileged cloud administration abuse, according to SlashID.


At a glance

What this is: This is a breach analysis of how attackers used Microsoft Intune and Entra access to execute a mass destructive wipe across Stryker’s environment.

Why it matters: It matters because IAM, PAM, and NHI teams have to treat trusted cloud administration paths as potential blast-radius multipliers when privileged identity is compromised.

By the numbers:

👉 Read SlashID's full analysis of the Stryker Intune wiper attack


Context

Stryker’s March 2026 incident is a Microsoft identity and device-management breach that became a destructive wipe event. Attackers did not need custom malware to cause damage because they reached a trusted administrative path and used native management commands against enrolled endpoints.

For IAM and NHI programmes, the important issue is not only initial access. The real failure is what happened after a valid identity reached Intune and Graph, where standing privilege, weak session assurance, and unchecked admin authority turned normal tooling into an enterprise-wide destruction mechanism.


Key questions

Q: What breaks when a compromised Microsoft admin account can trigger Intune wipes?

A: A single identity can become a fleet-wide destruction tool when remote wipe and factory reset remain available to one session. The failure is not just credential theft. It is the absence of a separate approval boundary for destructive cloud management, which lets legitimate admin commands erase devices at scale.

Q: Why do Microsoft 365 and Intune attacks bypass many endpoint controls?

A: They use the management plane itself rather than malware on the endpoint. If attackers hold valid Microsoft identity material, Intune and Graph calls can look like normal administration while still producing destructive outcomes. That is why identity assurance and privileged action monitoring matter as much as endpoint detection.

Q: What do security teams get wrong about Intune and cloud administration risk?

A: They often treat remote management as an operational convenience instead of a privileged control surface. In practice, Intune, Entra, and Graph can all carry destructive authority, so access reviews must cover who can issue admin commands, not just who can log in.

Q: Who is accountable when a valid admin identity is used to wipe devices at scale?

A: Accountability sits with the organisation that allowed destructive authority to reside in a single compromised identity path. The governance question is whether privilege boundaries, approval workflows, and session controls were strong enough to stop legitimate tools from becoming a sabotage mechanism.


Technical breakdown

Initial access into Microsoft identity and session material

The article points to two plausible entry paths: adversary-in-the-middle phishing and VPN compromise followed by lateral movement. In both cases, the attacker’s real objective is to obtain authenticated Microsoft identity material, not just a password. That matters because session tokens, cookies, and post-MFA artefacts can allow access to Entra and Microsoft 365 without triggering another prompt. Once that identity material is reused, the attacker can blend into ordinary sign-in traffic and begin enumerating roles, groups, and device-management surfaces.

Practical implication: protect session material as aggressively as passwords and revoke it when sign-in behaviour changes.

Privilege escalation through Entra, Graph, and Intune permissions

The destructive step depends on administrative privilege, either through an already-compromised admin account or by discovering an overprivileged identity, app, or service principal. In Microsoft environments, Graph permissions such as device-management, directory write, role management, and app-role assignment scopes can open a path from ordinary access to device-control authority. This is why cloud administration is not just a user-rights problem. It is an identity-to-control-plane problem where API permissions can be as dangerous as console roles.

Practical implication: review high-risk Graph and Intune permissions as privileged access, not routine application access.

Living-off-the-land remote wipe as a cloud control-plane action

Microsoft Intune’s remote wipe and factory reset commands are standard administrative functions, which is why traditional endpoint tools may not treat them as malicious. The attacker does not need to drop malware when the management plane itself can instruct the endpoint client to erase the device. The result is a living-off-the-land wiper, where legitimate API calls to trusted Microsoft services create destructive effects across the fleet. The breach shows that the security boundary has shifted from endpoint binaries to cloud admin authority.

Practical implication: instrument destructive admin actions separately from normal management traffic and require additional approval for bulk wipe operations.
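One way to instrument destructive admin actions separately from routine management traffic, as an added example rather than code from SlashID or NHI Mgmt Group: a velocity check over Intune audit events that flags any actor (user or service principal) issuing a burst of wipe or retire actions. The records are a constructed sample shaped like Graph deviceManagement/auditEvents; the exact activityType strings are an assumption.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample shaped like Graph deviceManagement/auditEvents records (real field
# names; the activityType strings are an assumption, so matching is on the verb only).
SAMPLE_AUDIT_JSON = """[
{"activityDateTime":"2026-03-10T02:00:05Z","activityType":"wipe ManagedDevice","activityResult":"Success","actor":{"userPrincipalName":"admin@example.com","type":"User"},"resources":[{"displayName":"LAPTOP-0001","resourceId":"d1"}]},
{"activityDateTime":"2026-03-10T02:00:40Z","activityType":"wipe ManagedDevice","activityResult":"Success","actor":{"userPrincipalName":"admin@example.com","type":"User"},"resources":[{"displayName":"LAPTOP-0002","resourceId":"d2"}]},
{"activityDateTime":"2026-03-10T02:01:10Z","activityType":"retire ManagedDevice","activityResult":"Success","actor":{"userPrincipalName":"admin@example.com","type":"User"},"resources":[{"displayName":"PHONE-0003","resourceId":"d3"}]},
{"activityDateTime":"2026-03-10T02:01:55Z","activityType":"wipe ManagedDevice","activityResult":"Success","actor":{"userPrincipalName":"admin@example.com","type":"User"},"resources":[{"displayName":"LAPTOP-0004","resourceId":"d4"}]},
{"activityDateTime":"2026-03-10T02:02:30Z","activityType":"wipe ManagedDevice","activityResult":"Failure","actor":{"userPrincipalName":"admin@example.com","type":"User"},"resources":[{"displayName":"LAPTOP-0005","resourceId":"d5"}]},
{"activityDateTime":"2026-03-10T09:30:00Z","activityType":"wipe ManagedDevice","activityResult":"Success","actor":{"userPrincipalName":"helpdesk@example.com","type":"User"},"resources":[{"displayName":"PHONE-0009","resourceId":"d9"}]},
{"activityDateTime":"2026-03-10T11:00:00Z","activityType":"retire ManagedDevice","activityResult":"Success","actor":{"applicationDisplayName":"mdm-automation","type":"Application"},"resources":[{"displayName":"LAPTOP-0010","resourceId":"d10"}]}
]"""

DESTRUCTIVE_VERBS = ("wipe", "retire")
WINDOW = timedelta(minutes=10)  # sliding window used for the velocity check
THRESHOLD = 3                   # alert when an actor exceeds this many actions in a window

def is_destructive(event):
    # Count attempts as well as successes: a burst of failed wipes is still a signal.
    return any(verb in event.get("activityType", "").lower() for verb in DESTRUCTIVE_VERBS)

def actor_name(event):
    actor = event.get("actor", {})
    return actor.get("userPrincipalName") or actor.get("applicationDisplayName") or "unknown"

def bulk_destructive_actors(events, window=WINDOW, threshold=THRESHOLD):
    """Return {actor: (peak_actions_in_window, distinct_devices)} for every actor
    whose destructive Intune actions exceed `threshold` inside any `window`."""
    by_actor = defaultdict(list)
    for event in events:
        if is_destructive(event):
            by_actor[actor_name(event)].append(event)
    flagged = {}
    for actor, evs in by_actor.items():
        times = sorted(datetime.strptime(e["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ") for e in evs)
        peak, start = 0, 0
        for end in range(len(times)):  # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            devices = {r["resourceId"] for e in evs for r in e.get("resources", [])}
            flagged[actor] = (peak, len(devices))
    return flagged

def scan(raw_json=SAMPLE_AUDIT_JSON):
    return bulk_destructive_actors(json.loads(raw_json))
```

In the sample only admin@example.com is flagged (five destructive actions against five devices inside ten minutes); the single wipe by helpdesk and the single retire by the automation service principal stay below the threshold, which is the point of the velocity check rather than a per-action alert.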


Threat narrative

Attacker objective: The objective was systemic disruption through mass device destruction and data deletion rather than traditional financial extortion.

  1. Entry occurred through either adversary-in-the-middle phishing that captured a post-MFA Microsoft session or through VPN compromise that provided valid corporate access.
  2. Credential access and abuse followed when attackers reused Microsoft identity material to move into Entra, Microsoft 365, and related administrative surfaces as a legitimate user.
  3. Escalation happened when the attackers reached privileged roles or overprivileged Graph and Intune permissions that allowed device-management control.
  4. Impact came from native Intune remote wipe and factory reset commands that bricked endpoints and erased corporate data at enterprise scale.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Standing cloud administration is the failure mode this breach exposes. The attack worked because a trusted Microsoft management path retained destructive authority after identity compromise. That is not merely a control gap; it is a governance assumption that privileged cloud actions remain safe because they are native and authenticated. The breach shows the opposite: once Intune, Entra, and Graph are reachable through a compromised identity, legitimacy becomes the delivery mechanism for destruction. Practitioners should treat this as a control-plane exposure problem, not an endpoint-only incident.

Remote wipe without stronger approval boundaries is a catastrophic privilege shape. The article shows that one administrative identity could trigger large-scale device reset through standard Intune functions. That means the organisation had allowed a single session to inherit enterprise-wide destructive power, which is exactly the kind of standing privilege assumption that PAM is meant to constrain. The specific failure mode is single-actor destructive authority across the device estate, and it is far more consequential than ordinary overpermissioned access. Practitioners need to recognise that administrative convenience can become operational sabotage.

Microsoft Graph permissions can function as NHI blast-radius accelerators. When app scopes and administrative roles are broad enough to manage devices, users, and policies, a compromised identity can move from observability into fleet control. This is a lifecycle and governance issue, not just a technical misconfiguration. Access review that does not differentiate between routine SaaS permissions and cloud-control-plane authority will miss the paths that matter most. Practitioners should treat high-risk Graph scopes as privileged entitlements requiring continuous scrutiny.

BYOD and managed endpoints inherit the trustworthiness of the identity plane. The article’s BYOD destruction detail is a reminder that management trust extends beyond corporate hardware. Once a device is enrolled, a destructive command can reach personal devices as well as enterprise assets. That collapses the usual boundary between user-owned and corporate-owned endpoints and raises the governance bar for enrolment, attestation, and emergency action controls. Practitioners should assume enrolment equals operational reach, not just inventory visibility.

LotL wipers are now an identity governance problem, not a malware problem. This breach did not depend on custom payloads or novel binaries. It depended on valid credentials, administrative trust, and a management plane that executed exactly what it was told. That shifts the centre of gravity from detection of code to detection of authority misuse. Practitioners should therefore look at who can issue destructive cloud commands, under what conditions, and with what second-line approvals before the command ever reaches the endpoint.

From our research:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
  • Only 17% of organisations with least-privileged AI access reported an incident, compared with 76% of over-privileged systems.
  • That gap is why the NHI Lifecycle Management Guide should be paired with privileged-action review before destructive cloud commands are allowed.

What this signals

Stryker-style attacks show that management planes now define the real blast radius of identity compromise. When a valid admin session can issue wipe commands, the question is no longer whether authentication succeeded, but whether the organisation can constrain what authenticated authority is allowed to do. Teams should model Intune, Entra, and Graph as privileged control surfaces and not just as IT administration tools.

Identity blast radius: the practical measure of how far one compromised identity can reach through trusted admin tooling. In a Microsoft environment, that reach can extend from session theft to device deletion, so governance must focus on destructive authority, not only account takeover. Where that authority exists, approval gates and token controls become more important than endpoint signatures.

The broader signal is that cloud administration, BYOD enrolment, and endpoint management are converging into one governance problem. Security leaders should prepare for destructive actions being executed through legitimate interfaces, which means their programme has to combine privileged access review, management-plane telemetry, and emergency response design. The 52 NHI breaches Report is useful for pattern recognition here, because the same trust assumptions appear across many NHI incidents.


For practitioners

  • Restrict destructive Intune commands to tightly governed admin paths: Separate remote wipe, retire, and factory reset privileges from routine device administration, and require second-person approval before bulk actions can run across large device groups.
  • Review Microsoft Graph scopes as privileged access: Inventory every app registration, service principal, and admin role that can write to device management, directory roles, or policy settings, then remove anything that does not need cloud-control-plane authority.
  • Harden session handling for Microsoft identity: Assume post-MFA session tokens can be stolen and reused, and add conditional access checks, token revocation workflows, and admin session monitoring for unusual login paths.
  • Treat enrolled BYOD as removable control-plane targets: Document which personal devices can receive management actions, verify user consent boundaries, and ensure emergency wipe processes cannot erase personal data without explicit governance approval.
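An added example (not the page's or SlashID's code) of the Graph-scope review described under "Privilege escalation through Entra, Graph, and Intune permissions" and in the second bullet above: classify each service principal by the control-plane authority its Graph application permissions confer, so that device-destruction and self-escalation scopes surface as privileged entitlements rather than routine app access. The permission names are real Graph scopes; the inventory entries and the tiering rules are this example's own assumptions.

```python
# Constructed inventory of service principals and the Graph application permissions
# granted to them. The permission names are real Graph scopes; the principals, their
# grants and the tiering rules below are this example's own assumptions.
INVENTORY = [
    {"principal": "mdm-automation", "permissions": [
        "DeviceManagementManagedDevices.PrivilegedOperations.All",   # wipe / retire
        "DeviceManagementManagedDevices.Read.All"]},
    {"principal": "hr-sync", "permissions": ["User.Read.All", "Group.Read.All"]},
    {"principal": "devops-bootstrap", "permissions": [
        "AppRoleAssignment.ReadWrite.All", "Application.Read.All"]},
    {"principal": "reporting", "permissions": [
        "DeviceManagementConfiguration.ReadWrite.All", "AuditLog.Read.All"]},
]

# Scopes that confer cloud-control-plane authority, labelled by what a compromised
# identity could do with them. Anything not listed is treated as routine SaaS access.
CONTROL_PLANE_SCOPES = {
    "DeviceManagementManagedDevices.PrivilegedOperations.All": "destructive-device",
    "DeviceManagementManagedDevices.ReadWrite.All": "device-write",
    "DeviceManagementConfiguration.ReadWrite.All": "policy-write",
    "Directory.ReadWrite.All": "directory-write",
    "RoleManagement.ReadWrite.Directory": "role-management",
    "AppRoleAssignment.ReadWrite.All": "grant-permissions",
    "Application.ReadWrite.All": "app-credentials",
}
# Scopes from which a principal can grant itself (or another app) further permissions
# or directory roles, so they are rated as if the destructive scope were already held.
ESCALATION_SCOPES = {"AppRoleAssignment.ReadWrite.All",
                     "RoleManagement.ReadWrite.Directory", "Application.ReadWrite.All"}

def classify(entry):
    """Return (tier, categories): tier is 'tier0', 'privileged' or 'routine'."""
    perms = set(entry["permissions"])
    cats = sorted(CONTROL_PLANE_SCOPES[p] for p in perms if p in CONTROL_PLANE_SCOPES)
    if "destructive-device" in cats or perms & ESCALATION_SCOPES:
        return "tier0", cats
    return ("privileged" if cats else "routine"), cats

def review(inventory=INVENTORY):
    """List principals that need privileged-access review, most dangerous first."""
    order = {"tier0": 0, "privileged": 1}
    rows = []
    for entry in inventory:
        tier, cats = classify(entry)
        if tier != "routine":
            rows.append({"principal": entry["principal"], "tier": tier, "categories": cats})
    return sorted(rows, key=lambda r: (order[r["tier"]], r["principal"]))
```

Note that devops-bootstrap lands in tier0 without holding any device scope: a principal that can assign app roles to itself is one API call away from the wipe permission, so the review treats the escalation path as equivalent to the destructive authority itself.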

Key takeaways

  • This breach showed that a compromised Microsoft identity can become an enterprise destruction channel when Intune and Graph retain unchecked authority.
  • The scale of impact was severe, with public reporting citing nearly 80,000 wiped devices and at least 50 terabytes of deleted corporate data.
  • The control that would have mattered most was not another endpoint alert, but a stronger approval boundary around destructive cloud administration.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework (control / reference): relevance
  • OWASP Non-Human Identity Top 10 (NHI-01): Covers secret and credential exposure that enabled admin access in this breach.
  • NIST CSF 2.0 (PR.AC-4): Least-privilege access was central to the destructive authority abused here.
  • NIST Zero Trust (SP 800-207), AC-4: Trusted management commands should still be continuously verified and constrained.

Inventory and protect Microsoft admin credentials as high-value NHI assets with tighter lifecycle controls.


Key terms

  • Cloud Control Plane: The cloud control plane is the administrative layer that creates, changes, and deletes resources, users, policies, and devices. In this breach, Intune and Graph acted as the control plane, meaning compromise of identity translated directly into fleet-level power instead of just account access.
  • Living-off-the-land Wiper: A living-off-the-land wiper is an attack that uses legitimate administrative tools and trusted services to destroy systems or data. The code path is native, not maliciously dropped, so the security issue becomes who is allowed to issue commands and under what approval boundaries.
  • Post-MFA Session Token: A post-MFA session token is the authenticated artefact issued after a user successfully completes multi-factor authentication. If attackers steal or replay it, they can impersonate the session without repeating the MFA challenge, which is why session protection matters as much as password strength.
  • Destructive Privilege: Destructive privilege is access that can erase devices, delete data, or materially disrupt operations rather than simply read or configure assets. It should be governed as a Tier-0 control because a single compromised account with that authority can create enterprise-wide outage or sabotage.

Deepen your knowledge

Microsoft identity compromise, Intune governance, and destructive cloud administration are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for Microsoft-managed endpoints and privileged admin paths, it is worth exploring.

This post draws on content published by SlashID covering the Stryker breach: the March 2026 Intune-driven wiper attack and its identity governance implications. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org