Intune as a wiper channel: what IAM teams missed in Stryker


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter

TL;DR: Stryker’s March 2026 attack showed how valid Microsoft identity access can be turned into a non-encrypting wiper, with public reporting citing nearly 80,000 devices wiped through Intune and at least 50 terabytes of corporate data deleted. The incident demonstrates that perimeter controls and MFA alone do not stop privileged cloud administration abuse, according to SlashID.

NHIMG editorial — based on content published by SlashID covering the Stryker breach: the March 2026 Intune-driven wiper attack and its identity governance implications

By the numbers:

Questions worth separating out

Q: What breaks when a compromised Microsoft admin account can trigger Intune wipes?

A: A single identity can become a fleet-wide destruction tool when remote wipe and factory reset remain available to one session.

Q: Why do Microsoft 365 and Intune attacks bypass many endpoint controls?

A: They use the management plane itself rather than malware on the endpoint.

Q: What do security teams get wrong about Intune and cloud administration risk?

A: They often treat remote management as an operational convenience instead of a privileged control surface.

Practitioner guidance

  • Restrict destructive Intune commands to tightly governed admin paths: Separate remote wipe, retire, and factory reset privileges from routine device administration, and require second-person approval before bulk actions can run across large device groups.
  • Review Microsoft Graph scopes as privileged access: Inventory every app registration, service principal, and admin role that can write to device management, directory roles, or policy settings, then remove anything that does not need cloud-control-plane authority.
  • Harden session handling for Microsoft identity: Assume post-MFA session tokens can be stolen and reused, and add conditional access checks, token revocation workflows, and admin session monitoring for unusual login paths.

What's in the full analysis

SlashID's full breach analysis covers the operational detail this post intentionally leaves for the source:

  • Walkthrough of the suspected initial access paths, including AiTM phishing and VPN compromise, with Microsoft identity implications.
  • Detailed detection matrix for Intune, Entra, and Graph actions, including the control signals that would surface suspicious admin activity.
  • Step-by-step explanation of how legitimate management commands become a living-off-the-land wiper at scale.
  • SlashID's response mapping for destructive admin actions, token abuse, and fleet-wide wipe containment.

👉 Read SlashID's full analysis of the Stryker Intune wiper attack →

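As an added example, not from this post or from SlashID's analysis, here is a detection check for the bulk-wipe and unusual-login-path patterns the practitioner guidance above describes: it slides a time window over destructive Intune operations per actor, and separately flags destructive operations issued from outside an approved admin network. The record shape follows Graph's deviceManagement/auditEvents items, but the sample events, the activityType strings, the account names and the approved network range are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Operation names are constructed to mirror Intune audit "activityType" values;
# substitute your tenant's real values before use.
DESTRUCTIVE_OPS = {"wipeManagedDevice", "retireManagedDevice"}
# Hypothetical approved admin egress range (e.g. a hardened admin workstation subnet).
APPROVED_ADMIN_NETS = [ip_network("203.0.113.0/24")]

def _event(actor, ip, op, when):
    """One constructed record shaped like a deviceManagement/auditEvents item."""
    return {"actor": {"userPrincipalName": actor, "ipAddress": ip},
            "activityType": op, "activityDateTime": when.isoformat() + "Z"}

# Constructed sample: one admin wipes six devices in under three minutes from an
# unknown address; a helpdesk account retires two devices hours apart, from the approved range.
BASE = datetime(2026, 1, 15, 8, 0, 0)
SAMPLE_EVENTS = (
    [_event("admin@contoso.example", "198.51.100.7", "wipeManagedDevice",
            BASE + timedelta(seconds=30 * i)) for i in range(6)]
    + [_event("helpdesk@contoso.example", "203.0.113.25", "retireManagedDevice",
              BASE + timedelta(hours=2 * i)) for i in range(2)]
)

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def find_bulk_destructive_actors(events, threshold=5, window=timedelta(minutes=10)):
    """Map each actor that issued >= threshold destructive ops inside `window` to its peak count."""
    per_actor = defaultdict(list)
    for e in events:
        if e["activityType"] in DESTRUCTIVE_OPS:
            per_actor[e["actor"]["userPrincipalName"]].append(_ts(e["activityDateTime"]))
    flagged = {}
    for actor, times in per_actor.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[actor] = peak
    return flagged

def destructive_from_unapproved_ip(events, approved=APPROVED_ADMIN_NETS):
    """Sorted (actor, ip) pairs that ran a destructive op from outside the approved networks."""
    hits = set()
    for e in events:
        if e["activityType"] in DESTRUCTIVE_OPS:
            ip = ip_address(e["actor"]["ipAddress"])
            if not any(ip in net for net in approved):
                hits.add((e["actor"]["userPrincipalName"], str(ip)))
    return sorted(hits)
```

Both checks are meant to feed a second-person approval or token-revocation workflow rather than to block on their own; tune the threshold and window to the size of a legitimate bulk retire job in your tenant.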
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924

Standing cloud administration is the failure mode this breach exposes. The attack worked because a trusted Microsoft management path retained destructive authority after identity compromise. That is not merely a control gap, it is a governance assumption that privileged cloud actions remain safe because they are native and authenticated. The breach shows the opposite: once Intune, Entra, and Graph are reachable through a compromised identity, legitimacy becomes the delivery mechanism for destruction. Practitioners should treat this as a control-plane exposure problem, not an endpoint-only incident.

A few things that frame the scale:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
  • Only 17% of organisations with least-privileged AI access reported an incident, compared with 76% of over-privileged systems.

A question worth separating out:

Q: Who is accountable when a valid admin identity is used to wipe devices at scale?

A: Accountability sits with the organisation that allowed destructive authority to reside in a single compromised identity path. The governance question is whether privilege boundaries, approval workflows, and session controls were strong enough to stop legitimate tools from becoming a sabotage mechanism.

👉 Read our full editorial: Stryker’s Intune wiper attack exposes identity control-plane gaps
