TL;DR: Attackers used stolen sessions and privileged access to turn Stryker’s Microsoft Intune device-management plane into a non-encrypting wiper, factory-resetting about 200,000 endpoints across 79 offices without custom malware, according to SlashID. The breach shows that device-management platforms need stronger identity controls, because a compromised control plane can become the attack surface.
NHIMG editorial — based on content published by SlashID: Analysis of the 2026 Stryker Breach: Weaponizing Cloud Endpoint Management
Questions worth separating out
Q: What breaks when attackers get privileged access to endpoint management consoles?
A: When attackers reach a device-management console with privileged authority, they can change or destroy endpoints without deploying malware.
Q: Why do session theft and AiTM attacks matter so much for privileged admins?
A: Session theft matters because a live authenticated session can preserve trust even after the password is useless.
Q: How should security teams govern just-in-time access for endpoint administration?
A: Security teams should scope JIT access to a specific task, a specific asset set, and a short-lived approval window.
Practitioner guidance
- Tighten control-plane authentication: require phishing-resistant authentication for all Intune and endpoint-management administrators, and re-evaluate whether existing MFA can survive AiTM replay.
- Reduce standing privileged access: move endpoint-management roles to just-in-time assignment with approval, explicit expiration, and separate logging for reset or wipe permissions.
- Separate destructive actions from routine admin: create a distinct approval path for factory reset, wipe, and policy-enforcement commands, with additional monitoring for bulk execution.
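The three guidance points above (JIT grants scoped to a task, an asset set and a time window; a separate record of reset and wipe permissions; monitoring for bulk destructive execution) can be expressed as checks over an audit trail. The following is an added example written for this post, not code from SlashID, NHIMG or Microsoft. It uses a constructed, simplified event schema (`AuditEvent`, `JitGrant`) rather than Intune's real audit-log format, and the sample events and grant are made up to exercise the checks: it flags destructive commands that no in-scope JIT grant covers, actors who issue many destructive commands in a short window, and sessions observed from more than one source address (one behavioural signal of a replayed session).

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed schema for this example; not the real Intune audit-log format.
@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    actor: str
    action: str        # e.g. "wipe", "factory_reset", "policy_update"
    device_id: str
    session_id: str
    source_ip: str

@dataclass(frozen=True)
class JitGrant:
    """A just-in-time grant scoped to one task, one asset set, one window."""
    actor: str
    task: str
    actions: frozenset  # actions the approved task is allowed to use
    devices: frozenset  # the asset set the task may touch
    start: datetime
    end: datetime

    def covers(self, e: AuditEvent) -> bool:
        return (e.actor == self.actor and e.action in self.actions
                and e.device_id in self.devices and self.start <= e.ts <= self.end)

DESTRUCTIVE = {"wipe", "factory_reset"}

def uncovered_destructive(events, grants):
    """Destructive events that no active, in-scope JIT grant explains."""
    return [e for e in events
            if e.action in DESTRUCTIVE and not any(g.covers(e) for g in grants)]

def bulk_destructive(events, window=timedelta(minutes=10), threshold=5):
    """(actor, peak count) for actors whose destructive commands within any
    sliding window of `window` length reach `threshold`."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.action in DESTRUCTIVE:
            by_actor[e.actor].append(e)
    alerts = []
    for actor, evs in by_actor.items():
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((actor, peak))
    return alerts

def session_reuse(events):
    """Sessions seen from more than one source IP: session_id -> sorted IPs."""
    ips = defaultdict(set)
    for e in events:
        ips[e.session_id].add(e.source_ip)
    return {s: sorted(v) for s, v in ips.items() if len(v) > 1}

# Constructed sample data: one approved task (wipe two lab devices, one hour),
# then the same session issuing resets to devices outside that scope from a new IP.
T0 = datetime(2026, 1, 15, 9, 0)
SAMPLE_GRANTS = [
    JitGrant("admin1", "retire lab laptops", frozenset({"wipe"}),
             frozenset({"dev-01", "dev-02"}), T0, T0 + timedelta(hours=1)),
]
SAMPLE_EVENTS = [
    AuditEvent(T0 + timedelta(minutes=5), "admin1", "wipe", "dev-01", "sess-a", "10.0.0.5"),
    AuditEvent(T0 + timedelta(minutes=6), "admin1", "wipe", "dev-02", "sess-a", "10.0.0.5"),
] + [
    AuditEvent(T0 + timedelta(minutes=7, seconds=20 * i), "admin1", "factory_reset",
               f"dev-{i + 3:02d}", "sess-a", "203.0.113.9")
    for i in range(5)
] + [
    AuditEvent(T0 + timedelta(minutes=20), "admin2", "policy_update", "dev-10", "sess-b", "10.0.0.6"),
]

def run_checks(events=SAMPLE_EVENTS, grants=SAMPLE_GRANTS):
    """Run all three checks and return their findings together."""
    return {
        "uncovered": [e.device_id for e in uncovered_destructive(events, grants)],
        "bulk": bulk_destructive(events),
        "session_reuse": session_reuse(events),
    }

if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

The grant check is the enforcement view of the JIT guidance: a destructive command is only "explained" if an approved task for that actor, that action, that device and that time exists. The bulk and session checks are the monitoring view, and they fire even when a command happens to be covered, which is the point of keeping a separate record of reset and wipe permissions.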
What's in the full article
SlashID's full analysis covers the operational detail this post intentionally leaves for the source:
- A reconstructed attack timeline from infostealer logs through AiTM session theft and privilege escalation.
- The Microsoft Intune control-plane pivot that enabled mass endpoint resets without custom malware.
- Detection ideas for MITM and AiTM activity, including behavioral signals around privileged session reuse.
- Operational discussion of just-in-time privileged access and where it reduces, but does not eliminate, blast radius.
👉 Read SlashID's analysis of the 2026 Stryker breach and Intune abuse →
Intune control-plane abuse: what do IAM teams need to change?
Explore further
Standing control-plane privilege is the assumption this breach exposed. Intune and similar device-management systems are often treated as if admin access is benign until used, but the Stryker case shows that assumption breaks once attackers inherit live session authority. The issue was not only compromised identity, but the fact that privileged control remained usable long enough to issue destructive fleet-wide actions. Practitioners should treat endpoint-management permissions as high-impact operational authority, not routine admin convenience.
A few things that frame the scale:
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, according to The 2026 Infrastructure Identity Survey.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: Who is accountable when a management plane is used to wipe endpoints at scale?
A: Accountability should be shared across IAM, PAM, endpoint operations, and incident response because the damage comes from identity-backed operational authority. Frameworks such as NIST CSF and zero trust place governance on the access path, not only on the endpoint. That is where ownership and containment need to be defined.
👉 Read our full editorial: Stryker breach shows Intune can become a wiper control plane