TL;DR: A March 2026 attack turned Stryker’s Microsoft Intune device-management plane into a non-encrypting wiper, resetting about 200,000 endpoints across 79 offices after infostealer logs and AiTM session theft enabled privilege escalation and control-plane abuse, according to SlashID. The breach shows why endpoint-management identities need stronger authentication, tighter privilege boundaries, and runtime anomaly detection before a stolen session becomes a fleet-wide outage.
NHIMG editorial — based on content published by SlashID covering the Stryker breach: Analysis of the 2026 Stryker Breach: Weaponizing Cloud Endpoint Management
By the numbers:
- Attackers can attempt access within an average of 17 minutes when AWS credentials are exposed publicly, and as quickly as 9 minutes in some cases.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, making organisations 4.5x more likely to experience a security incident when AI access is not scoped properly.
Questions worth separating out
Q: What breaks when a cloud endpoint-management plane is compromised?
A: When a cloud endpoint-management plane is compromised, the attacker can turn legitimate administration into mass device disruption.
Q: Why do stolen admin sessions create such a large blast radius in Intune-like systems?
A: Stolen admin sessions create a large blast radius because they inherit the authority of a trusted operator inside the management plane.
Q: How do security teams reduce the risk of AiTM attacks against privileged identity flows?
A: Security teams should use phishing-resistant authentication, session binding, and conditional reauthentication for privileged paths.
Practitioner guidance
- Harden device-management admin sessions: require phishing-resistant authentication, session binding, and reauthentication before destructive endpoint actions such as wipe, retire, or bulk policy push.
- Separate control-plane privileges by action type: split read, policy change, device action, and tenant-wide administration into distinct roles.
- Monitor destructive admin actions as security events: alert on factory reset, mass retire, bulk compliance change, and large-scale re-enrollment workflows.
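One way to implement the third item, as an added example that is not SlashID's or NHIMG's code: it runs a per-actor sliding-window count of destructive device actions over constructed audit events, plus a size check on tenant-wide changes. The event fields (`ts`, `actor`, `action`, `devices`) and the action names are assumptions for illustration, not Microsoft's real Intune audit schema.

```python
"""Detect mass-destructive device-management activity in audit events.

Added example, not code from SlashID or NHIMG. The event shape and action
names below are constructed approximations, not the real Intune audit schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Per-device actions that reset or remove an endpoint (assumed names).
DESTRUCTIVE_ACTIONS = {"wipe", "factoryReset", "retire"}
# Tenant-wide changes that only become dangerous at scale (assumed names).
BULK_ACTIONS = {"compliancePolicyAssign", "bulkReenroll"}

# Constructed sample events: admin-a wipes in a burst, admin-b does routine
# work, admin-c pushes one compliance change to a large device population.
SAMPLE_EVENTS = [
    {"ts": "2026-03-10T02:14:05Z", "actor": "admin-a", "action": "wipe", "devices": 40},
    {"ts": "2026-03-10T02:15:12Z", "actor": "admin-a", "action": "wipe", "devices": 40},
    {"ts": "2026-03-10T02:16:30Z", "actor": "admin-a", "action": "retire", "devices": 30},
    {"ts": "2026-03-10T09:00:00Z", "actor": "admin-b", "action": "wipe", "devices": 1},
    {"ts": "2026-03-10T09:05:00Z", "actor": "admin-b", "action": "syncDevice", "devices": 200},
    {"ts": "2026-03-10T11:20:00Z", "actor": "admin-c", "action": "compliancePolicyAssign", "devices": 5000},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_destructive_bursts(events, window=timedelta(minutes=10), threshold=100):
    """Return one alert per actor whose destructive actions touch at least
    `threshold` devices inside any `window`, and one alert per bulk change
    that alone reaches `threshold` devices."""
    alerts = []
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] in BULK_ACTIONS and e["devices"] >= threshold:
            alerts.append({"actor": e["actor"], "reason": "bulk_change",
                           "devices": e["devices"], "at": e["ts"]})
        elif e["action"] in DESTRUCTIVE_ACTIONS:
            by_actor[e["actor"]].append((_parse(e["ts"]), e["devices"]))
    for actor, hits in by_actor.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide window forward
                start += 1
            total = sum(d for _, d in hits[start:end + 1])
            if total >= threshold:
                alerts.append({"actor": actor, "reason": "destructive_burst",
                               "devices": total, "at": hits[start][0].isoformat()})
                break  # one page per actor is enough; the rest goes to triage
    return alerts
```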
What's in the full article
SlashID's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step reconstruction of the Stryker attack chain from session theft to control-plane abuse.
- Specific mitigation mapping for MITM and AiTM detection across privileged identity flows.
- Implementation detail for just-in-time privileged access in endpoint-management environments.
- Behavioral anomaly patterns that help distinguish normal administration from destructive control-plane use.
👉 Read SlashID's analysis of the Stryker breach and Intune control-plane abuse →
Microsoft Intune as an attack surface: what IAM teams should notice
Explore further
Cloud endpoint-management identities are now high-impact non-human identities. Intune and similar control planes do not just manage devices, they execute fleet-wide change. When those identities are compromised, the blast radius is operational, not merely administrative, and that moves endpoint management into the same governance class as other privileged NHIs. Practitioners should treat the management plane as a destructive capability surface, not a back-office console.
A few things that frame the scale:
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, according to The 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
A question worth separating out:
Q: Who is accountable when a management-plane identity is used to wipe endpoints?
A: Accountability sits with the teams that own privileged identity governance, endpoint management, and incident response together. If a control-plane identity can trigger destructive action, then access review, approval design, and monitoring are shared responsibilities. Frameworks such as NIST CSF and OWASP NHI are relevant because the issue spans governance and execution.
👉 Read our full editorial: Stryker breach shows cloud endpoint control planes can be weaponized