TL;DR: The 2026 Stryker breach shows how stolen sessions, privileged access, and Microsoft Intune control-plane abuse can let attackers factory-reset roughly 200,000 endpoints across 79 offices without custom malware, according to SlashID. Identity controls that assume admin actions will be rare and observable are not sufficient when the management plane itself becomes the attack surface.
NHIMG editorial — based on content published by SlashID: Analysis of the 2026 Stryker Breach: Weaponizing Cloud Endpoint Management
Questions worth separating out
Q: What failed when attackers used Intune to wipe enterprise endpoints?
A: The failure was not just endpoint control, but trust in a privileged management session that could execute destructive actions at scale.
Q: Why do device-management platforms create such large blast radius risk?
A: Device-management platforms can push actions to thousands of endpoints from a single trusted control plane, so one compromised identity can produce enterprise-wide impact.
Q: How do security teams know whether privileged session controls are actually working?
A: They should test whether high-risk admin sessions are phishing-resistant, bound to known devices, and short-lived enough to prevent reuse after compromise.
Practitioner guidance
- Harden privileged administrative sessions: require phishing-resistant authentication, device binding, and AiTM detection for all accounts that can reach endpoint management consoles or remote-action APIs.
- Reduce Intune blast radius with just-in-time access: move device-management privileges out of standing roles and into time-bound approvals with explicit task scope.
- Monitor control-plane actions as security events: alert on bulk device resets, policy pushes, and unusual administrative sequencing in Microsoft Intune.
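As an added example of the monitoring point above (this is editorial illustration, not code from SlashID or from the original page), the script below runs two detections over constructed Intune-style audit events: a per-actor sliding window that fires on a burst of destructive device actions, and a sequencing rule that fires when the same actor changes a role or policy and then issues a destructive action shortly afterwards. The field names approximate the Microsoft Graph `deviceManagement/auditEvents` shape (`activityType`, `actor.userPrincipalName`, `activityDateTime`) and the `"<verb> <resource>"` format of `activityType` is assumed; the thresholds, the actor names, and every event are constructed.

```python
"""Added example: bulk-destructive and staging-then-destroy detections over
constructed Intune audit events. Field names approximate the Graph
deviceManagement/auditEvents shape (assumption); no real log data is used."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Verbs taken from activityType strings such as "wipe ManagedDevice" (assumed format).
DESTRUCTIVE_VERBS = {"wipe", "retire", "delete"}
# Control-plane changes that commonly precede a fleet-wide action (assumed resource names).
STAGING_VERBS = {"create", "patch", "assign"}
STAGING_RESOURCES = {"RoleAssignment", "DeviceConfiguration", "DeviceCompliancePolicy"}


def parse_time(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def split_activity(activity_type: str):
    verb, _, resource = activity_type.partition(" ")
    return verb.lower(), resource


def detect_bulk_destructive(events, window=timedelta(minutes=10), threshold=25):
    """Alert once per actor when >= threshold destructive actions land inside a sliding window."""
    recent = defaultdict(deque)
    alerts, fired = [], set()
    for ev in sorted(events, key=lambda e: parse_time(e["activityDateTime"])):
        verb, _ = split_activity(ev["activityType"])
        if verb not in DESTRUCTIVE_VERBS:
            continue
        actor = ev["actor"]["userPrincipalName"]
        t = parse_time(ev["activityDateTime"])
        q = recent[actor]
        q.append(t)
        while t - q[0] > window:          # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and actor not in fired:
            fired.add(actor)
            alerts.append({"rule": "bulk_destructive", "actor": actor, "count": len(q),
                           "window_start": q[0].isoformat(), "window_end": t.isoformat()})
    return alerts


def detect_staging_then_destroy(events, lookback=timedelta(hours=2)):
    """Alert when an actor changes a role/policy and then issues a destructive action within lookback."""
    last_staging = {}
    alerts, fired = [], set()
    for ev in sorted(events, key=lambda e: parse_time(e["activityDateTime"])):
        verb, resource = split_activity(ev["activityType"])
        actor = ev["actor"]["userPrincipalName"]
        t = parse_time(ev["activityDateTime"])
        if verb in STAGING_VERBS and resource in STAGING_RESOURCES:
            last_staging[actor] = (t, ev["activityType"])
        elif verb in DESTRUCTIVE_VERBS and actor in last_staging and actor not in fired:
            staged_at, staged_what = last_staging[actor]
            if t - staged_at <= lookback:
                fired.add(actor)
                alerts.append({"rule": "staging_then_destroy", "actor": actor,
                               "staging": staged_what, "first_destructive": ev["activityType"],
                               "gap_minutes": (t - staged_at).total_seconds() / 60})
    return alerts


def sample_events():
    """Constructed events: a helpdesk user with a normal trickle, and one admin session
    that creates a role assignment and then wipes 40 devices in four minutes."""
    base = datetime(2026, 3, 1, 2, 0, tzinfo=timezone.utc)
    evs = []

    def add(actor, activity, when, device="n/a"):
        evs.append({"activityDateTime": when.isoformat().replace("+00:00", "Z"),
                    "activityType": activity,
                    "actor": {"userPrincipalName": actor},
                    "resources": [{"displayName": device}]})

    for i in range(3):  # three retires spread over a day: should not alert
        add("helpdesk@contoso.example", "retire ManagedDevice", base + timedelta(hours=8 * i), f"laptop-{i}")
    add("itadmin@contoso.example", "create RoleAssignment", base + timedelta(minutes=30))
    for i in range(40):  # one wipe every six seconds
        add("itadmin@contoso.example", "wipe ManagedDevice",
            base + timedelta(minutes=45, seconds=6 * i), f"ws-{i:03d}")
    return evs


if __name__ == "__main__":
    evs = sample_events()
    for alert in detect_bulk_destructive(evs) + detect_staging_then_destroy(evs):
        print(alert)
```

Both rules suppress repeat alerts per actor for the run; a production version would re-arm once the burst ends, pull the events from the tenant's audit export rather than a list, and tune the threshold to the organisation's normal per-admin rate so that a genuine mass re-imaging project is handled by an approved change rather than by raising the bar for everyone.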
What's in the full article
SlashID's full blog post covers the operational detail this analysis intentionally leaves for the source:
- The reconstructed attack timeline across infostealer logs, AiTM theft, privilege escalation, and Intune pivot points.
- Specific MITM and AiTM detection signals that help identify compromised administrative sessions before destructive actions begin.
- Just-in-time privileged access patterns for reducing the impact of device-management accounts that can issue fleet-wide commands.
- Behavioral anomaly examples tied to Microsoft Intune administrative activity and large-scale reset operations.
Read SlashID's analysis of the 2026 Stryker breach and Intune abuse for the full timeline and detection detail.
Microsoft Intune as a wiper surface: what IAM teams missed?