Security Analysis · March 2026

What Happened to Stryker?
Lessons from a Global Cyberattack on Microsoft Infrastructure

In March 2026, Stryker Corporation suffered a major cyberattack that disrupted operations globally — wiping corporate devices and forcing thousands of employees offline via compromised Microsoft infrastructure.

In March 2026, attackers wiped thousands of corporate devices inside Stryker's Microsoft environment — not with malware, but using legitimate administrative tools. The medical technology giant's operations were disrupted globally, forcing thousands of employees offline within hours.

Early reports indicate the attack was carried out by a group claiming affiliation with a pro-Iranian hacking collective. The attackers allegedly wiped large numbers of corporate devices and caused widespread disruption across Stryker's Microsoft-based infrastructure.

While investigations are still ongoing, the incident provides a clear example of how modern enterprise environments can be disrupted when identity and device management systems are compromised.

Understanding how attacks like this happen is important for any organisation relying on Microsoft 365, Entra ID, or Intune — regardless of size. According to Microsoft, identity-based attacks now represent the majority of enterprise breaches. The Stryker incident is a high-profile example of exactly that pattern.

What was affected

Employees across Stryker's environment reported:

  • Corporate laptops became unusable
  • Some company phones were remotely wiped
  • Internal systems and applications were unavailable
  • Employees were told to disconnect devices from the network
  • Attacker messages appeared on screens before devices lost access

Why it matters

This type of attack does not require traditional malware. Attackers used legitimate enterprise administration capabilities to issue destructive commands at scale.

  • No custom malware needed — only admin access
  • A single admin account can affect thousands of devices
  • Actions mimic normal administration, evading alerts
  • Microsoft Intune can wipe endpoints in seconds
  • Smaller organisations have fewer protections in place

The typical attack chain

While the exact entry point at Stryker has not been publicly confirmed, incidents of this type follow a well-documented pattern.

1. Identity compromise

An attacker gains access to an administrator account via phishing, credential reuse, token theft, or malicious OAuth application consent. Once in, the attacker effectively becomes a legitimate administrator inside the environment.

2. Privilege escalation

If the initial account lacks full control, attackers move toward higher-privilege roles — Global Administrator, Intune Administrator, or Privileged Role Administrator. At this point, tenant-wide control is within reach.

3. Abuse of legitimate tools

Rather than deploying malware, attackers use built-in platform features: issuing remote wipe commands through Intune, pushing scripts to managed devices, disabling security policies, and creating backdoor admin accounts. These actions look like normal administration.

4. Large-scale disruption

With control of identity systems or device management, an attacker can disrupt the entire organisation in minutes. A single command in Intune can wipe thousands of endpoints simultaneously — which appears to be precisely what happened at Stryker.

Why identity is now the primary target. If attackers gain control of Microsoft Entra ID, Intune, or Microsoft 365 administrative roles, they effectively control the organisation. Traditional perimeter defences provide no protection against this. Identity protection and privileged access controls are now critical security requirements — not optional extras.

How Intune makes mass destruction possible

In environments using Microsoft Intune, an administrator can issue a remote wipe command to any managed endpoint through the Intune portal or via the Microsoft Graph API. If an attacker gains access to an Intune Administrator or Global Administrator account — through phishing, token theft, or credential reuse — a single command can remove corporate data from thousands of devices within minutes. No malware required. No access to the internal network needed, since the management plane is cloud-hosted. Just a legitimate admin action executed at scale.

This is precisely why privileged role assignments in Microsoft 365 are now a primary attack target. The blast radius of a single compromised admin account has never been larger.

Phishing / credential theft → Entra ID compromise → Admin role obtained → Intune device control → Mass endpoint wipe

Could the Stryker attack happen in Microsoft 365 environments?

Many organisations assume these incidents only affect large enterprises. In reality, smaller companies often have fewer protections in place — and are actively targeted because of it. The Microsoft 365 administrative features that allowed attackers to wipe Stryker's devices are present in every M365 tenant, regardless of company size.

  • Too many Global Administrators — each one is a potential entry point
  • Permanent privileged roles instead of just-in-time access via PIM
  • Missing or weak Conditional Access policies
  • Legacy authentication protocols still enabled
  • No monitoring or alerting on administrative actions
  • Unused or unreviewed admin accounts still active

These gaps can allow an attacker to take full control of an environment within minutes of compromising a single account.

How to reduce the risk in your tenant

  • Phishing-resistant MFA: enforce for all administrators. Password-only access is not sufficient.
  • Privileged Identity Management: replace permanent admin roles with just-in-time access via PIM.
  • Limit Global Admins: most tenants need two at most. Audit and remove unnecessary assignments.
  • Conditional Access: restrict sign-in by device compliance, location, and risk level.
  • Admin activity monitoring: alert on unusual administrative actions across M365 and Intune.
  • Disable legacy authentication: block protocols that bypass MFA entirely. A common and avoidable gap.

Get a Microsoft 365 security review

If your organisation relies on Microsoft 365, you should verify that a compromised administrator account could not trigger a tenant-wide incident. A Microsoft 365 tenant security review identifies configuration gaps that allow attackers to escalate privileges or issue destructive administrative commands. Email incident@iterik.ie or use the form below.

Typical review cost: €299 for small tenants.