shocked woman on computer

There’s a moment after every high-profile cyber incident where leaders quietly ask themselves the same question: “Could this happen to us?”

The recent disruption involving Stryker should make that question feel uncomfortably real. Not because it exposed a flaw in Microsoft Intune (it didn’t) but because it showed how quickly a trusted platform can be turned into a weapon when identity controls fail.

And that’s exactly why incidents like this shouldn’t be downplayed or buried. They should be shared, dissected, and learned from, because they will happen again. We are a learning species and this is certainly a learning moment for anyone who relies on Microsoft 365.

The Incident Everyone Is Talking About (and Misunderstanding)

Reports indicate that attackers gained access to Stryker’s Microsoft cloud environment and then moved laterally into administrative control of Microsoft Intune.

While full forensic details haven’t been publicly confirmed, the pattern aligns with what we’re consistently seeing in similar attacks:

How they likely got in

Attackers didn’t need to “hack” Intune. They compromised identity first. That typically means one of the following:

  • Phishing or credential theft targeting a privileged user e.g. an IT System Administrator

  • Token theft (session hijacking) that bypasses traditional MFA

  • Exploitation of overprivileged accounts without strong conditional access controls

Once inside, the hacker didn’t need to do much, because the access they gained landed already had the keys to the castle.

What they did next

With that level of access, the attackers used Intune exactly as it was designed to be used:

  • Issued remote wipe (factory reset) commands across thousands of devices

  • Targeted Windows endpoints, mobile devices, and user-enrolled devices

  • Executed actions globally, almost instantly

No malware needed. No persistence required. The platform did the work for them.

What they exposed’

This wasn’t about data exfiltration in the traditional sense. This was about disrupting a businessthrough:

  • Administrative access to device management at scale

  • Visibility into enrolled corporate and BYOD endpoints

  • The ability to wipe devices across the entire fleet

In other words, they didn’t steal the data,, they deleted it all.

The impact

  • Devices were rendered unusable overnight

  • Employees lost access to both corporate and personal data

  • IT teams were locked out of their own management tools in some cases

  • Business operations slowed or stopped entirely, with some teams reverting to manual processes

This is what makes the incident so important to understand. Nothing was “broken.” Nothing “failed” in the traditional sense. The attackers simply logged in and used trusted tools at scale.

And that’s exactly why calling this an Intune breach misses the point.

Why This Changes the Conversation

Most security strategies are still anchored to protecting endpoints. But this wasn’t an endpoint attack. It was a control plane attack.

Once an attacker is operating inside your management layer:

  • Security tools don’t block “legitimate” admin actions

  • Destructive commands execute exactly as designed

  • The blast radius can be global

  • Recovery becomes operational, not just technical

This is why guidance from both CISA (Cybersecurity and Infrastructure Security Agency) and Microsoft has increasingly emphasized hardening identity, privilege, and management planes, not just endpoints.

Because the real perimeter isn’t the device anymore. It’s identity.

The Real Failure Point: Identity and Privilege

If you work backwards from this kind of incident, the questions practically answer themselves:

  • Who had access to do this?

  • How easy was it to elevate privileges?

  • What controls were in place to prevent misuse?

In most environments, the gaps are predictable:

  • Standing administrative privileges that are rarely justified

  • Limited separation between everyday admin tasks and destructive actions

  • Overreliance on MFA that can still be phished or bypassed

  • Lack of visibility into high-risk administrative behavior

How to Make This Attack Much Harder (and Far Less Damaging)

No environment is immune. But you can dramatically reduce both the likelihood and the impact.

Here’s what actually moves the needle:

Tighten privilege where it matters most

Very few people should have the ability to wipe or retire a large volume of devices with a single action. Treat these permissions like production-breaking access, because that’s exactly what they are.

Shift to just-in-time access

Privileged Identity Management should be standard, not optional. Short-lived access, approvals, and strong authentication reduce the value of stolen credentials.

Lock administration to trusted environments

Administrative actions should only occur from compliant, corporate-controlled devices.

Adopt phishing-resistant authentication

Passkeys and FIDO2 keys materially reduce the risk of credential theft. For high-privilege roles, this is a must, not “nice to have.”

Separate duties intentionally

The person who manages policy shouldn’t automatically be able to execute destructive actions. Segregate duties.

Increase visibility where it counts

Forward audit logs to a SIEM. Monitor for unusual patterns (especially bulk or rapid administrative actions.)

These practices are directly aligned with the kind of hardening guidance coming from both Microsoft and CISA following incidents like this.

The Leadership Opportunity Most Businesses Miss

There’s a natural instinct to stay quiet when incidents like this happen, especially when the narrative gets messy.

But silence creates two problems:

  1. Attackers keep refining the same playbook
  2. Other businesses miss the chance to close the same gaps

This is where strong security leadership stands out. By leaning into the conversation. Sharing lessons learned doesn’t weaken your position. It strengthens the entire ecosystem.

What CISOs and IT Leaders Should Be Asking Right Now

If this incident hit close to home, that’s not a bad thing. It’s a signal.

The right questions aren’t complicated:

  • Do we know exactly who can perform destructive actions in our environment?

  • How quickly could an attacker gain that level of access?

  • Would we detect abnormal administrative behavior in real time?

  • Lack of visibility into high-risk administrative behavior

  • Are we confident in our ability to limit the blast radius?

And just as importantly:

  • Do we have the right skills internally to answer those questions with confidence?

Because many teams don’t. And that’s okay, as long as it’s acknowledged early.

Conclusion

Modern attacks don’t always break in. Sometimes, they log in with admin credentials.

Platforms like Microsoft Intune are incredibly powerful and that power cuts both ways. When identity and privilege controls are tight, they enable scale, efficiency, and security.

When they’re not, they enable impact. Fast.

If this scenario feels a little too plausible, that’s the point. The goal isn’t to create fear, it’s to create clarity on where to act next.

Because the businesses that learn fastest from incidents like this are the ones that don’t become the next headline.

Get the Guide to Modern Digital Identity

Key Topics include:

  • How to find and adopt a Modern Idp

  • Identity Governance

  • The benefits of going modern

  • Modern Authentication and Authorization Practices

Andrew Reade

Andrew Reade

Andrew is our Digital Marketing Manager and oversees web-based marketing strategies and content creation for the organization. As a marketing veteran, Andrew has worked with organizations of all sizes in a diverse group of industries, from Risk Management to Transportation. Joining the organization in 2021, Andrew is based in Mobile Mentor’s Nashville, TN office.