Identity compromise over malware: what the Stryker breach means


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: The Stryker breach shows how a compromised Global Administrator account and a built-in Intune wipe feature let attackers destroy more than 80,000 systems without malware or exploit chains, according to Push Security. The incident underscores that identity compromise, not signature-based detection, is now the decisive control point for destructive operations.

NHIMG editorial — based on content published by Push Security covering the Stryker breach: identity compromise and Intune remote wipe across managed devices

By the numbers:

  • On the morning of March 11, employees at Stryker Corporation offices across 79 countries turned on their laptops and found them wiped and unusable.

Questions worth separating out

Q: What fails when a compromised admin identity can use Intune to wipe devices?

A: The failure is not a technical weakness in the wipe feature itself; the feature worked as designed for an identity that had already been compromised.

Q: Why do destructive attacks now focus on cloud identity instead of malware?

A: Cloud identity often gives faster and broader access than endpoint exploitation.

Q: How do organisations know whether admin action controls are working?

A: Look for evidence that destructive operations are gated, attributed, and correlated across identity and device logs.

Practitioner guidance

  • Isolate privileged management identities: Keep Intune, Entra, and other tenant-wide admin roles separate from everyday accounts, and require phishing-resistant authentication for each privileged identity.
  • Add high-friction approval for destructive device actions: Require Multi Admin Approval or equivalent dual control for bulk wipe, mass unenroll, and tenant-wide device actions so one compromised account cannot execute them alone.
  • Correlate sign-in and device-action telemetry: Join Entra sign-in logs, Intune audit events, and device status changes in a single detection workflow so a privileged login followed by a wipe can be investigated as one incident.
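The third point, joining identity and device telemetry into one record, is easier to see in code. The block below is an added example written for this post, not code from Push Security or from the article it summarises. It correlates a privileged sign-in with destructive Intune actions taken by the same identity within a time window and rolls them into a single incident. The event shapes, field names, role names and thresholds are assumptions for the example, and the log lines are constructed, not data from the Stryker incident.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumed shapes, not real tenant data).
# In production these would come from Entra sign-in logs and the
# Intune audit log; the field names here are simplifications.
SIGNIN_EVENTS = [
    {"time": "2024-06-01T05:52:00Z", "user": "admin.ops@example.com",
     "roles": ["Global Administrator"], "ip": "203.0.113.10", "mfa": "none"},
    {"time": "2024-06-01T06:10:00Z", "user": "jdoe@example.com",
     "roles": [], "ip": "198.51.100.7", "mfa": "fido2"},
]

INTUNE_AUDIT_EVENTS = [
    {"time": "2024-06-01T06:01:00Z", "actor": "admin.ops@example.com",
     "action": "wipe", "device_count": 1200},
    {"time": "2024-06-01T06:03:00Z", "actor": "admin.ops@example.com",
     "action": "wipe", "device_count": 4000},
    {"time": "2024-06-01T09:30:00Z", "actor": "jdoe@example.com",
     "action": "retire", "device_count": 1},
]

# Assumed role and action sets; tune to the tenant's actual role names.
PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator"}
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "delete", "unenroll"}
WINDOW = timedelta(hours=2)     # how long after a sign-in we attribute actions
BULK_THRESHOLD = 50             # device count that makes an incident critical


def parse(ts):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(signins, audits, window=WINDOW, bulk_threshold=BULK_THRESHOLD):
    """Return one incident per privileged sign-in that is followed within
    `window` by destructive device actions attributed to the same identity.

    A non-privileged sign-in, or a privileged one with no destructive
    follow-up, produces no incident; everything else is grouped so the
    login and the wipes are investigated together rather than as
    separate identity and device alerts."""
    incidents = []
    for s in signins:
        if not PRIVILEGED_ROLES & set(s["roles"]):
            continue
        start = parse(s["time"])
        actions = [a for a in audits
                   if a["actor"] == s["user"]
                   and a["action"] in DESTRUCTIVE_ACTIONS
                   and start <= parse(a["time"]) <= start + window]
        if not actions:
            continue
        devices = sum(a["device_count"] for a in actions)
        incidents.append({
            "identity": s["user"],
            "signin_time": s["time"],
            "signin_ip": s["ip"],
            "mfa": s["mfa"],
            "action_count": len(actions),
            "devices_affected": devices,
            "severity": "critical" if devices >= bulk_threshold else "high",
        })
    return incidents


if __name__ == "__main__":
    for inc in correlate(SIGNIN_EVENTS, INTUNE_AUDIT_EVENTS):
        print(inc)
```

The output for the constructed data is a single critical incident attributed to admin.ops@example.com: a Global Administrator sign-in without MFA, followed within two hours by two wipe actions covering 5,200 devices. The point is that neither log alone tells that story: the sign-in log shows only a login, and the Intune audit log shows only wipes by an authorised account. A real deployment would also want the approval records from Multi Admin Approval joined in, so that a wipe lacking a second approver stands out even before the device count is known.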

What's in the full article

Push Security's full analysis covers the operational detail this post intentionally leaves for the source:

  • The attacker timeline across identity compromise, Intune access, and the remote wipe command path.
  • The vendor's breakdown of why legacy Handala detections would not have fired in this case.
  • The log sources, correlation gaps, and administrative events that security teams should inspect after privileged tenant abuse.
  • The broader comparison between this destructive case and identity-led campaigns by other threat actors.

👉 Read Push Security's analysis of the Stryker Intune wipe and identity compromise →

