On March 11, a Fortune 500 medical device company had its entire IT environment wiped. This wasn’t caused by ransomware or a rare zero-day exploit. Instead, an Iran-linked group called Handala somehow gained access to Stryker’s Microsoft Intune admin credentials and triggered a remote wipe. Over 200,000 devices in nearly 80 countries were erased at once—laptops, phones, servers, and even personal devices enrolled through BYOD. The attackers also defaced Entra login pages with their logo. Stryker reported the incident to the SEC the same day. It was a nightmare scenario.
There was no malware involved, and no firewall appears to have been breached in the usual way. The attackers gained privileged access to a central identity and device management console and used its legitimate admin features to carry out the attack. Every action looked like it came from an authorized administrator. Take a moment to let that sink in, then keep reading.
This is exactly the kind of scenario I described in my recent paper, “Identity as the Security Control Plane: Why 2025 Was the Year We Finally Admitted the Network Isn’t in Charge Anymore.” The Stryker incident isn’t a rare exception—it’s proof of my main point, demonstrated by an attacker in real time. Not exactly the validation I wanted.
Identity Is the Battleground. Stryker Proves It.
We’ve spent years strengthening network perimeters, adding endpoint detection tools, and running phishing simulations—and we still need to do those things. But attackers have changed tactics. They no longer need to break down our defenses if they can use valid credentials to get in. Stryker is the latest example. The attackers didn’t exploit a flaw in Intune; they took over a Global Administrator account and used a built-in feature to wipe devices. This is what ‘living off the land’ means when your identity infrastructure is the target. Endpoint detection tools won’t easily catch a legitimate remote wipe command from an authorized admin console. Even if you monitor for it, the alerts can quickly become overwhelming. This attack happened entirely within the identity layer.
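One way to keep a legitimate-looking wipe from drowning a SOC in per-device alerts is to sessionize destructive admin actions per actor and raise a single alert per burst. The following is an added example written for this post, not Stryker's code and not anything Microsoft ships; the event layout (actor, action, target, time) is a constructed, simplified schema, so a real Intune audit feed would need a small adapter to map its fields onto it.

```python
"""Sessionize device-wipe audit events so a mass wipe raises one alert per
actor burst instead of one alert per device.

Added example, not Stryker's or Microsoft's code. The event layout below
(actor, action, target, time) is a constructed, simplified schema; the real
Intune audit log has a different shape and would need a small adapter.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that destroy or remove a managed device (constructed names).
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "delete"}

# Constructed sample: a helpdesk admin wipes two lost laptops hours apart
# (normal), while another account issues fifteen wipes in under two minutes.
SAMPLE_EVENTS = [
    {"actor": "helpdesk@corp.example", "action": "wipe", "target": "LT-0001",
     "time": "2026-03-11T09:00:00"},
    {"actor": "helpdesk@corp.example", "action": "sync", "target": "LT-0003",
     "time": "2026-03-11T09:05:00"},
    {"actor": "helpdesk@corp.example", "action": "wipe", "target": "LT-0002",
     "time": "2026-03-11T14:30:00"},
] + [
    {"actor": "globaladmin@corp.example", "action": "wipe",
     "target": f"DEV-{i:04d}",
     "time": f"2026-03-11T03:{i // 8:02d}:{(i % 8) * 7:02d}"}
    for i in range(15)
]


def _sessions(events, gap):
    """Split one actor's time-sorted events into runs in which each event
    follows the previous one by no more than `gap`."""
    runs, current = [], []
    for e in events:
        if current and e["_t"] - current[-1]["_t"] > gap:
            runs.append(current)
            current = []
        current.append(e)
    if current:
        runs.append(current)
    return runs


def detect_wipe_bursts(events, threshold=10, gap=timedelta(minutes=5)):
    """Return one alert per actor per run of >= `threshold` destructive
    actions whose consecutive events are at most `gap` apart."""
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] in DESTRUCTIVE_ACTIONS:
            per_actor[e["actor"]].append(
                {**e, "_t": datetime.fromisoformat(e["time"])})
    alerts = []
    for actor, evs in per_actor.items():
        evs.sort(key=lambda e: e["_t"])
        for run in _sessions(evs, gap):
            if len(run) >= threshold:
                alerts.append({
                    "actor": actor,
                    "count": len(run),
                    "first": run[0]["time"],
                    "last": run[-1]["time"],
                    "targets_sample": [e["target"] for e in run[:5]],
                })
    return alerts


if __name__ == "__main__":
    for a in detect_wipe_bursts(SAMPLE_EVENTS):
        print(f"ALERT {a['actor']}: {a['count']} destructive actions "
              f"between {a['first']} and {a['last']}")
```

Run against the constructed sample, the helpdesk account's two isolated wipes produce nothing, while the fifteen-wipe burst produces exactly one alert carrying the count, the time span and a handful of target IDs. The threshold and gap are the tuning knobs: a lower threshold catches smaller bulk operations at the cost of more alerts from legitimate offboarding.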
In 2025, credential-based attacks made up 22% of all breaches, surpassing every other way attackers first get in. Identity-based attacks increased by 82% year over year. The pattern is clear: attackers steal credentials, use trust relationships, move laterally with legitimate access, and carry out their attack while pretending to be authorized users. That’s exactly what happened to Stryker. In this case, it seems they skipped moving laterally and went straight for the main target, but we’ll learn more as details emerge.
Uncomfortable Questions
If you’re a CISO, the Stryker breach should make you pause and think. How many Global Administrator accounts do you have in your Microsoft environment? Are they protected with phishing-resistant MFA, or are you still using push notifications that can be tricked? Do you require more than one person to approve destructive actions like mass device wipes? Could one compromised account bring down your whole organization tomorrow? These are real questions now, not just hypotheticals.
The Stryker breach proved that a compromised identity can be more damaging than malware. No malicious code was needed. One key opened one door; the platform handled the rest. Stryker is a $25 billion company with 56,000 employees, yet their identity controls failed. Are you confident yours wouldn’t? Unless you invest carefully and stay focused, you probably shouldn’t be.
What You Should Be Doing About It
My full paper goes into these points in detail, but the Stryker breach highlights a few key recommendations. Use phishing-resistant MFA for every privileged account, or better, for everyone. FIDO2 passkeys and hardware security keys tie authentication to specific devices and require physical confirmation. Set up privileged access management with just-in-time elevation and require more than one person to approve major actions. No single account should be able to wipe out all devices without oversight. If one compromised admin credential can wipe 200,000 devices, those controls are missing or not set up for this situation. Both issues can be fixed.
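The three controls above (phishing-resistant MFA on the requester, just-in-time elevation that is still valid, and more than one person approving a bulk wipe) can be expressed as one policy decision. The block below is an added example written for this post to show that decision logic; it is not an Intune feature, not Stryker's code, and the directory records, authentication-method names and elevation fields are constructed for illustration.

```python
"""Policy gate for bulk device wipes: phishing-resistant authentication,
a still-valid just-in-time elevation, and two distinct approvers for any
wipe above a small threshold.

Added example illustrating the controls described in the post; it is not
an Intune feature and not Stryker's code. The directory records, auth
method names and elevation fields are constructed for the example.
"""
from datetime import datetime

PHISHING_RESISTANT = {"fido2", "passkey", "certificate"}
BULK_THRESHOLD = 5        # wipes above this many devices need approvals
REQUIRED_APPROVERS = 2

# Constructed directory: roles held, how each account last authenticated,
# and when its privileged role's just-in-time elevation expires.
DIRECTORY = {
    "admin1@corp.example": {"roles": {"Global Administrator"},
                            "auth_method": "push",
                            "elevated_until": "2026-03-11T04:00:00"},
    "admin2@corp.example": {"roles": {"Global Administrator"},
                            "auth_method": "fido2",
                            "elevated_until": "2026-03-11T04:00:00"},
    "approver1@corp.example": {"roles": {"Wipe Approver"},
                               "auth_method": "fido2",
                               "elevated_until": None},
    "approver2@corp.example": {"roles": {"Wipe Approver"},
                               "auth_method": "passkey",
                               "elevated_until": None},
}


def authorize_bulk_wipe(requester, device_ids, approvals,
                        directory=DIRECTORY, now=None):
    """Return (allowed, reasons). `approvals` is the set of accounts that
    explicitly approved this specific request; self-approval never counts."""
    now = now or datetime.fromisoformat("2026-03-11T03:00:00")
    reasons = []
    user = directory.get(requester)
    if user is None or "Global Administrator" not in user["roles"]:
        return False, ["requester lacks a role permitted to wipe devices"]

    # Control 1: the requester's session must rest on phishing-resistant MFA.
    if user["auth_method"] not in PHISHING_RESISTANT:
        reasons.append(f"requester authenticated with '{user['auth_method']}', "
                       "which is not phishing-resistant")

    # Control 2: the privileged role must be elevated right now, not standing.
    elevated = user["elevated_until"]
    if elevated is None or datetime.fromisoformat(elevated) < now:
        reasons.append("requester's privileged role is not currently elevated")

    # Control 3: bulk wipes need two distinct, properly authenticated approvers
    # who are not the requester.
    if len(device_ids) > BULK_THRESHOLD:
        valid = {a for a in approvals
                 if a != requester
                 and "Wipe Approver" in directory.get(a, {}).get("roles", set())
                 and directory[a]["auth_method"] in PHISHING_RESISTANT}
        if len(valid) < REQUIRED_APPROVERS:
            reasons.append(f"bulk wipe of {len(device_ids)} devices has "
                           f"{len(valid)} valid approvals, needs {REQUIRED_APPROVERS}")
    return (not reasons), reasons


if __name__ == "__main__":
    fleet = [f"DEV-{i:04d}" for i in range(200)]
    print(authorize_bulk_wipe("admin1@corp.example", fleet, set()))
    print(authorize_bulk_wipe("admin2@corp.example", fleet,
                              {"approver1@corp.example", "approver2@corp.example"}))
```

The point of returning every failed reason rather than the first is that an audit record of a denied bulk wipe should show which controls the request tripped. A push-MFA admin with no approvals trips two at once; the same request from a FIDO2-authenticated admin with two independent approvers passes, and a request where the admin approves their own wipe is still short one approver.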
Many of us have seen MDM and UEM platforms as just operational tools, not as critical as domain controllers or identity providers. That thinking has to change. The Stryker attack showed that device management platforms are a central control point. If attackers get in, these platforms can be turned into powerful weapons.
Focus on building identity-aware resilience. Backup infrastructure credentials must live in a separate identity domain. If your backup admin accounts are in the same Entra ID tenant that was compromised, your recovery plan won’t work.
The Bigger Picture
The world is unsettled, and Stryker was targeted by a nation-state actor as a geopolitical statement. But the mechanism (identity compromise leading to administrative abuse) is identical to what financially motivated criminals and ransomware operators use all the time. Geopolitics is the headline. Identity failure is the lesson.
We’ve reached a turning point. Identity is now the real control plane for security, whether we’ve invested in it or not. The Stryker breach is a clear reminder of the difference between understanding this and actually putting it into practice.
I wrote the full paper because CISOs need a practical, evidence-based framework to move toward identity-first security. It covers topics like phishing-resistant MFA, building identity-aware resilience, simplifying detection, managing vendor risk, and governing AI and SaaS. If the Stryker case makes you think you have work to do, you probably do. Read the paper and start making changes.
Focus on real solutions. Strengthen your defenses where attacks are actually happening.
A Note on the Use of AI in This Document
This document, its outline, opinions, and initial verbiage were created manually. AI tools were used in editing, research, and refinement of this document for readability.