
Cloud endpoint management as a wiper path: what IAM teams missed


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: Attackers turned Stryker’s Microsoft Intune plane into a non-encrypting wiper, factory-resetting about 200,000 endpoints across 79 offices after an AiTM session-theft chain and privilege escalation, according to SlashID. The breach shows endpoint management platforms can become destructive control planes when privileged identity is not tightly bounded.

NHIMG editorial — based on content published by SlashID: Analysis of the 2026 Stryker Breach and cloud endpoint management abuse

By the numbers:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
  • Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, and organisations failing to scope AI access properly are 4.5x more likely to experience a security incident.

Questions worth separating out

Q: What breaks when a cloud endpoint-management identity is stolen?

A: A stolen endpoint-management identity can turn legitimate administrative access into destructive fleet action if it carries standing privileges.

Q: Why do privileged device-management sessions create such a large blast radius?

A: Privileged device-management sessions create a large blast radius because a single identity often reaches every enrolled endpoint.

Q: What do security teams get wrong about endpoint-management compromise?

A: Security teams often treat endpoint-management compromise as an administrative nuisance instead of a high-impact identity event.

Practitioner guidance

  • Map device-management blast radius: inventory every identity that can issue Intune, MDM, or cloud-management commands, then document the exact actions each one can trigger across the fleet.
  • Require phishing-resistant authentication for privileged consoles: move high-impact admin and control-plane access to phishing-resistant methods and bind sessions to device or context where possible.
  • Add just-in-time elevation for destructive actions: separate read-only administration from write-capable management, then gate fleet-wide actions behind just-in-time privilege and explicit approval.
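One way to back the last two points with detection, as an added example that is not code from this post or from SlashID: it scans management-plane audit records for destructive actions that carry no just-in-time approval reference and for one identity issuing a burst of such actions across many devices. The record schema, action names, threshold and sample records are constructed assumptions, not the real Intune audit export format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Actions treated as fleet-impacting. Constructed for this example; not a
# vendor action catalogue.
DESTRUCTIVE_ACTIONS = {"wipe", "factoryReset"}

# Constructed sample audit records in an assumed schema:
# (actor, action, device, ISO-8601 UTC time, JIT approval reference or None).
# A real Intune audit export uses its own field names.
SAMPLE_RECORDS = [
    ("helpdesk@example.com", "wipe", "lt-0001", "2026-02-01T08:00:00Z", "CHG-1001"),
    ("helpdesk@example.com", "syncDevice", "lt-0002", "2026-02-01T08:05:00Z", None),
    ("helpdesk@example.com", "wipe", "lt-0003", "2026-02-01T09:10:00Z", "CHG-1002"),
] + [
    # One identity resetting six devices inside one minute with no approval.
    ("svc-mdm-admin@example.com", "factoryReset", f"lt-{n:04d}",
     f"2026-02-01T13:00:{n * 10:02d}Z", None)
    for n in range(6)
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_destructive_bursts(records, window=timedelta(minutes=10), threshold=5):
    """Return alerts for (a) any destructive action without an approval
    reference and (b) an actor reaching `threshold` destructive actions inside
    a sliding `window`. The burst alert fires once, when the threshold is hit."""
    alerts = []
    recent = defaultdict(deque)  # actor -> timestamps of recent destructive actions
    for actor, action, device, ts, approval in sorted(records, key=lambda r: r[3]):
        if action not in DESTRUCTIVE_ACTIONS:
            continue
        if approval is None:
            alerts.append(("unapproved_destructive", actor, device))
        t = parse_ts(ts)
        q = recent[actor]
        q.append(t)
        while t - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) == threshold:
            alerts.append(("destructive_burst", actor, threshold))
    return alerts


if __name__ == "__main__":
    for alert in detect_destructive_bursts(SAMPLE_RECORDS):
        print(alert)
```

The approved, widely spaced helpdesk wipes produce nothing; the service identity produces one unapproved alert per device plus a single burst alert.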

What's in the full article

SlashID's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step reconstruction of the Stryker attack chain from infostealer logs to Intune control-plane abuse.
  • Detailed discussion of SlashID’s MITM and AiTM detection approach for identifying compromised sessions.
  • Operational guidance on phishing-resistant authentication and just-in-time privileged access for management planes.
  • Behavioral anomaly detection patterns that can flag suspicious device reset or policy activity.

👉 Read SlashID’s analysis of the 2026 Stryker breach and Intune control-plane abuse →
