CISA warned U.S. organizations to follow Microsoft guidance to strengthen the Intune endpoint management tool after a cyberattack exploited it to wipe medical technology giant Stryker's systems.
Microsoft published guidance on hardening Intune administrative controls days after Stryker was breached in an incident claimed by Handala, an Iranian-linked and pro-Palestinian hacktivist group.
The hackers claim that they stole 50 terabytes of data before using the built-in wipe command in Microsoft's Intune cloud-based endpoint management tool to erase nearly 80,000 devices in the early morning of March 11.
A source familiar with the incident told BleepingComputer that the attackers carried out the wipe using a new Global Administrator account, created after they had compromised an existing administrator account.
CISA is now urging all U.S. organizations to harden their Intune environments so they are more resilient against similar attacks on their own networks.
"CISA is aware of malicious cyber activity targeting endpoint management systems of U.S. organizations based on the March 11, 2026 cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment," the U.S. cybersecurity agency said on Wednesday.
"To defend against similar malicious cyber activity, CISA urges organizations to harden endpoint management system configurations using the recommendations and resources provided in this alert."
CISA's recommendations apply to Microsoft Intune as well as other endpoint management software. They call for IT administrators to follow a least-privilege approach for admin roles, assigning only the permissions each role needs through Microsoft Intune's role-based access control (RBAC).
Admins should also enforce MFA and privileged-access hygiene to block unauthorized use of privileged actions in Intune (via Microsoft Entra ID features such as Conditional Access, risk signals, and MFA), and require multi-admin approval for sensitive actions such as device wipes, application updates, and RBAC modifications.
"When combined, these practices help you shift from relying on 'trusted administrators' toward building a more protected administration by design: least-privilege to contain impact, Microsoft Entra-based controls to ensure users are trusted and are who they say they are, and multi-admin approval to govern the changes that matter most," Microsoft says.
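The attack pattern described in this article, many wipe commands issued in a short window by a freshly created Global Administrator account, is something defenders can look for in Intune audit data. The script below is an added example, not code from the article, CISA or Microsoft: the audit records and account-creation timestamps are constructed, and the field names are assumed to resemble the Microsoft Graph auditEvent shape, so map them to your own export before use.

```python
"""Flag suspicious Intune wipe activity in audit events (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, actor, device, activity="wipe ManagedDevice"):
    # Constructed record; field names assumed to mirror Graph deviceManagement/auditEvents.
    return {"activityDateTime": ts, "activityType": activity,
            "actor": {"userPrincipalName": actor}, "resources": [{"displayName": device}]}


# Constructed sample: one routine wipe by a long-standing admin, one non-wipe change,
# and six wipes in five minutes from an account created hours earlier.
SAMPLE_AUDIT_EVENTS = [
    _ev("2026-03-09T14:05:00Z", "ops-admin@example.com", "LAPTOP-0042"),
    _ev("2026-03-11T03:00:00Z", "svc-backup-admin@example.com", "LAPTOP-0001",
        "update DeviceConfiguration"),
] + [_ev(f"2026-03-11T03:0{i}:15Z", "svc-backup-admin@example.com", f"LAPTOP-{i:04d}")
     for i in range(6)]

# Constructed: account creation times, as you would pull them from Entra ID user objects.
ACCOUNT_CREATED = {
    "ops-admin@example.com": "2024-06-01T00:00:00Z",
    "svc-backup-admin@example.com": "2026-03-10T22:41:00Z",
}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_bulk_wipes(events, window=timedelta(minutes=10), threshold=5):
    """Return {actor: peak count} for actors issuing >= threshold wipes within any window."""
    per_actor = defaultdict(list)
    for e in events:
        if "wipe" in e["activityType"].lower():
            per_actor[e["actor"]["userPrincipalName"]].append(parse_ts(e["activityDateTime"]))
    flagged = {}
    for actor, times in per_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[actor] = max(flagged.get(actor, 0), end - start + 1)
    return flagged


def wipes_by_new_accounts(events, created, max_age=timedelta(days=7)):
    """Return sorted actors that issued a wipe within max_age of their account's creation."""
    hits = set()
    for e in events:
        if "wipe" not in e["activityType"].lower():
            continue
        actor = e["actor"]["userPrincipalName"]
        if actor in created and parse_ts(e["activityDateTime"]) - parse_ts(created[actor]) <= max_age:
            hits.add(actor)
    return sorted(hits)
```

Both checks are deliberately simple thresholds; tune the window, threshold and account age to your environment's normal wipe volume so routine offboarding does not trip them.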