The Stryker Microsoft Intune Attack: What You Need to Know Now

Publish Date: SOTI MobiControl
17

Summary

One of the most destructive cyberattacks in recent years was launched against Stryker Corporation, a Fortune 500 medical technology company operating in more than 60 countries. This article details what happened and why it matters.

Related SOTI ONE Platform Products

SOTI MobiControl

Description

One of the most destructive cyberattacks in recent years was launched against Stryker Corporation, a Fortune 500 medical technology company operating in more than 60 countries. The Iran-linked group Handala reset more than 200,000 devices across 79 countries by abusing Microsoft Intune’s legitimate remote wipe functionality.

The attack exposes weaknesses in how some enterprises configure mobile device management (MDM) systems and administrative accounts.

Here’s why it matters, and what you can do now to protect your company.

What happened?

Early on March 11, 2026, Stryker employees across the US, Europe, and Asia found themselves unable to access their devices. Laptops and even employees’ personal phones displayed the Handala logo instead of Windows login prompts.

Investigators believe attackers:

  • Stole Microsoft Intune administrator credentials
  • Used Microsoft Intune’s built-in remote wipe function to issue tenant-wide factory resets
  • Exfiltrated up to 50 terabytes of data before executing the destructive phase

Stryker’s investigation is ongoing. However, the exfiltration of so much data implies that the attackers had long-term access.

Operational and Business Impact

The wipe effectively crippled Stryker’s global operations:

  • 56,000 employees were impacted across 79+ countries
  • Recovery timelines remain uncertain, as devices were factory reset
  • Multiple class action lawsuits were filed within days of the attack

How This Attack Was Executed

The most critical insight: the attackers didn’t break in, they logged in. Microsoft Intune worked as it was designed.

This is why access control around MDM systems must be treated as mission-critical infrastructure.

What can you do to prevent this from happening to you?

Passkey Authentication

The attack hinged on compromised Microsoft Intune administrator credentials likely obtained through phishing or credential theft.

Passkeys, built on FIDO2 cryptographic authentication, are phishing-resistant and make it much more difficult for an attacker to succeed.

Why Passkeys Are Essential for Privileged Access

  • They are phishing-resistant
  • They cannot be replayed or stolen through MFA fatigue or token theft
  • They bind authentication to a specific secure device
  • They eliminate passwords entirely

Why This Matters for MDM/Administrator Roles

Threat actors specialize in phishing and MFA bypass techniques. Passkeys greatly reduce the likelihood of a successful account takeover.

Best Practice: Implement Passkeys

Don’t have passkeys?

For our customers with Premium or Enterprise support plans, SOTI Identity supports passkey authentication, enabling secure password-less login using device-based verification methods such as face, fingerprint, PIN, or hardware security key. Using passkey authentication means there is no password for attackers to compromise, and no MFA token for them to intercept, which helps prevent this type of attack.

How a “Bulk Action Limit” Prevents Accidents

This incident reveals how critical it is to establish guardrails to prevent a user from wiping your entire global device fleet.

With SOTI MobiControl, you can configure Bulk Action Limits to control the number of devices affected by a single bulk operation. These limits can be set at the role, group, or user level, ensuring that users inherit restrictions based on their assigned roles or groups.

This enhances security, as limits can be set to ensure that only authorized users can perform bulk actions on a large number of devices, reducing the risk of accidental or malicious damage.
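The following is an added example, not SOTI MobiControl's or Microsoft Intune's own code, showing the two controls this section and the "What happened?" section imply: a bulk-action guardrail that resolves a limit at the user, group or role level, and a detector that flags an administrator whose wipe commands exceed a threshold within a sliding time window, run over constructed audit-log lines. All names, limits, the log format and the user > group > role resolution order are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed limits; the user > group > role resolution order is an assumption.
ROLE_LIMITS = {"helpdesk": 5, "mdm-admin": 50}
GROUP_LIMITS = {"emea-ops": 20}
USER_LIMITS = {"breakglass@example.com": 1}

def effective_limit(user, groups, role):
    """Most specific scope wins; an unknown role gets no bulk actions at all."""
    if user in USER_LIMITS:
        return USER_LIMITS[user]
    group_limits = [GROUP_LIMITS[g] for g in groups if g in GROUP_LIMITS]
    if group_limits:
        return min(group_limits)
    return ROLE_LIMITS.get(role, 0)

def allow_bulk_action(user, groups, role, device_count):
    """Guardrail: deny a single bulk operation that exceeds the caller's limit."""
    return device_count <= effective_limit(user, groups, role)

# Constructed MDM audit log: "<UTC timestamp> <admin> <action> <device id>".
SAMPLE_LOG = """\
2026-03-11T02:00:01Z alice@example.com WIPE dev-0001
2026-03-11T02:00:09Z alice@example.com WIPE dev-0002
2026-03-11T02:00:15Z bob@example.com LOCK dev-0100
2026-03-11T02:01:30Z alice@example.com WIPE dev-0003
2026-03-11T02:02:45Z alice@example.com WIPE dev-0004
2026-03-11T02:30:00Z bob@example.com WIPE dev-0101
"""

def flag_wipe_bursts(log_text, threshold, window=timedelta(minutes=5)):
    """Return {admin: peak count} for admins exceeding threshold WIPEs in any window."""
    wipes = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, admin, action, _device = line.split()
        if action == "WIPE":
            wipes[admin].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for admin, times in wipes.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[admin] = max(flagged.get(admin, 0), count)
    return flagged
```

The two pieces complement each other: the per-operation limit blocks a single tenant-wide wipe, while the sliding-window count also surfaces an account that issues many small wipes under that limit.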

What You Should Do Now

  • Review all users and permissions in your solution. Delete or make inactive accounts you don’t recognize or that are dormant.
  • Limit global administrator permissions and follow the principle of least privilege
  • Require phishing-resistant MFA (preferably passkeys)
  • Enable bulk action limits that make sense for your business
  • Keep your software up to date
  • Establish out-of-band emergency communications methods

Final Thoughts

The Stryker attack marks a turning point in destructive nation state cyber operations. It demonstrates how modern enterprise tools can be weaponized at an extraordinary scale using nothing more than stolen admin credentials.

By adopting passkey authentication, bulk action limits, and regular account reviews, organizations can significantly reduce the likelihood and impact of a similar event.
