TL;DR: Stryker’s March 2026 breach shows how attackers can turn stolen sessions, elevated privileges, and Microsoft Intune into a large-scale wiper path without custom malware, affecting about 200,000 endpoints across 79 offices, according to SlashID. The lesson is that endpoint management planes are now identity-critical attack surfaces, and standing admin paths are the weak link.
NHIMG editorial — based on content published by SlashID covering the 2026 Stryker breach: Analysis of the 2026 Stryker Breach: Weaponizing Cloud Endpoint Management
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
Questions worth separating out
Q: What fails when a cloud endpoint management console is compromised?
A: When a cloud endpoint management console is compromised, the failure is not just device administration, it is privileged execution at fleet scale.
Q: Why do privileged sessions in endpoint management create such a large blast radius?
A: Privileged sessions in endpoint management create a large blast radius because the console is authoritative across many devices at once.
Q: How do security teams know whether management-plane access is too broad?
A: Security teams know management-plane access is too broad when a single role can perform support, remediation, and destructive actions without separate approval paths.
Practitioner guidance
- Treat endpoint management consoles as privileged identity systems. Require the same governance for Intune and similar platforms that you apply to PAM-controlled admin paths.
- Enforce phishing-resistant admin authentication. Use hardware-backed or passkey-based authentication for management-plane administrators, then bind sessions to device and context signals so token theft is harder to reuse.
- Put just-in-time controls on destructive actions. Move wipe, reset, and bulk remediation permissions into short-lived elevation with approval and explicit logging.
What's in the full article
SlashID's full analysis covers the operational detail this post intentionally leaves for the source:
- A step-by-step reconstruction of the Infostealer, AiTM, and privilege escalation chain behind the Intune pivot.
- Specific MITM and session-theft detection patterns that help distinguish normal admin work from control-plane abuse.
- Practical examples of just-in-time privileged access for endpoint administrators and how to scope wipe-capable roles.
- The control and telemetry logic needed to spot bulk device actions before they fan out across an estate.
👉 Read SlashID's analysis of the Stryker breach and Intune control-plane attack →
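A minimal illustration of the two controls the guidance above combines (just-in-time elevation for destructive actions, and telemetry that flags bulk device actions before they fan out). This is an added example, not SlashID's or Microsoft's code; the event shape, field names, actors and JIT grant table are constructed assumptions, not the real Intune audit schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events in a simplified, generic shape.
# Field names and values are assumptions for illustration, not a real Intune schema.
SAMPLE_EVENTS = [
    {"ts": "2026-03-10T09:00:05Z", "actor": "helpdesk@corp.example", "action": "deviceWipe", "device": "d-001"},
    {"ts": "2026-03-10T09:01:00Z", "actor": "admin@corp.example", "action": "deviceWipe", "device": "d-100"},
    {"ts": "2026-03-10T09:01:10Z", "actor": "admin@corp.example", "action": "deviceWipe", "device": "d-101"},
    {"ts": "2026-03-10T09:01:20Z", "actor": "admin@corp.example", "action": "syncDevice", "device": "d-102"},
    {"ts": "2026-03-10T09:01:30Z", "actor": "admin@corp.example", "action": "deviceWipe", "device": "d-103"},
    {"ts": "2026-03-10T10:00:00Z", "actor": "ops@corp.example", "action": "deviceReset", "device": "d-200"},
    {"ts": "2026-03-10T10:00:30Z", "actor": "ops@corp.example", "action": "deviceReset", "device": "d-201"},
    {"ts": "2026-03-10T10:01:00Z", "actor": "ops@corp.example", "action": "deviceReset", "device": "d-202"},
]

# Constructed JIT elevation grants: actor -> (start, end) of an approved elevation window.
SAMPLE_JIT = {"ops@corp.example": ("2026-03-10T09:55:00Z", "2026-03-10T10:25:00Z")}

# Actions that destroy or remove a device; a burst of these is the signal of interest.
DESTRUCTIVE = {"deviceWipe", "deviceReset", "retire"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_bulk_destructive(events, jit_grants=None, threshold=3, window=timedelta(minutes=5)):
    """Return actors that issued >= `threshold` destructive actions inside any span of
    length `window` while no approved JIT elevation covered that moment.
    Each actor is reported at most once."""
    jit_grants = jit_grants or {}
    recent = defaultdict(deque)   # actor -> timestamps of recent destructive actions
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] not in DESTRUCTIVE:
            continue
        t = parse_ts(ev["ts"])
        q = recent[ev["actor"]]
        q.append(t)
        while t - q[0] > window:  # slide the window forward, dropping stale entries
            q.popleft()
        if len(q) < threshold or ev["actor"] in flagged:
            continue
        grant = jit_grants.get(ev["actor"])
        covered = grant is not None and parse_ts(grant[0]) <= t <= parse_ts(grant[1])
        if not covered:           # burst of destructive actions with no approved elevation
            flagged.append(ev["actor"])
    return flagged
```

On the constructed sample, the single help-desk wipe and the ops burst inside its approved window pass, while the admin session issuing three wipes in thirty seconds with no elevation is flagged.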
Microsoft Intune pivot attacks: what IAM teams need to change?
Explore further
Intune abuse is a privileged identity problem disguised as endpoint management. The breach worked because the management plane was trusted to execute destructive actions once an authenticated admin session existed. That makes the console itself part of the identity perimeter, not a separate IT domain. Practitioners should treat endpoint administration as privileged access to a fleet, not as ordinary device support.
A few things that frame the scale:
- The attack factory-reset roughly 200,000 endpoints across 79 offices worldwide without dropping a single piece of custom malware, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- Organisations that describe themselves as confident in their AI deployment actually experience a 72% security incident rate, compared to 33% for those who remain cautious.
A question worth separating out:
Q: Who is accountable when a device-management platform is used to wipe endpoints?
A: Accountability sits with the organisation that defined the privilege model, the access approvals, and the monitoring around the management plane. The relevant governance question is whether destructive commands were constrained, reviewed, and attributable before execution. NIST CSF and OWASP NHI both support that accountability model.
👉 Read our full editorial: Stryker breach shows how cloud endpoint management can become wiper control