Issue · June 30, 2026

Stryker, March 2026

A compromised Global Admin account. Microsoft Intune turned into a weapon. Roughly 200,000 devices wiped across 79 countries.

Privileged Access Management · Access Management · Identity Governance and Administration

What happened

On March 11, 2026, the Iran-linked Handala threat group used compromised Microsoft Entra ID Global Admin credentials to access Stryker Corporation's Microsoft Intune endpoint management environment and issue device wipe commands across the company's global device fleet.

Public reporting indicates between 80,000 and 200,000 devices were wiped across 79 countries. Employees across Stryker's offices in those countries arrived to wiped or non-functional devices on March 11 and 12. Stryker took systems offline for containment and published customer-facing updates about the network disruption on March 15.

The attack required no malware and no zero-day exploit. It used legitimate administrative tooling abused at scale. Seven days after the attack, CISA issued an alert urging US organizations to harden their endpoint management system configurations. On April 7, 2026, CISA, in coordination with FBI, NSA, DOE, EPA, and US Cyber Command, issued a broader joint advisory on Iran-linked cyber activity targeting US critical infrastructure that cited the Stryker incident as a representative case.

The IAM control that failed

Four control failures compounded into one of the most consequential identity incidents on record.

Standing Global Admin privileges with tenant-wide blast radius. The compromised account possessed Microsoft Entra ID Global Admin permissions, which grant unrestricted control over the entire Microsoft environment, including Intune. CISA's response advisory explicitly emphasizes the principle of least privilege. Standing Global Admin permissions are rarely necessary for day-to-day operations but create catastrophic risk when compromised. Microsoft's own guidance is to keep this number small (typically fewer than five) and use Privileged Identity Management for just-in-time elevation rather than standing assignments. The number of standing Global Admin accounts in the Stryker tenant at the time of the attack is not in the public record.

Authentication on the Global Admin account did not survive an adversary-in-the-middle phishing attack. As with the Hims and Hers case, MFA factor type matters. Phishing-resistant authentication (FIDO2/WebAuthn) defeats this pattern. Push, SMS, and code-based MFA do not. The specific MFA factor in use at Stryker is not in the public record, but the success of the attack tells the story.

Absence of multi-admin approval for destructive operations. Microsoft Intune supports a multi-admin approval workflow for high-impact actions, including tenant-wide device wipes. With this control enabled, no single administrator can execute a destructive operation at scale without a second administrator's authorization. CISA's advisory explicitly recommends this control. Public reporting indicates it was not in place at the time of the attack.

Conditional access did not scope privileged actions to expected contexts. The administrative actions were executed from outside the contexts where they would normally be expected. Strong conditional access policies for privileged accounts (requiring privileged access workstations, specific network locations, or elevated authentication for destructive operations) would have constrained the attacker's ability to execute the wipe at scale. The specific conditional access posture at Stryker is not in the public record.

What a competent IAM program would have caught

Privileged account governance that keeps standing Global Admin to single digits, with just-in-time elevation through Privileged Identity Management for the rest, removes most of the attack surface. The compromised credential would have granted access to a much smaller blast radius.

Phishing-resistant authentication on every privileged account closes the access vector. FIDO2/WebAuthn hardware-bound authenticators do not relay through attacker-controlled phishing pages.

Multi-admin approval on high-impact Intune operations transforms a single-credential compromise into a two-credential requirement for destructive action. The attacker would have needed a second compromised admin to complete the wipe, which is materially harder.

Conditional access policies that scope privileged actions to known contexts (PAWs, defined network locations, elevated authentication) shrink the operational surface where a compromised credential can act. Attempts to execute tenant-wide actions from unexpected contexts trigger blocks or step-up challenges.

Each of these is a documented Microsoft-recommended control. None of them is novel. The pattern across the four failures is the same: standard controls existed and were not implemented.
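The conditional access control described above, as an added example that is not part of the teardown and not Microsoft's own sample: a report-only policy that targets Global Administrator role members and requires both a compliant device and the built-in phishing-resistant authentication strength, followed by a check of which policies targeting that role carry an authentication strength. It assumes the Microsoft.Graph PowerShell SDK; the policy display name and the break-glass exclusion placeholder are made up here.

```powershell
# Added example (not from the teardown or from Microsoft). Assumes the Microsoft.Graph
# PowerShell SDK and an account allowed to write conditional access policies.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All' -NoWelcome

# Well-known Microsoft IDs: the Global Administrator role template and the
# built-in "Phishing-resistant MFA" authentication strength.
$gaTemplateId           = '62e90394-69f5-4237-9190-012177145e10'
$phishResistantStrength = '00000000-0000-0000-0000-000000000004'

$policy = @{
    displayName = 'CA-PRIV-01 Global Admin: compliant device + phishing-resistant MFA'   # placeholder name
    # Start in report-only mode: sign-in logs show what would be blocked before enforcement.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeRoles = @($gaTemplateId)                       # scoped by role, not by named users
            excludeUsers = @('<BREAK-GLASS-ACCOUNT-OBJECT-ID>')   # placeholder: always exclude emergency access accounts
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'AND'                            # both controls must be satisfied
        builtInControls        = @('compliantDevice')             # a PAW deployment would narrow this further with a device filter
        authenticationStrength = @{ id = $phishResistantStrength }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} in state {1}" -f $created.Id, $created.State

# Verify: every non-disabled policy that targets the Global Admin role should carry
# an authentication strength; anything reporting NONE still allows weaker MFA factors.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.Users.IncludeRoles -contains $gaTemplateId -and $_.State -ne 'disabled' } |
    ForEach-Object {
        $strength = $_.GrantControls.AuthenticationStrength.Id
        "{0,-70} auth strength: {1}" -f $_.DisplayName, $(if ($strength) { $strength } else { 'NONE' })
    }
```

Leave the policy in report-only mode until the sign-in log shows no legitimate administrator would be blocked, then switch `state` to `enabled`.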

Open questions

The specific MFA factor type in use at Stryker on the compromised Global Admin account is not in the public record.

The full number of Global Admin accounts in the tenant at the time of the attack is not disclosed.

The specific conditional access policies in place for privileged accounts have not been described publicly.

How the compromised credentials were obtained is described as adversary-in-the-middle phishing, but the specific lure and delivery vector are not fully disclosed.

The full operational and financial impact has not been quantified publicly by Stryker.

What this means for your program

Five questions to take to your IAM team this week.

How many standing Global Admin accounts do we have in our Entra ID tenant, and is that number defensible? Microsoft's guidance is fewer than five, with Privileged Identity Management for just-in-time elevation rather than standing assignments.

Is multi-admin approval enabled for high-impact Intune operations, particularly tenant-wide device wipe? If not, what is the path to enabling it, and what is the timeline?

What MFA factor type is enforced on every privileged account in our environment? If we are not using phishing-resistant authentication (FIDO2/WebAuthn) on privileged accounts, what is the remediation plan and the timeline?

Do our privileged accounts access administrative tooling from privileged access workstations, or from the same devices and identities used for everyday work? What conditional access policies enforce that separation?

If a Global Admin account were compromised today, what is the blast radius? What destructive operations could a compromised account execute without a second approver? What detection do we have for unusual administrative actions, and how fast would we respond?
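One way to answer the first and third questions above from your own tenant, as an added example that is not part of the teardown: it counts standing (permanent) Global Admin assignments separately from PIM activations, compares the count with the "fewer than five" guidance quoted above, and reports whether each standing admin has a phishing-resistant method registered. It assumes the Microsoft.Graph PowerShell SDK and a tenant licensed for Privileged Identity Management, so the role-assignment schedule instance API is available; the threshold variable is ours.

```powershell
# Added example (not from the teardown). Assumes the Microsoft.Graph PowerShell SDK
# and a PIM-licensed tenant.
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Directory.Read.All','UserAuthenticationMethod.Read.All' -NoWelcome

$gaTemplateId    = '62e90394-69f5-4237-9190-012177145e10'   # well-known Global Administrator role template ID
$standingCeiling = 5                                         # the "fewer than five" guidance quoted in the teardown

# Schedule instances show the current state: 'Assigned' = permanent (standing),
# 'Activated' = a just-in-time PIM activation that expires on its own.
$instances = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All `
    -Filter "roleDefinitionId eq '$gaTemplateId'"
$standing  = @($instances | Where-Object AssignmentType -eq 'Assigned')
$activated = @($instances | Where-Object AssignmentType -eq 'Activated')

Write-Host "Standing Global Admin assignments: $($standing.Count) (guidance: fewer than $standingCeiling)"
Write-Host "Currently activated through PIM:   $($activated.Count)"
if ($standing.Count -ge $standingCeiling) { Write-Warning 'Standing Global Admin count is at or above guidance.' }

# Resolve principal IDs to directory objects (users, groups or service principals).
$principals = Get-MgDirectoryObjectById -Ids @($standing.PrincipalId | Select-Object -Unique)

# Methods Microsoft counts as phishing-resistant; the teardown focuses on FIDO2/WebAuthn.
$strongTypes = @('#microsoft.graph.fido2AuthenticationMethod',
                 '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod')

foreach ($p in $principals) {
    $type = $p.AdditionalProperties['@odata.type']
    $name = $p.AdditionalProperties['userPrincipalName']
    if (-not $name) { $name = $p.AdditionalProperties['displayName'] }
    if ($type -ne '#microsoft.graph.user') {
        # A group or service principal holding standing Global Admin is itself a finding.
        Write-Warning "$name ($type) holds standing Global Admin; review its membership and credentials."
        continue
    }
    $types   = @(Get-MgUserAuthenticationMethod -UserId $p.Id | ForEach-Object { $_.AdditionalProperties['@odata.type'] })
    $strong  = @($types | Where-Object { $strongTypes -contains $_ })
    # Push, SMS and code-based factors: the ones the teardown says do not survive AiTM phishing.
    $weak    = @($types | Where-Object { $_ -match 'phone|softwareOath|microsoftAuthenticator' })
    $status  = if ($strong.Count -gt 0) { 'phishing-resistant method registered' } else { 'NO phishing-resistant method' }
    "{0,-45} {1,-38} weaker methods registered: {2}" -f $name, $status, $weak.Count
}
```

A registered FIDO2 key does not by itself prove enforcement; pair this inventory with a conditional access policy that requires the phishing-resistant authentication strength for the role.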

Sources

See the sources block in this teardown's frontmatter for the canonical reference list. Primary sources for the analysis above: CISA Alert of March 18, 2026 on the Stryker incident; CISA Joint Advisory AA26-098A of April 7, 2026 on Iran-linked critical infrastructure activity; Stryker Corporation's own customer communications; and named technical analysis in Security Boulevard and at Glueckkanja.

If this teardown raised a question about your own controls, get in touch and we will reply with a vendor-neutral read on your specific control set. No sales call attached.
