TL;DR: The Stryker breach shows how a compromised Global Administrator account and a built-in Intune wipe feature let attackers destroy more than 80,000 systems without malware or exploit chains, according to Push Security. The incident underscores that identity compromise, not signature-based detection, is now the decisive control point for destructive operations.
NHIMG editorial — based on content published by Push Security covering the Stryker breach: identity compromise and Intune remote wipe across managed devices
By the numbers:
- On the morning of March 11, employees at Stryker Corporation offices across 79 countries turned on their laptops and found them wiped and unusable.
Questions worth separating out
Q: What fails when a compromised admin identity can use Intune to wipe devices?
A: The failure is not a technical weakness in the wipe feature itself.
Q: Why do destructive attacks now focus on cloud identity instead of malware?
A: Cloud identity often gives faster and broader access than endpoint exploitation.
Q: How do organisations know whether admin action controls are working?
A: Look for evidence that destructive operations are gated, attributed, and correlated across identity and device logs.
Practitioner guidance
- Isolate privileged management identities: keep Intune, Entra, and other tenant-wide admin roles separate from everyday accounts, and require phishing-resistant authentication for each privileged identity.
- Add high-friction approval for destructive device actions: require Multi Admin Approval or equivalent dual control for bulk wipe, mass unenroll, and tenant-wide device actions so one compromised account cannot execute them alone.
- Correlate sign-in and device-action telemetry: join Entra sign-in logs, Intune audit events, and device status changes in a single detection workflow so a privileged login followed by a wipe can be investigated as one incident.
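The three guidance items above describe one detection workflow: a privileged sign-in, followed within a short window by a bulk destructive device action, reviewed as a single incident together with its approval and authentication context. The script below is an added example written for this editorial, not code from Push Security, NHIMG or Microsoft. The JSON field names (type, time, user, roles, authMethod, ip, actor, action, deviceCount, secondApprover), the role and action labels, the two-hour window and the bulk threshold are all simplified assumptions rather than the real Entra ID sign-in or Intune audit schemas, and the log lines are constructed, not real tenant data.

```python
"""Correlate privileged sign-ins with bulk destructive device actions.
Added example; field names and labels are assumptions, not the real
Entra ID / Intune log schemas. Sample lines below are constructed."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator"}   # assumed labels
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "delete"}                    # assumed labels
PHISHING_RESISTANT_METHODS = {"fido2", "certificate", "windowsHelloForBusiness"}
CORRELATION_WINDOW = timedelta(hours=2)   # how far back to look for the enabling sign-in
BULK_THRESHOLD = 10                       # device count at which an action counts as bulk

# Constructed sample telemetry, one JSON object per line (not real tenant data).
SAMPLE_LOG_LINES = [
    '{"type":"signin","time":"2026-03-11T05:10:00Z","user":"admin@corp.example","roles":["Global Administrator"],"authMethod":"password+sms","ip":"203.0.113.5"}',
    '{"type":"deviceAction","time":"2026-03-11T05:42:00Z","actor":"admin@corp.example","action":"wipe","deviceCount":80000}',
    '{"type":"signin","time":"2026-03-11T09:00:00Z","user":"helpdesk@corp.example","roles":["Helpdesk Administrator"],"authMethod":"fido2","ip":"198.51.100.7"}',
    '{"type":"deviceAction","time":"2026-03-11T09:05:00Z","actor":"helpdesk@corp.example","action":"retire","deviceCount":1}',
    '{"type":"signin","time":"2026-03-11T10:00:00Z","user":"ops-admin@corp.example","roles":["Intune Administrator"],"authMethod":"fido2","ip":"198.51.100.9"}',
    '{"type":"deviceAction","time":"2026-03-11T10:20:00Z","actor":"ops-admin@corp.example","action":"wipe","deviceCount":15,"secondApprover":"secops@corp.example"}',
    '{"type":"deviceAction","time":"2026-03-11T12:00:00Z","actor":"svc-mdm@corp.example","action":"delete","deviceCount":50}',
]


@dataclass
class SignIn:
    when: datetime
    user: str
    roles: frozenset
    auth_method: str
    source_ip: str


@dataclass
class DeviceAction:
    when: datetime
    actor: str
    action: str
    device_count: int
    second_approver: Optional[str]   # dual-control approver, if the action was gated


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ('Z' rewritten for older Pythons)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(lines: List[str]) -> Tuple[List[SignIn], List[DeviceAction]]:
    """Split a mixed JSON-lines feed into sign-in and device-action records."""
    signins: List[SignIn] = []
    actions: List[DeviceAction] = []
    for line in lines:
        rec = json.loads(line)
        if rec["type"] == "signin":
            signins.append(SignIn(_ts(rec["time"]), rec["user"], frozenset(rec["roles"]),
                                  rec["authMethod"], rec["ip"]))
        elif rec["type"] == "deviceAction":
            actions.append(DeviceAction(_ts(rec["time"]), rec["actor"], rec["action"],
                                        int(rec["deviceCount"]), rec.get("secondApprover")))
    return signins, actions


def correlate(signins: List[SignIn], actions: List[DeviceAction]) -> List[Dict]:
    """Join each bulk destructive action with its enabling sign-in as one incident.

    The 'gaps' list records which control was missing: no second approver,
    no sign-in in the window, an actor outside a privileged role, or a
    sign-in that did not use phishing-resistant authentication."""
    findings: List[Dict] = []
    for act in sorted(actions, key=lambda a: a.when):
        if act.action not in DESTRUCTIVE_ACTIONS or act.device_count < BULK_THRESHOLD:
            continue   # routine single-device work is not the case under discussion
        window_start = act.when - CORRELATION_WINDOW
        candidates = [s for s in signins
                      if s.user == act.actor and window_start <= s.when <= act.when]
        login = max(candidates, key=lambda s: s.when, default=None)
        gaps: List[str] = []
        if act.second_approver is None:
            gaps.append("no_second_approver")
        if login is None:
            gaps.append("no_correlated_signin")
        else:
            if not login.roles & PRIVILEGED_ROLES:
                gaps.append("actor_not_in_privileged_role")
            if login.auth_method not in PHISHING_RESISTANT_METHODS:
                gaps.append("weak_auth")
        findings.append({
            "time": act.when.isoformat(),
            "actor": act.actor,
            "action": act.action,
            "device_count": act.device_count,
            "signin_ip": login.source_ip if login else None,
            "auth_method": login.auth_method if login else None,
            "gaps": gaps,
        })
    return findings


def run_demo() -> List[Dict]:
    """Run the correlation over the constructed sample and return the incidents."""
    signins, actions = parse_events(SAMPLE_LOG_LINES)
    return correlate(signins, actions)
```

Run against the sample, the 80,000-device wipe is reported with the sign-in that enabled it and two gaps (no second approver, password-plus-SMS authentication), the dual-approved fido2-backed wipe is reported with no gaps, and the delete with no sign-in at all in the window is flagged as unattributed. An empty gaps list on every bulk action is the evidence the question above asks for: destructive operations gated, attributed, and correlated across identity and device logs. To use it on real exports, replace the field mapping in parse_events with the columns of your Entra sign-in and Intune audit exports.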
What's in the full article
Push Security's full analysis covers the operational detail this post intentionally leaves for the source:
- The attacker timeline across identity compromise, Intune access, and the remote wipe command path.
- The vendor's breakdown of why legacy Handala detections would not have fired in this case.
- The log sources, correlation gaps, and administrative events that security teams should inspect after privileged tenant abuse.
- The broader comparison between this destructive case and identity-led campaigns by other threat actors.
👉 Read Push Security's analysis of the Stryker Intune wipe and identity compromise →
Identity compromise over malware: what the Stryker breach means
Explore further
Identity compromise has become the shortest path to destructive impact. The Stryker breach shows that an attacker no longer needs an exploit chain when a privileged cloud identity can invoke a built-in wipe function across the fleet. That is not primarily a tooling issue; it is a governance issue around who can command the management plane. Practitioners should treat tenant administration as a high-impact attack surface.
A few things that frame the scale:
- The attacker simply logged into Microsoft Intune with compromised Global Administrator credentials, abused a legitimate feature, and wiped over 80,000 systems, servers, and mobile devices, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- 24,008 unique secrets were exposed in MCP configuration files in 2025 alone, the protocol's first year of widespread adoption.
A question worth separating out:
Q: Who is accountable when a compromised privileged account triggers remote wipe?
A: Accountability sits with the organisation that granted and governed the privilege, not with the platform feature alone. The breach exposes a governance gap in privileged identity management, admin separation, and operational approval. Frameworks such as NIST CSF and zero trust architecture expect high-risk actions to be constrained and continuously verified, which is where ownership must be enforced.
👉 Read our full editorial: Stryker shows identity compromise now beats malware in destructive attacks