Lock down Microsoft Intune, feds warn after Stryker attack

Iran-linked attackers wiped employees' devices using Intune

Jessica Lyons
Thu 19 Mar 2026 // 16:00 UTC

The US government has urged companies to better secure Microsoft Intune, an endpoint management tool that was abused in last week's cyberattack against med-tech firm Stryker.

Handala, a group linked to Iran's intelligence agency, claimed responsibility for the attack, which knocked some of the surgical equipment maker's networks offline and continues to affect shipping and ordering systems.

Stryker has publicly said the attack affected its Microsoft environment, and a source familiar with the investigation confirmed to The Register that the attackers wiped employees' devices using Intune. Microsoft to date has declined to comment.

In a Wednesday security alert, the US Cybersecurity and Infrastructure Security Agency (CISA) said it is "aware of malicious cyber activity targeting endpoint management systems of US organizations" following the Stryker intrusion, and urged companies to follow Microsoft's best practices for securing Intune. Redmond published this guidance three days after the cyberattack.

Among the recommendations: apply the principle of least privilege when designing administrative roles. This can prevent someone who has breached Intune – as appears to have been the case in the Stryker intrusion – from creating new admin accounts and using them to control employees' access to internal systems and issue wipe commands. Companies should use Intune's role-based access controls to assign each role only the minimum permissions it needs for day-to-day operations.
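A concrete way to act on that recommendation is to audit who actually holds an Intune role that can wipe or retire devices, or that can create and assign roles, and at what scope. The PowerShell script below is an added example for this article; it is not code from Microsoft, CISA or Stryker. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Authentication and Microsoft.Graph.Groups) for the live path, the v1.0 `/deviceManagement/roleAssignments` endpoint with a readable `roleDefinition` navigation property, and that the permission action names in your tenant match wildcard patterns such as `*_ManagedDevices_Wipe*` and `*_Roles_Assign*`; all of those are assumptions to confirm against what your tenant returns. The `-Offline` switch runs the same reporting logic over a constructed sample so it can be tried without a tenant.

```powershell
<#
  Added example (not from the article, Microsoft, CISA or Stryker): report Intune
  RBAC assignments whose role can wipe/retire/delete devices or manage Intune roles,
  which Entra groups hold them, and whether the scope is tenant-wide.
  Assumptions to verify in your tenant: the Graph v1.0 paths under /deviceManagement
  used below, the readable roleDefinition navigation on each assignment, and the
  permission action names (e.g. Microsoft.Intune_ManagedDevices_Wipe) the patterns match.
  Live path needs Microsoft.Graph.Authentication and Microsoft.Graph.Groups installed.
#>
param([switch]$Offline)

# Permission-name patterns a least-privilege review should flag (assumed names).
$SensitiveActions = @{
    'Wipe/retire/delete devices' = @('*_ManagedDevices_Wipe*', '*_ManagedDevices_Retire*', '*_ManagedDevices_Delete*')
    'Manage Intune roles'        = @('*_Roles_Create*', '*_Roles_Update*', '*_Roles_Delete*', '*_Roles_Assign*')
}

function Test-MatchesAny {
    param([string]$Value, [string[]]$Patterns)
    foreach ($p in $Patterns) { if ($Value -like $p) { return $true } }
    return $false
}

function Get-SensitiveActions {
    # Returns category -> matched action names for one role definition (empty if benign).
    param($RoleDefinition)
    $allowed = @($RoleDefinition.rolePermissions |
        ForEach-Object { $_.resourceActions } |
        ForEach-Object { $_.allowedResourceActions })
    $hits = @{}
    foreach ($category in $SensitiveActions.Keys) {
        $matched = @($allowed | Where-Object { Test-MatchesAny $_ $SensitiveActions[$category] } | Sort-Object -Unique)
        if ($matched.Count -gt 0) { $hits[$category] = $matched }
    }
    return $hits
}

function Get-GraphCollection {
    # Follows @odata.nextLink so large tenants are fully enumerated.
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

function Get-IntuneRoleAssignmentReport {
    # One row per assignment whose role carries a sensitive permission.
    param($Assignments, [scriptblock]$ResolveGroup = { param($Id) $Id })
    foreach ($a in $Assignments) {
        $hits = Get-SensitiveActions $a.roleDefinition
        if ($hits.Count -eq 0) { continue }
        # resourceScope limits the assignment to listed groups; allDevices, allLicensedUsers and
        # allDevicesAndLicensedUsers are tenant-wide and deserve the closest look.
        $scope = if ($a.scopeType -eq 'resourceScope') { 'groups: ' + ($a.scopeMembers -join ', ') } else { $a.scopeType }
        [pscustomobject]@{
            Assignment = $a.displayName
            Role       = $a.roleDefinition.displayName
            BuiltIn    = [bool]$a.roleDefinition.isBuiltIn
            HeldBy     = ($a.members | ForEach-Object { & $ResolveGroup $_ }) -join ', '
            Scope      = $scope
            Sensitive  = ($hits.Keys | ForEach-Object { "$_ [$($hits[$_] -join ', ')]" }) -join '; '
        }
    }
}

if ($Offline) {
    # Constructed sample data: a custom role that can wipe every device, and a read-only role.
    $assignments = @(
        @{ displayName = 'Field support - all devices'; scopeType = 'allDevices'; members = @('Field Support'); scopeMembers = @()
           roleDefinition = @{ displayName = 'Field support (custom)'; isBuiltIn = $false
               rolePermissions = @(@{ resourceActions = @(@{ allowedResourceActions = @(
                   'Microsoft.Intune_ManagedDevices_Read', 'Microsoft.Intune_ManagedDevices_Wipe',
                   'Microsoft.Intune_ManagedDevices_Retire') }) }) } },
        @{ displayName = 'Reporting'; scopeType = 'allDevicesAndLicensedUsers'; members = @('Audit Team'); scopeMembers = @()
           roleDefinition = @{ displayName = 'Read Only Operator'; isBuiltIn = $true
               rolePermissions = @(@{ resourceActions = @(@{ allowedResourceActions = @(
                   'Microsoft.Intune_ManagedDevices_Read', 'Microsoft.Intune_Organization_Read') }) }) } }
    )
    Get-IntuneRoleAssignmentReport $assignments | Format-Table -AutoSize
} else {
    Connect-MgGraph -Scopes 'DeviceManagementRBAC.Read.All', 'Group.Read.All' -NoWelcome
    $base = 'https://graph.microsoft.com/v1.0/deviceManagement'
    $assignments = Get-GraphCollection "$base/roleAssignments"
    foreach ($a in $assignments) {
        # Assumption: the roleDefinition navigation property is readable per assignment.
        $a.roleDefinition = Invoke-MgGraphRequest -Method GET -Uri "$base/roleAssignments/$($a.id)/roleDefinition"
    }
    $resolve = { param($Id) try { (Get-MgGroup -GroupId $Id -ErrorAction Stop).DisplayName } catch { $Id } }
    Get-IntuneRoleAssignmentReport $assignments -ResolveGroup $resolve | Format-Table -AutoSize
}
```

Against the constructed sample only the "Field support" assignment is reported, flagged for wipe and retire at allDevices scope; the read-only assignment produces no row. Two caveats when reading the live output: Intune RBAC is not the whole picture, because Entra directory roles such as Global Administrator and Intune Administrator grant full Intune rights regardless of any Intune role assignment, and app registrations holding the Graph permission DeviceManagementManagedDevices.PrivilegedOperations.All can issue wipe and retire actions without appearing here, so both need the same least-privilege review.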
The threat involves attackers compromising Microsoft Intune, an endpoint management system, to perform administrative actions such as wiping employee devices, as demonstrated in an Iran-linked attack against Stryker. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert urging organizations to follow Microsoft's best practices, specifically implementing least-privilege principles and role-based access controls within Intune to limit administrative permissions.