The major cyberattack carried out on medical technology company Stryker on March 11, 2026, has caused massive global disruption, with 56,000 employees impacted across 79 countries. It appears to have involved a destructive wiper-style attack.
With early reporting suggesting the attack involved the compromise of Microsoft Intune, this has served as an alarming reminder of the vulnerabilities relating to cloud providers.
At this time, there appears to be no risk of Stryker medical devices being compromised. There is no need to disconnect Stryker devices; however, this is a good reminder to review your environment and confirm that the right security controls are in place for optimal protection.
A new type of destructive attack
Instead of the normal method of deploying malware directly on endpoints, attackers may target the systems used to manage those endpoints.
Enterprise platforms like Microsoft Intune allow IT teams to remotely configure and manage devices at scale. Among their capabilities is the ability to remotely reset or wipe machines.
If attackers gain access to those administrative controls, they can issue commands that instruct devices to begin the reset process.
From the device’s perspective, this appears to be a legitimate administrative action—no malicious executable is required.
Adding additional safeguards around device management
While the investigation into the attack affecting Stryker is still ongoing, the possibility that device management infrastructure such as Microsoft Intune could be abused to initiate destructive actions highlights an important security consideration.
Modern operating systems rely on trusted device management components to process administrative commands. Under normal circumstances, these processes allow IT teams to deploy configuration changes, enforce compliance policies, and manage devices remotely.
However, because these components have powerful administrative capabilities, they also represent a potential attack path if management credentials or infrastructure are compromised.
To address this immediate risk, ThreatLocker has published a Community policy called "Block Intune Remote Wipe" that applies additional Ringfencing™ controls around key device management processes and the system configuration changes required to initiate a device reset, helping prevent unauthorized wipe actions even when legitimate management components are involved.
How to protect your organization from these attacks
1. Enforce strong access controls and verify devices.
- Enforce Conditional Access rules that require MFA, device compliance, and named locations/IP ranges for access to M365, especially for accounts with access to the Intune portal and Azure AD admin center. Stolen credentials used from an unknown device must trigger a hard block, not a step-up prompt.
2. Apply least privilege and time-bound administration.
- Audit MDM role assignments regularly: Perform scheduled reviews of Intune RBAC assignments. Reduce or eliminate standing Global Administrator and Intune Administrator roles.
- Use Privileged Identity Management (PIM) for just-in-time elevation with approval workflows.
3. Protect the management plane with infrastructure controls.
- Treat your MDM platform as critical infrastructure: Changes to Intune policy, role assignments, and enrollment scope should go through the same change-control processes as tier-one systems.
- Standing access to the MDM platform should receive the same scrutiny as domain admin access, or more.
- Prevent lateral movement from devices in your network to critical internal resources.
4. Maintain an accurate and monitored device ecosystem.
- Maintain a device inventory aligned to your management scope: Regularly reconcile Intune-enrolled devices against your asset inventory.
- Any device enrolled in MDM but missing from your tooling is an unmonitored execution point and potential attack surface.
5. Monitor and alert on high-risk management activities.
- Log and alert on Intune audit events: Monitor Intune audit logs via the portal or Graph API for role changes, bulk device actions, or policy updates outside approved change windows.
- Update your incident response plan: Include a dedicated IR playbook for unauthorized wipe commands or other malicious MDM actions.
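A constructed example of the kind of alerting rule step 5 describes, added here and not part of the original post or the ThreatLocker policy: it scans Intune-style audit records for role assignment changes, configuration edits outside an approved change window, and bursts of wipe or retire commands from a single actor. The simplified record layout, the activity names, the 22:00 to 02:00 UTC window, the bulk threshold and the contoso.example accounts are all assumptions; adapt them to the fields your tenant's Graph audit events actually return.

```python
from collections import defaultdict
from datetime import datetime, time

DESTRUCTIVE = {"wipe ManagedDevice", "retire ManagedDevice"}  # assumed "<op> <resource>" names
ROLE_CHANGES = {"Create RoleAssignment", "Patch RoleAssignment", "Delete RoleAssignment"}
WINDOW_START, WINDOW_END = time(22, 0), time(2, 0)  # approved UTC change window (assumption)
BULK_THRESHOLD, BULK_SECONDS = 5, 600  # 5+ destructive actions by one actor within 10 minutes

def parse_ts(value):
    """Parse an ISO-8601 timestamp such as 2026-03-11T08:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def in_change_window(ts):
    """True when ts (UTC) falls inside the approved window, which wraps past midnight."""
    return ts.time() >= WINDOW_START or ts.time() < WINDOW_END

def find_alerts(events):
    """Return (actor, activityType, reason) tuples for events that need review."""
    alerts, device_actions = [], defaultdict(list)  # actor -> times of destructive actions
    for ev in events:
        actor, act = ev["actor"]["userPrincipalName"], ev["activityType"]
        ts = parse_ts(ev["activityDateTime"])
        if act in DESTRUCTIVE:
            alerts.append((actor, act, "destructive device action"))
            device_actions[actor].append(ts)
        elif act in ROLE_CHANGES:
            alerts.append((actor, act, "role assignment change"))
        elif act.endswith("DeviceConfiguration") and not in_change_window(ts):
            alerts.append((actor, act, "policy change outside change window"))
    # Bulk detection: slide a window of BULK_THRESHOLD actions over each actor's sorted times
    for actor, stamps in device_actions.items():
        stamps.sort()
        for i in range(len(stamps) - BULK_THRESHOLD + 1):
            if (stamps[i + BULK_THRESHOLD - 1] - stamps[i]).total_seconds() <= BULK_SECONDS:
                alerts.append((actor, "bulk", f"{BULK_THRESHOLD}+ wipes/retires in {BULK_SECONDS}s"))
                break
    return alerts

def _ev(actor, act, when):  # constructed record in a simplified Graph-like layout
    return {"actor": {"userPrincipalName": actor}, "activityType": act, "activityDateTime": when}

SAMPLE_EVENTS = [  # constructed sample data, not real tenant logs
    _ev("admin@contoso.example", "Patch DeviceConfiguration", "2026-03-10T23:15:00Z"),
    _ev("admin@contoso.example", "Create RoleAssignment", "2026-03-10T09:30:00Z"),
    _ev("admin@contoso.example", "Patch DeviceConfiguration", "2026-03-11T14:00:00Z"),
] + [_ev("helpdesk@contoso.example", "wipe ManagedDevice", f"2026-03-11T08:0{i}:00Z") for i in range(6)]

if __name__ == "__main__":
    print(*find_alerts(SAMPLE_EVENTS), sep="\n")
```

The in-window configuration edit at 23:15 produces no alert, while the six wipes in five minutes produce one alert per wipe plus a single bulk alert for the actor.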
The bottom line
This Stryker incident reminds us why Zero Trust is so important now. Whether it’s through malware deployment or abuse of administrative tools, attackers are always finding new avenues of attack. Keeping tight control over your environment is the best way to stay ahead.
Incidents like this show us how quickly cyberattacks can happen—and how widespread and destructive they can be.
The best cybersecurity approach is built on Zero Trust and deny-by-default principles. By limiting access to SaaS applications by hardware, blocking unauthorized software, and tightly controlling how trusted processes behave, organizations can ensure that even when attackers find new paths, damage can be contained.
