On March 11, 2026, an Iranian-linked group called Handala used Stryker Corporation's own Microsoft Intune environment to factory-reset more than 200,000 devices across 79 countries. No malware. No zero-day exploit. No ransomware. The attackers gained admin credentials to Stryker's Microsoft 365 tenant and pressed the wipe button that Intune provides to every IT administrator.
The distinction matters for every mortgage company, credit union, and community bank running Microsoft 365. This wasn't a Microsoft platform breach. Intune performed exactly the way it was designed to perform. The failure was entirely in how Stryker managed privileged access to their own tenant. And the admin controls Stryker lacked are the same ones many financial institutions haven't configured yet.
Two specific Microsoft features would have prevented the entire attack. Both are available today, built into licensing most financial institutions already own. Here's what happened, why your organization is at risk, and what your IT team can configure before the week is out.
What Really Happened at Stryker
The Stryker attack followed a two-team playbook that Iran's Ministry of Intelligence runs repeatedly. First, a cyber espionage group called MuddyWater (also known as Seedworm) spent weeks quietly breaking into the network using backdoor tools called Dindoor and Fakeset. Their job was access, not destruction. Once they had a foothold, they handed the keys to a second group whose only job is to destroy. That destruction team operates publicly under the name Handala and is tracked by cybersecurity firm Check Point as Void Manticore.
The attackers compromised Global Administrator credentials in Stryker's Entra ID environment. With those credentials, they had full control over Intune device management. At approximately 3:30 AM EDT, they issued mass remote wipe commands across the entire managed device fleet.
Attack Timeline: March 11, 2026
At 3:30 AM EDT, attackers used legitimate Intune admin credentials to issue factory-reset commands to 200,000+ devices across 79 countries. Stryker's Cork, Ireland headquarters sent 5,000 employees home. Michigan headquarters declared a building emergency. Stock dropped 3-4.5% within hours. Handala claimed to have exfiltrated 50TB of data, though this claim has not been independently verified.
No encryption. No ransom demand. No malware to detect. The attackers used Intune's built-in remote wipe feature, which exists so IT administrators can securely retire lost or stolen devices. It's a legitimate tool, and Intune executed the commands exactly as designed.
Microsoft Intune worked exactly as designed. The failure was in how Stryker managed admin credentials, MFA, and privileged access.
How the attackers obtained those credentials hasn't been publicly confirmed. Iranian threat groups like MuddyWater routinely use adversary-in-the-middle (AiTM) phishing that intercepts authenticated sessions in real time, bypassing standard MFA entirely. Proofpoint documented active campaigns by TA450, its designation for MuddyWater, targeting US organizations as recently as March 8. Whether that's how Stryker's credentials were compromised remains unconfirmed, but the lesson holds: standard MFA alone doesn't protect admin accounts from determined nation-state operators. Phishing-resistant MFA methods like FIDO2 security keys or Windows Hello for Business bind credentials to the legitimate domain so they can't be intercepted. And Privileged Identity Management (PIM) ensures that even if credentials are stolen, they don't carry standing admin privileges to exploit.
How Exposed Are Your Admin Accounts?
ABT evaluates Intune admin controls, PIM configuration, and Conditional Access policies for 750+ financial institutions.
Why Mortgage Companies, Banks, and Credit Unions Should Pay Attention
The Stryker attack targeted a medical device manufacturer, not a financial institution. But the attack method works against any organization running Microsoft 365 with Intune device management. And the threat actors behind it are actively targeting the financial sector.
Active Threat: Iranian Groups Targeting US Critical Infrastructure
A joint NSA, CISA, FBI, and DC3 cybersecurity advisory issued in June 2025 warns that Iranian state-sponsored cyber actors are actively targeting US critical infrastructure, including financial services. MuddyWater, the MOIS group that pre-positioned access for the Stryker attackers, was documented by Proofpoint (as TA450) targeting US organizations as recently as March 8, 2026.
Mortgage companies are particularly exposed. Most run Microsoft 365 Business Premium or E3 with Intune managing every loan officer's laptop. Their IT teams tend to be lean, sometimes just two or three people for a company processing hundreds of millions in monthly volume. The admin controls that would have stopped the Stryker attack often go unconfigured because they require deliberate setup beyond the defaults.
Credit unions face similar risks. Member data protection under NCUA oversight depends on securing the same Entra ID admin plane that Stryker left exposed. A compromised Global Admin at a credit union doesn't just wipe devices. It can access SharePoint document libraries with member records, modify Conditional Access policies to create persistent backdoors, and disable security alerts that would otherwise catch the intrusion.
Community banks operating under FFIEC examination requirements need to demonstrate that privileged access controls are active, documented, and monitored. An examiner asking "Who has the ability to remotely wipe every device in your environment?" expects a short list behind just-in-time access controls. Not four roles with standing permissions.
- Multi-Admin Approval (MAA): An Intune feature requiring a second administrator to approve before wipe, retire, or delete actions execute on managed devices.
- PIM (Privileged Identity Management): An Entra ID feature enforcing just-in-time admin access. No user holds standing Global Admin or Intune Admin privileges.
- AiTM (Adversary-in-the-Middle): A phishing technique that intercepts authentication sessions in real time, capturing tokens that bypass traditional MFA protections.
Two Controls That Would Have Stopped This Attack
The Stryker attack succeeded because a single compromised admin account could issue wipe commands to every managed device without any secondary approval or detection. Two built-in Microsoft features close that gap.
Control 1: Multi-Admin Approval for Intune Wipe Actions
Multi-Admin Approval (MAA) is a built-in Intune capability, generally available since service release 2508. When configured, MAA requires a second administrator to approve before wipe, retire, or delete actions execute. A compromised admin account can request a mass wipe, but nothing happens until a second person from a designated approver group confirms the action.
Configuration is straightforward. In the Intune admin center, navigate to Tenant administration, then Multi Admin Approval, then Access policies. Create a policy that protects wipe, retire, and delete operations. Assign an approver group with at least two people. From that point forward, every destructive device action waits for approval.
If MAA had been active on Stryker's tenant, the attack would have stalled at the approval step. The attackers could have requested 200,000 wipes, but every single one would have sat in a pending queue until a second admin approved it.
Control 2: Microsoft Sentinel Detection Rules
MAA blocks the destructive action. Sentinel detects the attempt. Together, they form a two-layer defense: the wipe command fails, and your security team gets alerted that someone tried.
Four KQL detection rules cover the Stryker attack pattern. The first monitors for mass remote wipe events, alerting when more than five devices are targeted within 15 minutes. The second watches audit logs for bulk wipe commands from a single operator. The third flags first-time wipe operators by comparing current activity against a 14-day baseline. The fourth correlates UEBA suspicious admin activity with wipe commands.
Financial institutions already running Microsoft 365 compliance configurations with Sentinel can deploy these rules within a few hours. For organizations without Sentinel, the investment is small relative to the cost of a Stryker-scale device wipe.
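The mass-wipe and first-time-operator rules described above (the same rules action 3 in the checklist below asks for), reproduced as Python over constructed Intune audit events so the logic can be read and run offline. This is an added example, not a Sentinel rule from the article or from ABT: in production the same logic is written in KQL over the Sentinel tables that ingest Intune audit data. The record field names (time, operator, activity, device) and every sample value are assumptions, and the device threshold is a parameter so it can be set to match your own rule. The fourth rule, UEBA correlation, depends on Sentinel's behavior-analytics tables and is not reproduced here.

```python
"""Reproduce the Stryker-pattern wipe detections over constructed Intune audit events."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events, not real audit data. Field names are assumed; the
# Intune audit log in Sentinel carries comparable operator/device/activity fields.
SAMPLE_EVENTS = [
    # Routine: a help desk operator wiping one lost laptop two days earlier.
    {"time": "2026-03-09T14:02:00Z", "operator": "helpdesk1@contoso.example",
     "activity": "wipe", "device": "LT-0042"},
    # Suspicious: one operator wiping eight devices within about three minutes at 03:30.
    *[{"time": f"2026-03-11T03:{30 + i // 3:02d}:{(i % 3) * 20:02d}Z",
       "operator": "gadmin@contoso.example", "activity": "wipe", "device": f"LT-{1000 + i}"}
      for i in range(8)],
    # A non-destructive action from the same operator; it must not count toward the rule.
    {"time": "2026-03-11T03:31:05Z", "operator": "gadmin@contoso.example",
     "activity": "syncDevice", "device": "LT-2000"},
]

# The three device actions the article says MAA should gate and Sentinel should watch.
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "delete"}


def parse_time(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def destructive_events(events):
    """Keep only wipe/retire/delete events, ordered by time."""
    return sorted((e for e in events if e["activity"] in DESTRUCTIVE_ACTIONS),
                  key=lambda e: parse_time(e["time"]))


def detect_mass_wipe(events, min_devices=5, window_minutes=15):
    """Rules 1 and 2: one operator targeting at least min_devices distinct devices
    inside any sliding window of window_minutes. Returns one alert per operator,
    reporting the busiest window found."""
    window = timedelta(minutes=window_minutes)
    by_operator = defaultdict(list)
    for event in destructive_events(events):
        by_operator[event["operator"]].append(event)

    alerts = []
    for operator, evs in by_operator.items():
        best, start = None, 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside window_minutes.
            while parse_time(evs[end]["time"]) - parse_time(evs[start]["time"]) > window:
                start += 1
            devices = {e["device"] for e in evs[start:end + 1]}
            if len(devices) >= min_devices and (best is None or len(devices) > best["device_count"]):
                best = {"operator": operator, "window_start": evs[start]["time"],
                        "device_count": len(devices)}
        if best:
            alerts.append(best)
    return alerts


def detect_first_time_operators(events, now, baseline_days=14, current_hours=24):
    """Rule 3: operators issuing destructive actions in the current window who
    issued none during the preceding baseline period."""
    current_start = now - timedelta(hours=current_hours)
    baseline_start = now - timedelta(days=baseline_days)
    baseline, current = set(), set()
    for event in destructive_events(events):
        t = parse_time(event["time"])
        if baseline_start <= t < current_start:
            baseline.add(event["operator"])
        elif current_start <= t <= now:
            current.add(event["operator"])
    return sorted(current - baseline)


if __name__ == "__main__":
    now = parse_time("2026-03-11T04:00:00Z")  # assumed evaluation time for the sample
    for alert in detect_mass_wipe(SAMPLE_EVENTS):
        print("MASS WIPE:", alert)
    for operator in detect_first_time_operators(SAMPLE_EVENTS, now):
        print("FIRST-TIME WIPE OPERATOR:", operator)
```

Run against the sample, the mass-wipe rule fires once for the 03:30 operator with eight devices in the window, and the baseline rule flags that same account because it had never issued a destructive action in the prior two weeks, while the help desk operator's single wipe two days earlier triggers neither. The sliding window is the piece worth carrying over to KQL: a fixed 15-minute bucket can split a burst across two buckets and miss it.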
Four Entra ID Roles with Device Wipe Permissions
Only four built-in roles can remotely wipe devices through Intune. All four must be protected with Privileged Identity Management so nobody holds them as permanent assignments.
- Global Administrator: Full tenant control including all Intune device actions
- Intune Administrator: Full Intune management including wipe, retire, and delete
- Help Desk Operator: Has wipe permission by default, often overlooked in privilege reviews
- School Administrator: Has wipe and retire permissions, relevant for institutions running education-adjacent programs
What Your IT Team Should Do This Week
The Stryker attack exposed a governance gap, not a software vulnerability. Closing that gap requires configuration changes, not new products. Here are four actions your IT team can complete this week, ranked by impact.
- Enable Multi-Admin Approval for Intune wipe actions. Configure in Tenant administration, then Multi Admin Approval, then Access policies. Require approval for wipe, retire, and delete actions. Assign at least two people to the approver group.
- Audit PIM status on all four roles with wipe permissions. Verify that Global Admin, Intune Admin, Help Desk Operator, and School Administrator roles require just-in-time activation with time-limited sessions. No account should hold any of these roles as a permanent assignment.
- Deploy Sentinel detection rules for mass wipe attempts. Create KQL rules that alert on five or more device wipes within 15 minutes, first-time wipe operators, and UEBA anomaly correlation with destructive actions.
- Upgrade admin accounts to phishing-resistant MFA. Replace token-based MFA with FIDO2 security keys or Windows Hello for Business on every account that can activate an admin role. Both methods bind credentials to the legitimate domain, so AiTM phishing proxies can't intercept them. This is a strong additional layer on top of PIM, not a replacement for it.
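One way to carry out the PIM audit in action 2 (covering the four wipe-capable roles listed above) against an export of active role assignments, as an added example that is not the article's or ABT's tooling. It assumes a constructed JSON export shape: one record per active assignment with the role display name, the principal, an assignmentType of "Assigned" for a permanent assignment or "Activated" for a time-boxed PIM activation, and an endDateTime. A real export from Microsoft Graph's directory role management endpoints would need mapping onto those fields, and roles are matched by display name rather than by role template ID for readability.

```python
"""Flag standing (permanent) assignments of roles that can remotely wipe Intune devices."""
import json
from datetime import datetime, timedelta, timezone

# The four roles the article names as able to wipe devices through Intune.
WIPE_CAPABLE_ROLES = {
    "Global Administrator", "Intune Administrator", "Help Desk Operator", "School Administrator",
}

# Constructed export, not real tenant data. The record shape is an assumption.
SAMPLE_EXPORT = json.dumps([
    {"role": "Global Administrator", "principal": "gadmin@contoso.example",
     "assignmentType": "Assigned", "endDateTime": None},
    {"role": "Intune Administrator", "principal": "ops@contoso.example",
     "assignmentType": "Activated", "endDateTime": "2026-03-11T12:00:00Z"},
    {"role": "Help Desk Operator", "principal": "helpdesk1@contoso.example",
     "assignmentType": "Assigned", "endDateTime": None},
    {"role": "Global Reader", "principal": "auditor@contoso.example",
     "assignmentType": "Assigned", "endDateTime": None},
    {"role": "School Administrator", "principal": "svc-pim@contoso.example",
     "assignmentType": "Activated", "endDateTime": "2026-03-11T06:00:00Z"},
])


def parse_time(value):
    """Parse the ISO-8601 UTC timestamps used in the sample export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def pim_audit(export_json, now, max_activation_hours=8):
    """Classify every wipe-capable assignment.

    standing: permanent assignments (no PIM activation, or no end time), the
              condition the article says no account should be in.
    long_activations: PIM activations with more time remaining than the policy allows.
    roles_clean: wipe-capable roles with no standing assignment at all.
    """
    standing, long_activations = [], []
    for assignment in json.loads(export_json):
        role = assignment["role"]
        if role not in WIPE_CAPABLE_ROLES:
            continue  # read-only and other roles are out of scope for this check
        end = assignment.get("endDateTime")
        if assignment.get("assignmentType") != "Activated" or end is None:
            standing.append({"role": role, "principal": assignment["principal"]})
        elif parse_time(end) - now > timedelta(hours=max_activation_hours):
            long_activations.append({"role": role, "principal": assignment["principal"],
                                     "ends": end})
    roles_with_standing = {finding["role"] for finding in standing}
    return {
        "standing": standing,
        "long_activations": long_activations,
        "roles_clean": sorted(WIPE_CAPABLE_ROLES - roles_with_standing),
    }


if __name__ == "__main__":
    result = pim_audit(SAMPLE_EXPORT, parse_time("2026-03-11T04:00:00Z"))  # assumed audit time
    for finding in result["standing"]:
        print("STANDING WIPE-CAPABLE ASSIGNMENT:", finding)
    for finding in result["long_activations"]:
        print("ACTIVATION EXCEEDS LIMIT:", finding)
    print("Roles with no standing assignment:", result["roles_clean"])
```

On the sample, the two "Assigned" records on Global Administrator and Help Desk Operator are the findings an examiner would ask about; the two PIM activations pass because they expire within the limit, and Global Reader is ignored because it cannot wipe. Lowering max_activation_hours to 4 flags the eight-hour Intune Administrator activation, which is the knob to tune to whatever your PIM role settings allow.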
If your organization manages Microsoft 365 through an external IT partner, ask them directly: "Have you enabled Multi-Admin Approval on our tenant? Which of our admin accounts have standing wipe permissions?" A partner that can't answer those questions immediately is a partner carrying unnecessary risk in your environment.
ABT already monitors standing admin accounts across all managed tenants through Guardian Security Insights, surfacing active privileged roles that customers may not realize are exposed. In response to the Stryker attack, we're offering MAA configuration and Sentinel detection rules to every managed customer. No financial institution should depend on the assumption that their admin credentials won't be compromised. The Stryker attack proved that assumption wrong.
Key Takeaway
The Stryker attack didn't exploit a software vulnerability. It exploited a governance gap. The attackers used legitimate admin tools because legitimate admins had too much standing access. Two controls would have stopped it: Multi-Admin Approval to block the wipe command, and Sentinel rules to detect the attempt.
Could Your Tenant Survive a Stryker-Style Attack?
ABT's security assessment evaluates your Intune admin controls, PIM configuration, and Conditional Access policies against the exact attack patterns used in the Stryker breach. Takes 48 hours. Covers every managed device.
Frequently Asked Questions
Was this a breach of Microsoft's platform?
No. Microsoft's cloud platform was not compromised. Attackers gained access to Stryker's tenant-level administrator credentials and used legitimate Intune remote wipe capabilities to factory-reset devices. The failure was in Stryker's credential management and privileged access controls, not in the Microsoft platform itself.
What is Multi-Admin Approval?
Multi-Admin Approval is a built-in Intune feature, generally available since service release 2508, that requires a second administrator to approve before wipe, retire, or delete actions execute on managed devices. It adds a human verification step that prevents a single compromised account from issuing destructive commands at scale.
Which roles can remotely wipe devices through Intune?
Four built-in roles can remotely wipe devices through Intune: Global Administrator and Intune Administrator have full control that includes wipe, while Help Desk Operator and School Administrator have explicit wipe permissions in their built-in role definitions. All four should be protected with Privileged Identity Management so no user holds these roles as permanent assignments.
Why should financial institutions be concerned about an attack on a medical device manufacturer?
A joint NSA, CISA, FBI, and DC3 advisory warns that Iranian state-sponsored cyber actors are actively targeting US critical infrastructure, including financial services. MuddyWater, the group that pre-positioned access for the Stryker attackers, has been documented targeting US organizations. Financial institutions running Microsoft 365 face the same tenant-level admin risks that Stryker failed to address before the attack.
What should we configure first?
Enable Privileged Identity Management on every admin role that carries wipe permissions, and enable Multi-Admin Approval for Intune wipe, retire, and delete actions. PIM ensures no account has standing admin access, so stolen credentials can't be used immediately. MAA adds a second approval gate so even an activated admin can't wipe devices alone. Together, these two controls would have stopped the Stryker attack entirely.
Justin Kirsch
CEO, Access Business Technologies
Justin Kirsch has personally led incident response during large-scale cyberattacks targeting billion-dollar organizations, working around the clock to contain threats, lock out attackers, and harden environments before more damage is done. Those experiences — across mortgage companies, financial institutions, and other large enterprises — shape how ABT approaches tenant security for every customer. The lessons learned from defending one organization get applied across all 750+. As CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he's spent 25+ years making sure the controls that stop attacks like Stryker's are in place before they're needed.