How Stryker Lost 200,000 Devices Without a Single Piece of Malware

By Chris Brown · Twin Networks · April 2026 · 7 min read
On the morning of March 11, 2026, employees at Stryker offices across 79 countries turned on their computers and found them blank. Login screens had been replaced with the logo of a barefoot boy holding a slingshot — the signature of an Iran-linked hacktivist group called Handala. Those employees who had enrolled personal phones through Stryker's BYOD program found those wiped too. Not just corporate apps — everything. Photos, eSIMs, and the authenticator apps they used for their personal banking.

The investigation that followed found something that should make every leader running Microsoft 365 pause: no malware was deployed. No software vulnerability was exploited. No zero-day was involved. The attackers used a legitimate tool that Stryker's IT team had deployed and trusted — Microsoft Intune — to issue a remote wipe command to every enrolled device simultaneously.

How it happened

According to sources familiar with the incident, the attackers gained access to Stryker's Microsoft environment through a compromised administrative account. Once inside, they created a new user with Global Administrator privileges — the highest level of access in a Microsoft 365 tenant — effectively giving themselves full control of the environment. From there, they authenticated to the Microsoft Intune administrative console and issued an enterprise-wide remote wipe command.

Remote wipe is a legitimate, intended feature of Microsoft Intune. It exists so IT teams can erase data from lost or stolen devices — a critical capability for any organization managing a distributed device fleet. That same capability, in the wrong hands, becomes a single command that destroys an organization's entire device estate.

The attack was executed between 05:00 and 08:00 UTC. From first command to global completion: three hours. The entire global workforce arrived at work to find nothing.

"No endpoint detection tool flagged this attack. The wipe command came through a trusted, authorized channel. The security tools saw an admin doing admin things — which is exactly what made it so effective."
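As an added example (not code from the article, Stryker, or the investigators), here is a small detector that turns the observation above into something a SOC can run over tenant audit data: a single wipe by an admin looks routine, but a freshly granted Global Administrator role followed by a burst of wipe commands does not. The event schema, account names, device names and thresholds are constructed assumptions, not the real Entra ID or Intune audit log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit events in a simplified schema (not the real Entra ID /
# Intune audit format): a freshly created account is granted Global Administrator
# and then wipes 25 devices in under a minute, after one routine lost-device wipe.
SAMPLE_EVENTS = [
    {"ts": "2026-03-11T04:42:03Z", "actor": "it-admin@example.test", "activity": "Add member to role",
     "role": "Global Administrator", "target": "svc-helpdesk2@example.test"},
    {"ts": "2026-03-11T04:55:00Z", "actor": "it-admin@example.test", "activity": "Wipe",
     "target": "lost-laptop-17"},
] + [
    {"ts": f"2026-03-11T05:00:{i:02d}Z", "actor": "svc-helpdesk2@example.test",
     "activity": "Wipe", "target": f"device-{i:04d}"} for i in range(25)
]

def _ts(e):
    return datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def wipe_bursts(events, window=timedelta(minutes=10), threshold=10):
    """Sliding-window count of Wipe commands per actor. Returns (actor, burst start,
    count) once `threshold` wipes fall inside `window`: a lost-device wipe never gets
    there, a fleet-wide wipe does within seconds."""
    wipes = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["activity"] == "Wipe":
            wipes[e["actor"]].append(_ts(e))
    alerts = []
    for actor, times in wipes.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((actor, times[start], end - start + 1))
                break  # one alert per actor is enough
    return alerts

def correlate(events, grace=timedelta(hours=24)):
    """Escalate a wipe burst to 'critical' when the actor was granted Global
    Administrator less than `grace` before the burst began."""
    grants = {e["target"]: _ts(e) for e in events
              if e["activity"] == "Add member to role" and e.get("role") == "Global Administrator"}
    return [{"actor": a, "wipes": n,
             "severity": "critical" if a in grants and start - grants[a] < grace else "high"}
            for a, start, n in wipe_bursts(events)]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The thresholds are deliberately conservative; in a real tenant they should be tuned against the normal daily rate of wipes and role grants, and the role-grant half of the rule is worth alerting on by itself.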

The BYOD problem nobody anticipated

What made Stryker's incident particularly damaging was the scope of the BYOD enrollment program. Employees who had connected personal devices to access corporate email and applications had, in doing so, enrolled those devices in Intune management. The remote wipe command reached every device the MDM enrollment covered — including personally owned phones that employees had no reason to expect were at risk.

One employee in Australia described colleagues losing their personal devices along with the two-factor authentication app that was their only path back into corporate accounts. The recovery cascade — rebuilding devices, resetting credentials, re-enrolling in MFA — took weeks.

This is the hidden risk in BYOD programs that security teams often underestimate. BYOD enrollment gives IT teams the ability to wipe a device if it's lost or the employee is terminated — a capability most employees understood when they enrolled. What they didn't fully understand was that the same capability could be invoked at scale if the admin console was compromised. Intune BYOD policies that grant full-device wipe authority create a blast radius that extends far beyond the corporate estate.

What this means for your Microsoft environment

The Stryker attack is not a story about Stryker. It's a story about the control plane — the administrative layer that sits above every device, every user, every application in a Microsoft 365 environment. If someone controls the control plane, they control everything beneath it. And control plane access is protected by exactly one thing: the security posture of your administrative accounts.

A Global Administrator account protected only by a username and password — even a strong one — is not sufficient. Passwords get phished. Credentials get purchased. MFA bypass attacks are increasingly sophisticated. The question isn't whether your admin accounts are protected today; it's whether they're protected against the attack that hasn't happened yet.

The controls that would have stopped this

Privileged Identity Management (PIM): Requires admin roles to be explicitly activated for a limited time window, with justification, rather than being permanently assigned. An attacker who compromises an account with a permanently assigned Global Admin role has unlimited time to act. PIM creates a narrow window and an audit trail.

Multi-person approval for destructive actions: Intune and other modern MDM platforms support requiring multiple administrator approvals for destructive actions like enterprise wipe. No single account should be able to wipe the entire device fleet unilaterally.

Phishing-resistant MFA (FIDO2): Standard authenticator app MFA can be bypassed through real-time phishing attacks. Hardware security keys or FIDO2 passkeys are resistant to this class of attack.

Conditional Access for admin roles: Require admin functions to be performed only from managed, compliant devices at known locations — not from a laptop at a coffee shop or from an IP address that doesn't match known admin locations.

BYOD policy with work profile isolation: Configure BYOD enrollment to manage only the work profile on personal devices, without granting full-device wipe authority over personal data.

Out-of-band communication channel: When the primary communication infrastructure (Teams, email) is wiped, you need an alternative. Establish it before the incident, not during.

The lesson that applies to every firm

Stryker is a $20 billion medical device company with a global IT organization. The controls that would have prevented this attack aren't expensive. They're configuration decisions available in every Microsoft 365 tenant. The gap wasn't budget — it was a risk assessment that didn't treat the administrative control plane as the highest-value target in the environment.

For a regulated professional services firm — an RIA, a law firm, a healthcare practice — the attack surface is smaller but the consequences are just as severe. A compromised Global Admin account that issues a wipe command to your 50 enrolled devices, including the personal phones of your advisors or attorneys, is an existential event. The recovery isn't just technical. It's operational, reputational, and regulatory simultaneously.

The right question isn't "could this happen to us?" The right question is: "what would the blast radius be if someone got admin access to our Microsoft tenant today — and what have we done to limit it?"

The control plane is the highest-value target in your environment.

Privileged Identity Management, conditional access for admin roles, and BYOD policy hardening are all part of the Operational OS. Let's review your Microsoft tenant posture.