A cyberattack against medical technology firm Stryker Corporation on March 11, 2026 has prompted urgent security warnings from US authorities. What makes this incident particularly instructive is not the breach itself but the mechanism of destruction: attackers used the built-in wipe command in Microsoft Intune, Microsoft's cloud-based endpoint management tool, to erase nearly 80,000 devices.
Endpoint management systems like Intune are particularly attractive targets for sophisticated attackers because these platforms typically hold extensive administrative privileges across entire device fleets and manage their security configurations. A single compromised Intune administrator account can give attackers near-complete control over thousands of endpoints. The Stryker case illustrates this exposure with precision. The attackers acted through a new Global Administrator account, created after they compromised an existing administrator account; that gave them the keys to a kingdom they could then systematically destroy without deploying a single line of malware.
The institutional response has been swift. CISA said it is aware of malicious cyber activity targeting the endpoint management systems of U.S. organisations, based on the March 11, 2026 cyberattack against Stryker, which affected the company's Microsoft environment. On March 18, the federal agency issued formal guidance to prevent similar incidents. The recommendations rest on a handful of core principles.
First, the principle of least privilege. CISA recommends applying least privilege when designing administrative roles and limiting access through role-based controls. In practical terms, administrators should receive only the minimum permissions required for their daily tasks, not blanket access to every system. Second, CISA urges enforcement of phishing-resistant MFA across all administrative accounts. Third, and perhaps most critically, CISA recommends policies that require a second administrator's approval before sensitive or high-impact actions such as device wipes can proceed. This multi-admin approval requirement creates a built-in check on unilateral action: no single compromised account can trigger a mass device wipe without a second authorisation.
The broader security community has flagged a troubling shift in attacker behaviour. Rather than developing novel exploits or deploying bespoke malware, threat actors are increasingly abusing the legitimate tools that organisations have willingly installed to manage their infrastructure. This is a shift toward 'living-off-the-land' techniques, in which attackers drive built-in enterprise tooling to carry out malicious actions and reduce their reliance on custom payloads. The approach is not only effective; because every action is a sanctioned administrative operation, it is also forensically harder to detect and attribute.
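Because a wipe issued through Intune is a legitimate administrative action, the detection signal lies in the audit trail rather than in any malware artefact: a burst of wipe actions from an account that was only just made Global Administrator, the sequence described above. The following sketch is an added example, not code from the article or from Microsoft; the event records are constructed in a simplified hypothetical schema, and the thresholds are illustrative values a team would tune to its own fleet.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema (not Microsoft's):
# one routine wipe, a new Global Administrator grant, then six wipes in six minutes.
EVENTS = [
    {"ts": "2026-03-11T01:40:00", "actor": "helpdesk@corp.example",
     "action": "Wipe", "target": "LAPTOP-0042"},
    {"ts": "2026-03-11T02:00:00", "actor": "it-admin@corp.example",
     "action": "AddRoleMember", "target": "newadmin@corp.example",
     "role": "Global Administrator"},
] + [
    {"ts": f"2026-03-11T02:0{i}:00", "actor": "newadmin@corp.example",
     "action": "Wipe", "target": f"LAPTOP-{i:04d}"} for i in range(1, 7)
]

def ts(e):
    return datetime.fromisoformat(e["ts"])

def wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Map actor -> peak wipes inside any sliding `window`, for actors reaching `threshold`."""
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] == "Wipe":
            per_actor[e["actor"]].append(ts(e))
    alerts = {}
    for actor, times in per_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[actor] = max(alerts.get(actor, 0), end - start + 1)
    return alerts

def recently_elevated(events, actor, at, max_age=timedelta(days=1)):
    """True if `actor` was granted Global Administrator within `max_age` before `at`."""
    return any(e["action"] == "AddRoleMember" and e["target"] == actor
               and e.get("role") == "Global Administrator"
               and timedelta(0) <= at - ts(e) <= max_age for e in events)

def triage(events):
    """Pair each wipe burst with the new-admin signal; both together is the Stryker pattern."""
    findings = []
    for actor, n in wipe_bursts(events).items():
        first = min(ts(e) for e in events
                    if e["action"] == "Wipe" and e["actor"] == actor)
        findings.append({"actor": actor, "wipes": n,
                         "new_admin": recently_elevated(events, actor, first)})
    return findings
```

The helpdesk account's single wipe never reaches the threshold, while the freshly elevated account is flagged with six wipes and `new_admin` set to True; in a real deployment both signals would be read from the Intune and Entra audit logs and the burst threshold set from the fleet's normal daily wipe volume.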
Notwithstanding the clarity of CISA's guidance, implementation poses genuine practical challenges. Organisations across sectors are now reassessing their Intune security posture, weighing the cost of these measures against the risk reduction they deliver. Applying multi-admin approval to all sensitive actions, for instance, creates operational friction: time-sensitive changes now require coordination across teams. Enforcing phishing-resistant MFA demands investment in hardware tokens or compatible authentication infrastructure that not every organisation currently possesses. Yet these costs pale against the alternative. Stryker said the March 11 disruption affected order processing, manufacturing, shipping and other internal systems. Once an attacker gains leverage over endpoint management, the damage can move quickly from identity and device control into production and logistics.
The institutional calculus here is straightforward, if politically unpalatable. Microsoft, which bears some responsibility for the security posture of its own products, acted. Microsoft's March 2026 Intune guidance directs tenants to enforce least-privilege administration through Intune RBAC, use phishing-resistant MFA and Conditional Access for administrative access, apply Multi Admin Approval for sensitive actions, and use scope tags and scoped roles. The federal government has amplified this message through CISA. Yet the burden of implementation falls on organisations themselves, many of which lack the security maturity to execute these measures in a timely fashion.
What is at stake, and this point bears emphasis, is not merely cyber hygiene in the abstract but the continuity of critical supply chains. Stryker's critical role in the healthcare supply chain makes it an essential partner for hospitals worldwide. When such an organisation loses the ability to process orders and ship products because attackers have compromised its internal management systems, patients downstream feel the effects.
The Stryker incident reveals a sobering truth: the same centralised control that makes modern device management platforms attractive to legitimate administrators makes them attractive targets for malicious actors. Organisations cannot simply disable these tools; they are integral to contemporary IT operations. What they can do, and what CISA now insists they must do, is treat the administrative access to these tools with the rigour traditionally reserved for nuclear launch codes. Least privilege, multi-factor authentication, and multi-admin approval are not novel security concepts. Their application to endpoint management systems, however, remains incomplete in too many corners of corporate America.