On March 11, 2026, U.S. medical technology giant Stryker experienced a major cyberattack that disrupted internal systems and reportedly wiped data from thousands of employee devices. The incident, claimed by a pro-Iranian hacker group, has quickly become one of the most notable cyber incidents targeting the healthcare technology sector this year.
Beyond the geopolitical implications, the attack highlights a critical issue for enterprises worldwide: how corporate device management systems can become a powerful attack surface when compromised.
For organizations relying on mobile device management (MDM) or unified endpoint management (UEM) platforms, the Stryker incident offers several important lessons.
- What Happened in the Stryker Cyberattack
- The Anatomy of the Attack
- Why Healthcare and MedTech Companies Are Prime Targets
- Why Employees Were Asked to Unenroll Devices
- The Rise of Management Layer Attacks
- Responding to a Compromised Device Management System
- Lessons for IT and Security Teams
- How Hexnode UEM Is Built Around This
What Happened in the Stryker Cyberattack
On March 11, 2026, Stryker reported a cybersecurity incident affecting its internal Microsoft-based systems. The disruption impacted thousands of employees globally and caused widespread outages across company devices.
Reports indicate that:
- Employees found company laptops and phones disabled or wiped.
- Internal systems connected to Microsoft infrastructure were disrupted.
- Employees were unable to access key applications or corporate networks.
The Iran-linked hacker group Handala claimed responsibility for the attack and said it had wiped more than 200,000 devices and extracted roughly 50 TB of data, although those claims remain unverified.
Stryker stated that the attack did not appear to involve ransomware or malware, and the full scope of the incident is still under investigation.
The Anatomy of the Attack
Here is how the attack chain reportedly unfolded against Stryker. The sequence is assembled from public reporting and the group's own claims; Stryker's investigation is still ongoing, so individual steps may be revised:
1. Credential Compromise
Attackers obtained high-privilege administrative credentials for Stryker’s Microsoft 365 and Entra ID environment. While the exact initial access vector has not been officially confirmed, Handala’s documented techniques include credential phishing, credential stuffing, and brute-force attacks against legacy authentication protocols.
2. Full Tenant Takeover via Entra ID
With Global Administrator credentials in hand, the attackers had effective control over Stryker’s entire Microsoft 365 tenant. They defaced the Entra login page with the Handala logo and sent emails to company executives claiming ownership of the operation, a signature tactic designed to escalate psychological pressure alongside the technical attack.
3. Weaponizing the MDM Console
Through their control of the tenant, attackers accessed the Microsoft Intune management console. Intune’s Remote Wipe feature (a standard capability built for lost or stolen device scenarios) was used to issue factory reset commands against all enrolled devices simultaneously. No malware was deployed; the attack surface was the administrative console itself.
4. BYOD Included in the Blast Radius
Employees who had enrolled personal devices via the Intune Company Portal were affected equally alongside corporate-owned hardware. Personal data (photos, personal app data, banking 2FA apps, eSIM profiles) was erased along with corporate data. The wipe command executed by the attackers did not distinguish between device ownership types.
5. Parallel Data Exfiltration
Prior to executing the wipe, Handala claimed to have exfiltrated 50 terabytes of data. The destruction appears to have been the final act of an operation that prioritized theft first, with the wipe functioning as both a cover operation and a message.
Technical Analysis: Understanding the Entra ID and Intune Compromise
To understand how attackers could potentially disrupt thousands of devices in a short period of time, it is important to examine several techniques commonly used in modern identity-focused attacks.
1. The Limitations of Traditional MFA: AiTM and Session Token Theft
Multi-Factor Authentication (MFA) has long been considered one of the most effective defenses against credential theft. However, recent attack techniques have demonstrated that certain MFA implementations, particularly push notifications, one-time codes, or SMS-based verification, can still be bypassed under specific conditions. Phishing-resistant methods such as FIDO2 security keys and passkeys, which bind the credential to the site's origin, cannot be relayed in the same way.
One increasingly common technique is Adversary-in-the-Middle (AiTM) phishing.
Unlike traditional phishing pages that simply collect usernames and passwords, AiTM frameworks operate as a transparent proxy between the victim and the legitimate authentication service. When a user attempts to sign in to a service such as Microsoft 365, the attacker’s infrastructure forwards the login request to the real authentication endpoint while capturing authentication data in real time.
After the user successfully completes the MFA challenge, the identity provider issues a session token that confirms the user’s authenticated state. In AiTM scenarios, this token can be intercepted by the attacker and reused to establish a valid session.
Because the token represents an already authenticated session, attackers can use it to access administrative portals without needing the password or the second authentication factor again. To the identity platform, the attacker appears to be the legitimate authenticated administrator.
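To make the relay concrete, here is an added example (not code from the original article) that simulates an AiTM proxy against two kinds of second factor: a one-time code, which carries no information about where it was typed, and a WebAuthn-style assertion, where the browser fills in the page origin and the authenticator's key is bound to a relying-party ID. The relying-party ID, the origins and the HMAC signature stand-in are assumptions of the simulation; a real authenticator uses an asymmetric key pair, but the origin-binding logic shown is the same.

```python
"""Added example: why an AiTM relay works against relayable factors (OTP, push)
but not against an origin-bound factor (WebAuthn/FIDO2). HMAC stands in for the
authenticator's asymmetric signature, so the 'public key' the relying party holds
is the same secret; the flow is otherwise the WebAuthn assertion flow."""
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                                   # assumed relying-party ID
RP_ORIGIN = "https://login.example.com"                       # origin the RP expects
PHISH_ORIGIN = "https://login.example-com.attacker.invalid"   # assumed AiTM proxy site


class Authenticator:
    """Minimal authenticator: one key per credential, bound to an RP ID at registration."""

    def __init__(self):
        self._creds = {}

    def register(self, rp_id):
        cred_id = secrets.token_hex(8)
        self._creds[cred_id] = (rp_id, secrets.token_bytes(32))
        return cred_id

    def key_for_rp(self, cred_id):
        # Real WebAuthn hands the RP a public key; the HMAC stand-in has no such split.
        return self._creds[cred_id][1]

    def sign(self, cred_id, client_data_hash):
        rp_id, key = self._creds[cred_id]
        auth_data = hashlib.sha256(rp_id.encode()).digest()   # the rpIdHash field
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get_assertion(authn, cred_id, rp_id, challenge, page_origin):
    """The browser, not the page, writes 'origin' into clientData and enforces the RP ID rule."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("RP ID %r is not a registrable suffix of %r" % (rp_id, host))
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    auth_data, sig = authn.sign(cred_id, hashlib.sha256(client_data).digest())
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify(key, assertion, expected_challenge):
    """Relying-party checks: origin, challenge, rpIdHash, then the signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: %s" % cd.get("origin")
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "bad signature"
    return True, "ok"


def aitm_against_otp():
    """A six-digit code carries no origin: the proxy forwards it and the RP accepts it."""
    issued = "%06d" % secrets.randbelow(10 ** 6)   # RP sends the code to the user
    typed_into_phish_page = issued                  # user enters it on the proxy site
    forwarded_by_proxy = typed_into_phish_page      # proxy replays it to the real RP
    return hmac.compare_digest(issued, forwarded_by_proxy)


def aitm_against_webauthn(page_origin):
    """Same relay, but the user is on page_origin while the challenge comes from the real RP."""
    authn = Authenticator()
    cred = authn.register(RP_ID)
    challenge = secrets.token_hex(16)               # proxy relays the RP's genuine challenge
    try:
        assertion = browser_get_assertion(authn, cred, RP_ID, challenge, page_origin)
    except PermissionError as err:
        return "browser refused: %s" % err
    ok, why = rp_verify(authn.key_for_rp(cred), assertion, challenge)
    return "accepted" if ok else "rp rejected: %s" % why


if __name__ == "__main__":
    print("OTP relayed through AiTM proxy accepted:", aitm_against_otp())
    print("WebAuthn on real origin:", aitm_against_webauthn(RP_ORIGIN))
    print("WebAuthn on AiTM proxy:", aitm_against_webauthn(PHISH_ORIGIN))
    print("WebAuthn on hijacked subdomain:", aitm_against_webauthn("https://evil." + RP_ID))
```

Two independent checks stop the relay: the browser refuses to sign at all when the proxy's host is not under the RP ID, and even a host that passes that test (a compromised subdomain, the last case above) produces an assertion whose signed origin the relying party rejects. Neither check exists for a code or a push approval, which is why the proxy can replay those unchanged.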
2. MFA Fatigue Attacks
Another tactic observed in identity-focused attacks is MFA fatigue, sometimes referred to as MFA push spamming.
In these attacks, once an attacker obtains valid credentials, they repeatedly attempt to log in to trigger a large number of MFA push notifications on the target’s device. The goal is to overwhelm or confuse the user into approving one of the requests.
If the user accidentally approves a login request, especially outside normal working hours, the attacker gains access to the account with valid authentication.
While many organizations deploy MFA to protect administrative accounts, repeated push notifications can sometimes create opportunities for human error, particularly when users are not expecting authentication prompts.
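The pattern described above is detectable from sign-in telemetry alone. The following Python is an added example, not code from the original article: it runs a sliding window over constructed sign-in records (the field names are a simplified stand-in for Entra sign-in log fields, and the IP baseline, threshold and business-hours window are assumptions) and raises one finding when a burst of unanswered or denied pushes appears, and a second, higher-severity finding when an approval follows that burst from an address never seen for the user or outside business hours.

```python
"""Added example: MFA fatigue detection over constructed sign-in records.
The record shape is a simplified stand-in for Entra sign-in log fields."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: six unanswered/denied pushes within five minutes at 02:14 UTC,
# then an approval from an IP the admin has never used. Alice is ordinary noise.
SAMPLE_EVENTS = [
    {"user": "admin@example.com", "time": "2026-03-10T02:14:03Z", "ip": "203.0.113.7", "mfa": "push_timeout"},
    {"user": "admin@example.com", "time": "2026-03-10T02:15:10Z", "ip": "203.0.113.7", "mfa": "push_denied"},
    {"user": "admin@example.com", "time": "2026-03-10T02:16:02Z", "ip": "203.0.113.7", "mfa": "push_timeout"},
    {"user": "admin@example.com", "time": "2026-03-10T02:17:45Z", "ip": "203.0.113.7", "mfa": "push_timeout"},
    {"user": "admin@example.com", "time": "2026-03-10T02:18:30Z", "ip": "203.0.113.7", "mfa": "push_denied"},
    {"user": "admin@example.com", "time": "2026-03-10T02:19:12Z", "ip": "203.0.113.7", "mfa": "push_timeout"},
    {"user": "admin@example.com", "time": "2026-03-10T02:20:41Z", "ip": "203.0.113.7", "mfa": "push_approved"},
    {"user": "alice@example.com", "time": "2026-03-10T09:01:00Z", "ip": "198.51.100.4", "mfa": "push_approved"},
    {"user": "alice@example.com", "time": "2026-03-10T09:03:00Z", "ip": "198.51.100.4", "mfa": "push_denied"},
]
# Constructed baseline of source IPs previously seen per user.
KNOWN_IPS = {"admin@example.com": {"198.51.100.4"}, "alice@example.com": {"198.51.100.4"}}

FAILED = {"push_timeout", "push_denied"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_mfa_fatigue(events, known_ips, threshold=5, window=timedelta(minutes=10),
                       business_hours=(8, 18)):
    """Return findings: 'push_burst' when `threshold` pushes fail inside `window`,
    and 'approval_after_burst' when an approval follows such a burst."""
    findings = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        failures = []            # timestamps of failed pushes still inside the window
        burst_open = False
        for e in evs:
            t = parse_ts(e["time"])
            failures = [f for f in failures if t - f <= window]
            if e["mfa"] in FAILED:
                failures.append(t)
                if len(failures) >= threshold and not burst_open:
                    burst_open = True
                    findings.append({"kind": "push_burst", "user": user, "at": e["time"],
                                     "count": len(failures), "severity": "medium"})
            elif e["mfa"] == "push_approved":
                if len(failures) >= threshold:
                    reasons = ["%d failed pushes in the preceding %s" % (len(failures), window)]
                    if e["ip"] not in known_ips.get(user, set()):
                        reasons.append("approved from an IP never seen for this user")
                    if not business_hours[0] <= t.hour < business_hours[1]:
                        reasons.append("approved outside business hours (UTC)")
                    findings.append({"kind": "approval_after_burst", "user": user, "at": e["time"],
                                     "ip": e["ip"], "reasons": reasons,
                                     "severity": "high" if len(reasons) > 1 else "medium"})
                failures, burst_open = [], False   # an approval ends the episode
    return findings


def analyze_sample():
    return detect_mfa_fatigue(SAMPLE_EVENTS, KNOWN_IPS)


if __name__ == "__main__":
    for finding in analyze_sample():
        print(finding)
```

The burst finding fires on the fifth failure, before the attacker has succeeded, which is the moment a responder can still reset the password and revoke sessions. The approval finding is the one to page on: a correct approval after five timeouts, at 02:20 UTC, from an address the admin has never used, is exactly the shape of a successful fatigue attack.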
3. Entra ID as a Central Identity Control Plane
Modern enterprise environments rely heavily on centralized identity platforms such as Microsoft Entra ID (formerly Azure Active Directory).
These platforms function as far more than simple user directories. They act as the central authority governing authentication, authorization, and trust relationships across multiple enterprise services.
Within Microsoft environments, Entra ID integrates with several critical components, including:
- Microsoft Intune, which manages and secures endpoint devices
- Privileged Identity Management (PIM), which controls administrative privilege elevation
- Conditional Access policies, which determine whether users and devices are trusted
When attackers gain Global Administrator privileges, they effectively gain broad control over these integrated systems.
This level of access can allow attackers to interact with administrative APIs, modify policies, and execute management actions across large numbers of devices.
4. The Role of Legitimate Administrative Tools
One of the reasons attacks of this nature can be difficult to detect is that they often rely entirely on legitimate administrative tools rather than malware.
In the Stryker incident, reports suggest that attackers used device management capabilities such as the Remote Wipe feature within Intune to issue commands across enrolled endpoints.
Because these commands were executed through valid administrative channels using authenticated credentials, many traditional security tools may treat them as legitimate activity.
This approach is often referred to as Living-off-the-Land (LotL), where attackers leverage built-in system capabilities instead of deploying custom malicious software.
As a result, the attack can bypass traditional detection methods that rely on identifying malicious files or suspicious processes on endpoints.
Why Healthcare and MedTech Companies Are Prime Targets
Several factors make healthcare and MedTech companies particularly attractive targets for cyber threats:
High-value intellectual property: Medical device manufacturers invest heavily in research and development. Product designs, clinical trial data, and manufacturing processes represent valuable intellectual property that can be targeted for industrial espionage or financial gain.
Complex and hybrid infrastructures: Healthcare technology companies typically operate hybrid IT environments that combine cloud platforms, legacy systems, and specialized operational technology (OT). This complexity often creates security gaps that attackers can exploit.
Operational sensitivity: Disruptions to healthcare technology companies can have cascading effects across hospitals, medical providers, and global supply chains. Attackers understand that operational downtime creates immense pressure to restore systems quickly, which can complicate incident response and increase the likelihood of ransom payments.
Large and distributed workforces: Global MedTech organizations manage thousands of employees, contractors, and partners accessing corporate systems from various devices and locations. This distributed access model increases reliance on identity and endpoint management infrastructure, widening the available attack surface.
The Stryker incident highlights a shifting trend: attackers are increasingly targeting the systems that manage devices and identities rather than attacking the medical devices themselves.
Why Employees Were Asked to Unenroll Devices
In the wake of the attack, employees were reportedly instructed to remove enterprise management profiles from their devices, including those associated with Microsoft Intune.
Why would IT teams do this?
When attackers gain control of device management infrastructure, they can potentially:
- Push malicious configurations
- Deploy destructive scripts or wipe commands
- Lock users out of devices
- Exfiltrate corporate data
- Spread lateral attacks across endpoints
Because device management platforms control large fleets of corporate and BYOD devices, they can become a single point of failure if compromised.
The Rise of Management Layer Attacks
Cyber attackers are increasingly shifting their focus from individual devices to centralized control systems. Rather than infecting thousands of endpoints one by one, attackers aim to compromise:
- Identity systems
- Cloud administration consoles
- Endpoint management platforms
- Infrastructure orchestration tools
Once attackers gain privileged access to these systems, they can perform actions that would otherwise require months of lateral movement within a network. In many cases, the damage is not caused by malware running on endpoints, but by legitimate administrative commands executed through trusted management tools.
Responding to a Compromised Device Management System
When attackers gain control of endpoint management infrastructure, the incident response strategy must shift dramatically from traditional malware containment procedures. Unlike typical breaches involving isolated infected devices, a compromised management platform allows attackers to execute commands across an entire fleet from a single centralized console.
Because of this, response actions must prioritize regaining control of the management and identity layers before attackers can issue further malicious commands. Security teams should focus on several critical steps during the initial response phase:
Immediate identity lockdown: The first priority is securing the identity infrastructure linked to the device management platform. All administrative credentials associated with the tenant (global administrators, service accounts, and automation credentials) should be immediately revoked and reissued, with care taken not to disable the emergency-access account that responders themselves depend on.
Temporary suspension of high-risk commands: Organizations should consider temporarily restricting high-impact administrative actions until access is verified. Commands such as remote wipes, configuration pushes, certificate deployments, and application installations can cause widespread disruption if misused by an adversary.
Tenant-level audit investigation: Comprehensive audit logs from identity platforms and management consoles must be reviewed to reconstruct the attacker’s activity. Security teams should determine which administrative accounts were compromised, what commands were executed, and which specific devices or users were affected.
Device re-enrollment planning: If management profiles or trust relationships are compromised, organizations may need to remove existing profiles and re-enroll devices into a newly secured environment. This ensures devices reconnect to a “clean” infrastructure rather than remaining tied to compromised configurations.
Clear employee communication: Employees need specific guidance on securing their devices during recovery. This may include instructions for removing profiles, resetting credentials, or verifying app safety. Transparent communication reduces confusion and prevents users from unknowingly interacting with compromised systems.
Organizations that maintain documented incident response playbooks specifically for management-layer compromises are far better prepared to contain these attacks. As the Stryker incident illustrates, when centralized infrastructure is targeted, a rapid and coordinated response is the only way to limit cascading damage.
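The identity-lockdown and audit steps above can be scripted so that, in the first minutes of an incident, nobody is typing administrative calls by hand. The Python below is an added example, not Stryker's playbook or Microsoft's tooling: it builds an ordered plan from a constructed inventory and runs it in dry-run mode unless a real sender is supplied. The Microsoft Graph v1.0 paths it emits (revoking sign-in sessions, disabling a user, removing an application password, querying directory audits) are the documented ones for those actions, but treat them as assumptions to verify against current documentation before use. Note the emergency-access account: a lockdown that disables it locks the responders out as well.

```python
"""Added example: an identity-lockdown planner for the first response phase.
Inventory is constructed; Graph paths are assumptions to verify against current docs;
nothing is sent unless execute() is given a real sender."""
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed inventory of what must be cut off. In a real response this comes from
# directory role membership and application credential listings, not a hand-written dict.
INVENTORY = {
    "privileged_users": [
        {"id": "u-ga-1", "upn": "ga.admin@example.com", "roles": ["Global Administrator"]},
        {"id": "u-intune-1", "upn": "intune.admin@example.com", "roles": ["Intune Administrator"]},
        {"id": "u-breakglass", "upn": "breakglass@example.com", "roles": ["Global Administrator"]},
    ],
    "app_secrets": [
        {"app_object_id": "app-automation", "display": "intune-automation", "key_ids": ["k1", "k2"]},
    ],
    "emergency_access": {"breakglass@example.com"},   # never disabled by the playbook
}


def plan_identity_lockdown(inventory, incident_start):
    """Return an ordered list of (method, path, body) Graph calls.
    Order: block new sign-ins, kill existing sessions, rotate non-human credentials,
    then pull the audit trail for the window under investigation."""
    plan = []
    emergency = inventory["emergency_access"]
    for u in inventory["privileged_users"]:
        if u["upn"] in emergency:
            plan.append(("NOTE", u["upn"],
                         {"action": "emergency-access account: rotate its password out of band, do not disable"}))
            continue
        # Step 1: block sign-in so no new tokens can be minted while sessions are revoked.
        plan.append(("PATCH", "%s/users/%s" % (GRAPH, u["id"]), {"accountEnabled": False}))
        # Step 2: invalidate refresh tokens and sessions (access tokens expire on their own).
        plan.append(("POST", "%s/users/%s/revokeSignInSessions" % (GRAPH, u["id"]), None))
    for app in inventory["app_secrets"]:
        # Step 3: automation secrets are admins that never see an MFA prompt; rotate them.
        for key_id in app["key_ids"]:
            plan.append(("POST", "%s/applications/%s/removePassword" % (GRAPH, app["app_object_id"]),
                         {"keyId": key_id}))
    # Step 4: pull directory audits from the incident window for the reconstruction phase.
    since = incident_start.strftime("%Y-%m-%dT%H:%M:%SZ")
    plan.append(("GET", "%s/auditLogs/directoryAudits?$filter=activityDateTime ge %s" % (GRAPH, since), None))
    return plan


def execute(plan, send=None):
    """Run the plan through send(method, path, body). Without a sender it is a dry run."""
    results = []
    for method, path, body in plan:
        if method == "NOTE" or send is None:
            results.append((method, path, "dry-run"))
        else:
            results.append((method, path, send(method, path, body)))
    return results


def demo_plan():
    return plan_identity_lockdown(INVENTORY, datetime(2026, 3, 11, tzinfo=timezone.utc))


if __name__ == "__main__":
    for step in execute(demo_plan()):
        print(step)
```

The plan is data, so it can be reviewed by a second responder before `execute` is handed a real sender, and the same planner output doubles as the record of what was done and when.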
Lessons for IT and Security Teams
The Stryker incident highlights several important best practices for organizations managing large fleets of endpoints.
1. Secure Your Device Management Infrastructure
Device management platforms should be protected with:
- strict access controls
- multi-factor authentication
- network segmentation
- continuous monitoring
2. Minimize Privileged Access
Limit administrative privileges to only essential users and ensure role-based access controls are enforced.
3. Monitor Endpoint Commands
Security teams should track high-risk commands such as:
- device wipe
- configuration changes
- certificate deployment
Unexpected spikes in these actions may signal compromise.
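The monitoring described above, and the earlier observation that the wipe commands were legitimate Intune operations rather than malware, both come down to reading the management console's own audit trail. The following Python is an added example, not Stryker's or Microsoft's tooling: it runs three checks over constructed audit events shaped like the Graph deviceManagement/auditEvents resource (the activityType strings, the device inventory with its ownerType values, the approved-operator list and the burst threshold are all assumptions) and flags a burst of wipes from one actor, any full wipe aimed at a personally owned device, and wipes issued by an account that is not an approved operator.

```python
"""Added example: detecting management-layer abuse from Intune-style audit events.
Event shape mirrors the Graph deviceManagement/auditEvents resource as an assumption;
activityType strings, inventory and approved-operator list are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WIPE_ACTIONS = {"wipe ManagedDevice"}   # assumed audit activityType for a full wipe

# Constructed inventory: ownerType as Intune reports it ("company" or "personal").
DEVICES = {
    "DEV-C1": {"ownerType": "company", "user": "bob@example.com"},
    "DEV-C2": {"ownerType": "company", "user": "carol@example.com"},
    "DEV-C3": {"ownerType": "company", "user": "dave@example.com"},
    "DEV-C4": {"ownerType": "company", "user": "erin@example.com"},
    "DEV-P1": {"ownerType": "personal", "user": "frank@example.com"},
    "DEV-P2": {"ownerType": "personal", "user": "grace@example.com"},
}


def ev(ts, actor, activity, *device_ids):
    return {"activityDateTime": ts, "activityType": activity,
            "actor": {"userPrincipalName": actor},
            "resources": [{"resourceId": d} for d in device_ids]}


# Constructed audit trail: one routine helpdesk wipe in the morning, then a five-device
# burst from an admin account at 02:31 UTC that includes two BYOD devices.
SAMPLE_AUDIT = [
    ev("2026-03-10T09:05:00Z", "helpdesk@example.com", "wipe ManagedDevice", "DEV-C1"),
    ev("2026-03-11T02:31:00Z", "svc-admin@example.com", "wipe ManagedDevice", "DEV-C2"),
    ev("2026-03-11T02:32:00Z", "svc-admin@example.com", "wipe ManagedDevice", "DEV-P1"),
    ev("2026-03-11T02:33:00Z", "svc-admin@example.com", "wipe ManagedDevice", "DEV-C3", "DEV-P2"),
    ev("2026-03-11T02:34:00Z", "svc-admin@example.com", "wipe ManagedDevice", "DEV-C4"),
    ev("2026-03-11T02:35:00Z", "svc-admin@example.com", "syncDevice ManagedDevice", "DEV-C4"),
]
APPROVED_WIPERS = frozenset({"helpdesk@example.com"})   # accounts allowed to issue wipes


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_wipe_abuse(events, devices, approved_wipers,
                      window=timedelta(minutes=15), burst_threshold=3):
    alerts = []
    recent = defaultdict(list)     # actor -> [(time, devices_in_event)] inside window
    flagged_actor, burst_actor = set(), set()
    for e in sorted(events, key=lambda e: e["activityDateTime"]):
        if e["activityType"] not in WIPE_ACTIONS:
            continue
        t = parse_ts(e["activityDateTime"])
        actor = e["actor"]["userPrincipalName"]
        targets = [r["resourceId"] for r in e["resources"]]

        # Check 1: a full wipe on a personal device destroys the owner's data too.
        for dev_id in targets:
            if devices.get(dev_id, {}).get("ownerType") == "personal":
                alerts.append({"kind": "full_wipe_on_byod", "actor": actor, "device": dev_id,
                               "at": e["activityDateTime"],
                               "note": "personal device: expected retire/selective wipe, not full wipe"})
        # Check 2: wipes should come only from the accounts entitled to issue them.
        if actor not in approved_wipers and actor not in flagged_actor:
            flagged_actor.add(actor)
            alerts.append({"kind": "wipe_by_unapproved_actor", "actor": actor,
                           "at": e["activityDateTime"]})
        # Check 3: count devices wiped per actor inside the sliding window.
        recent[actor] = [(ts, n) for ts, n in recent[actor] if t - ts <= window] + [(t, len(targets))]
        total = sum(n for _, n in recent[actor])
        if total > burst_threshold and actor not in burst_actor:
            burst_actor.add(actor)
            alerts.append({"kind": "wipe_burst", "actor": actor, "at": e["activityDateTime"],
                           "devices_in_window": total,
                           "window_minutes": int(window.total_seconds() // 60)})
    return alerts


def analyze_sample():
    return detect_wipe_abuse(SAMPLE_AUDIT, DEVICES, APPROVED_WIPERS)


if __name__ == "__main__":
    for alert in analyze_sample():
        print(alert)
```

The burst check fires on the third event, after four devices, while the fleet-wide command stream is still in progress; in a tenant-wide wipe the counter crosses the threshold on the first bulk action. The audit trail is the only endpoint-side signal such an attack produces, so this detection belongs in the SIEM next to the sign-in analytics, not on the devices being erased.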
4. Maintain Emergency Response Plans
Organizations should have playbooks that include:
- rapid device unenrollment
- credential revocation
- endpoint isolation
- alternate access methods
5. Strengthen Endpoint Visibility
Real-time monitoring and automated alerts are essential for identifying suspicious activity before it spreads across devices.
How Hexnode UEM Is Built Around This
The lessons from recent cyber incidents reinforce a critical architectural principle: a UEM platform must be built with layered checks and balances.
At Hexnode, our philosophy is that device management should empower IT at scale without creating a single point of catastrophic failure. Here is how our platform is structured to mitigate high-level administrative risks:
1. Atomic RBAC (Role-Based Access Control)
A compromised admin password should never equate to a total network wipe. Hexnode utilizes Atomic RBAC, allowing organizations to define access at a highly granular level. It works on three pillars:
Action-Based Granularity: You can strictly limit who has the permission to execute critical commands. A Tier-1 helpdesk technician might have permission to view a device, but the “Device Wipe” capability is strictly blocked.
Scope-Based Boundaries: Admins are locked into a specific jurisdiction (e.g., an admin for the Germany office is programmatically blocked from even seeing devices in the Americas).
Step-Up Authentication for Critical Actions: For high-risk, critical actions such as executing a device wipe, Hexnode forces the administrator to re-authenticate with 2FA. Even if an active session is hijacked, the attacker cannot execute destructive commands without the secondary physical token.
2. Selective Wipe and Containerization for BYOD
One of the most concerning aspects of the Stryker attack was the wiping of employees’ personal devices. Hexnode prevents this through strict BYOD containerization. If a wipe command needs to be executed on a BYOD device, Hexnode allows administrators to perform a Selective Wipe (or Corporate Wipe). This command only destroys the encrypted corporate workspace, leaving the employee’s personal photos, texts, and private apps completely untouched.
3. “Technician Shadow” and Audit Integrity
When malicious actions occur, visibility is your first line of defense. Hexnode maintains a forensic record of all administrative interactions, known as the Technician Shadow. Every command sent, policy changed, or device wiped is tracked back to a specific technician account with a precise timestamp. This provides the immediate visibility needed to identify compromised accounts before widespread damage occurs.
4. Continuous Zero Trust Enforcement
Hexnode acts as the endpoint enforcer for your Zero Trust architecture. Operating on the core principle of “never trust, always verify,” Hexnode ensures that access is not a one-time event based solely on a password. Instead, device posture and health are continuously verified. Even if a threat actor successfully compromises administrative credentials, Zero Trust principles ensure that the compromised identity cannot freely navigate the network or execute mass commands without continuous validation.
5. Attribute-Based Access Control (ABAC)
To operationalize this Zero Trust approach, Hexnode utilizes Attribute-Based Access Control (ABAC). Rather than just looking at a user’s static role, ABAC evaluates a dynamic combination of user attributes, device compliance states, and network conditions before granting access. If an attacker gains access to credentials but is attempting to execute commands from an unregistered device or an unapproved network location, the system acts as a strict logic gate to instantly block the intrusion.
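As an added illustration of how those layers compose, here is a hypothetical policy check in Python. It is not Hexnode's code and makes no claim about how Hexnode implements the features described above; the role names, attributes and MFA freshness windows are assumptions chosen to show the ordering: permission, then scope, then request attributes, then a fresh MFA proof for destructive actions.

```python
"""Added example: a hypothetical authorization layer for a UEM console that stacks
role permissions, scope boundaries, attribute checks and step-up re-authentication
in front of destructive actions. Illustrative only; not Hexnode's implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed freshness windows: a wipe needs an MFA proof no older than five minutes.
STEP_UP_ACTIONS = {"device.wipe": timedelta(minutes=5), "policy.push": timedelta(minutes=15)}


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset     # e.g. {"device.view", "device.wipe"}
    scopes: frozenset          # device groups this role may touch


@dataclass
class Session:
    admin: str
    roles: tuple
    mfa_verified_at: datetime    # time of the last MFA proof on this session
    device_registered: bool      # console opened from an enrolled admin workstation
    device_compliant: bool
    network_trusted: bool


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


HELPDESK = Role("helpdesk", frozenset({"device.view", "device.sync"}), frozenset({"emea", "amer"}))
EMEA_ADMIN = Role("emea-admin", frozenset({"device.view", "device.wipe", "policy.push"}), frozenset({"emea"}))


def authorize(session, action, target_scope, now):
    # 1. RBAC: some role on the session must carry the permission ...
    granting = [r for r in session.roles if action in r.permissions]
    if not granting:
        return Decision(False, "rbac: no role grants %s" % action)
    # 2. ... and a role that grants it must also cover the target's scope.
    if not any(target_scope in r.scopes for r in granting):
        return Decision(False, "scope: %s is outside this admin's jurisdiction" % target_scope)
    # 3. ABAC: the request context must look like an administrator, not a hijacked cookie.
    if not (session.device_registered and session.device_compliant and session.network_trusted):
        return Decision(False, "abac: untrusted device or network")
    # 4. Step-up: destructive actions need a fresh MFA proof regardless of session state.
    max_age = STEP_UP_ACTIONS.get(action)
    if max_age is not None and now - session.mfa_verified_at > max_age:
        return Decision(False, "step_up_required: re-authenticate with MFA before %s" % action)
    return Decision(True, "allowed")


def demo():
    now = datetime(2026, 3, 11, 2, 30, tzinfo=timezone.utc)
    fresh = now - timedelta(minutes=1)
    stale = now - timedelta(hours=2)
    return {
        "helpdesk_wipe": authorize(Session("t1@example.com", (HELPDESK,), fresh, True, True, True),
                                   "device.wipe", "emea", now),
        "cross_region": authorize(Session("eu@example.com", (EMEA_ADMIN,), fresh, True, True, True),
                                  "device.wipe", "amer", now),
        "hijacked_session": authorize(Session("eu@example.com", (EMEA_ADMIN,), stale, False, True, False),
                                      "device.wipe", "emea", now),
        "stale_mfa": authorize(Session("eu@example.com", (EMEA_ADMIN,), stale, True, True, True),
                               "device.wipe", "emea", now),
        "legit_wipe": authorize(Session("eu@example.com", (EMEA_ADMIN,), fresh, True, True, True),
                                "device.wipe", "emea", now),
        "legit_view": authorize(Session("t1@example.com", (HELPDESK,), stale, True, True, True),
                                "device.view", "amer", now),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print("%-17s %s" % (name, decision))
```

The "stale_mfa" case is the one that matters for a stolen session token: the cookie is valid, the role is right and the scope matches, yet the wipe still stops at the step-up gate because the attacker cannot produce a fresh second factor.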
The Takeaway
The Stryker cyberattack is a harsh reminder that our security tools are only as effective as the safeguards protecting them. It is time for organizations to audit their UEM configurations, tighten administrative access, and ensure that the platform protecting their network doesn’t become the ultimate vulnerability.
Strengthen Your Endpoint Security with Hexnode
Explore how Hexnode UEM combines powerful device management with built-in security controls for modern enterprises.