
Intune control-plane abuse: what IAM teams need to change


Posted by @nhi-mgmt-group (Member Moderator, joined 1 year ago, 3789 posts), topic starter

TL;DR: Attackers used stolen sessions and privileged access to turn Stryker’s Microsoft Intune device-management plane into a non-encrypting wiper, factory-resetting about 200,000 endpoints across 79 offices without custom malware, according to SlashID. The breach shows that device-management platforms need stronger identity controls, because a compromised control plane can become the attack surface.

NHIMG editorial — based on content published by SlashID: Analysis of the 2026 Stryker Breach: Weaponizing Cloud Endpoint Management

Questions worth separating out

Q: What breaks when attackers get privileged access to endpoint management consoles?

A: When attackers reach a device-management console with privileged authority, they can change or destroy endpoints without deploying malware.

Q: Why do session theft and AiTM attacks matter so much for privileged admins?

A: Session theft matters because a live authenticated session can preserve trust even after the password is useless.

Q: How should security teams govern just-in-time access for endpoint administration?

A: Security teams should scope JIT access to a specific task, a specific asset set, and a short-lived approval window.

Practitioner guidance

  • Tighten control-plane authentication: Require phishing-resistant authentication for all Intune and endpoint-management administrators, and re-evaluate whether existing MFA can survive AiTM replay.
  • Reduce standing privileged access: Move endpoint-management roles to just-in-time assignment with approval, explicit expiration, and separate logging for reset or wipe permissions.
  • Separate destructive actions from routine admin: Create a distinct approval path for factory reset, wipe, and policy-enforcement commands, with additional monitoring for bulk execution.
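The two controls above (scoped JIT grants for destructive commands, and monitoring for bulk execution) can be checked against device-management audit logs. The script below is an added example written for this post; it is not SlashID's or NHIMG's code and does not use the real Intune audit schema. The pipe-delimited log format, the action names (`wipe`, `factoryReset`, `retire`), the JIT grant table and the sample events are all constructed assumptions. It flags any destructive action that has no active, device-scoped JIT grant behind it, and any actor whose destructive actions cluster above a threshold inside a sliding time window.

```python
"""Audit-log checks for destructive device-management actions.

Added example, not code from SlashID or NHIMG. The log format, action
names, JIT grant schema and all sample data below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed set of actions treated as destructive (not real Intune names).
DESTRUCTIVE_ACTIONS = {"wipe", "factoryReset", "retire"}


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    actor: str
    action: str
    device: str


def parse_event(line: str) -> AuditEvent:
    """Parse one constructed log line: '<ISO timestamp>|<actor>|<action>|<device id>'."""
    ts, actor, action, device = line.strip().split("|")
    return AuditEvent(datetime.fromisoformat(ts), actor, action, device)


def load_events(text: str) -> list:
    return [parse_event(l) for l in text.splitlines() if l.strip()]


# Constructed JIT grants: actor -> list of (start, end, devices the grant covers).
# A grant is scoped to a task's asset set and a short approval window.
JIT_GRANTS = {
    "alice@corp.example": [
        (datetime(2026, 3, 1, 9, 0), datetime(2026, 3, 1, 10, 0), {"dev-001", "dev-002"}),
    ],
}


def has_active_grant(event: AuditEvent, grants=JIT_GRANTS) -> bool:
    """True if a JIT grant for this actor covers both the timestamp and the device."""
    for start, end, devices in grants.get(event.actor, []):
        if start <= event.ts <= end and event.device in devices:
            return True
    return False


def unapproved_destructive(events, grants=JIT_GRANTS) -> list:
    """Destructive actions executed without a matching scoped JIT grant."""
    return [e for e in events
            if e.action in DESTRUCTIVE_ACTIONS and not has_active_grant(e, grants)]


def bulk_destructive(events, threshold=5, window=timedelta(minutes=10)) -> dict:
    """Actors with >= threshold destructive actions inside any sliding window.

    Returns {actor: peak count in a window}. Per-actor timestamps are sorted and
    scanned with two indices so the check is linear in the number of events.
    """
    by_actor = defaultdict(list)
    for e in events:
        if e.action in DESTRUCTIVE_ACTIONS:
            by_actor[e.actor].append(e.ts)
    flagged = {}
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[actor] = max(flagged.get(actor, 0), count)
    return flagged


# Constructed sample log: alice acts inside her grant once and outside its asset
# set once; bob has no grant and issues six resets in under two minutes.
SAMPLE_LOG = """\
2026-03-01T09:05:00|alice@corp.example|wipe|dev-001
2026-03-01T09:06:00|alice@corp.example|wipe|dev-003
2026-03-01T09:07:00|bob@corp.example|syncDevice|dev-010
2026-03-01T09:30:00|bob@corp.example|factoryReset|dev-010
2026-03-01T09:30:20|bob@corp.example|factoryReset|dev-011
2026-03-01T09:30:40|bob@corp.example|factoryReset|dev-012
2026-03-01T09:31:00|bob@corp.example|factoryReset|dev-013
2026-03-01T09:31:20|bob@corp.example|factoryReset|dev-014
2026-03-01T09:31:40|bob@corp.example|factoryReset|dev-015
"""

if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    for e in unapproved_destructive(evs):
        print(f"UNAPPROVED {e.ts.isoformat()} {e.actor} {e.action} {e.device}")
    for actor, n in bulk_destructive(evs).items():
        print(f"BULK {actor}: {n} destructive actions within 10 minutes")
```

The threshold and window are deliberately small so the sample trips both checks; in practice they would be tuned to the organisation's normal reset volume, and the grant table would be fed from the PAM or approval system rather than a literal.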

What's in the full article

SlashID's full analysis covers the operational detail this post intentionally leaves for the source:

  • A reconstructed attack timeline from infostealer logs through AiTM session theft and privilege escalation.
  • The Microsoft Intune control-plane pivot that enabled mass endpoint resets without custom malware.
  • Detection ideas for MITM and AiTM activity, including behavioral signals around privileged session reuse.
  • Operational discussion of just-in-time privileged access and where it reduces, but does not eliminate, blast radius.

👉 Read SlashID's analysis of the 2026 Stryker breach and Intune abuse →
