[ B L O G ]
When Your IT Tools Become the Weapon: Lessons from the Stryker Attack
Bogotá, Colombia – March 24, 2025.
On the morning of March 11, 2026, employees at Stryker Corporation offices across 79 countries turned on their computers and found them blank. Login screens had been replaced with the logo of a barefoot boy holding a slingshot — the symbol of Handala, an Iran-linked hacktivist group. Within hours, one of the world’s largest medical technology companies had been brought to a standstill.
This was not a ransomware attack. No malware was deployed. The attackers didn’t need any.
The threat actor used the wipe command in Intune, Microsoft’s cloud-based endpoint management service, to erase data from nearly 80,000 devices between 5:00 and 8:00 a.m. UTC on March 11. The attack was carried out after compromising an administrator account and creating a new Global Administrator account.(Source: BleepingComputer)
Stryker confirmed the incident, describing “a global network disruption to our Microsoft environment as a result of a cyberattack,” stating they had no indication of ransomware or malware and believed the incident was contained. The reality was far more severe.
The Attack, Explained
Microsoft Intune is a cloud-based platform that enables organizations to manage their entire device fleet from a single web console. When an organization enrolls a device in Intune — whether a corporate laptop or a personal phone, through a BYOD program — that device trusts Intune as an authority. An attacker with admin-level access effectively has a kill switch for every enrolled endpoint in the organization, with no custom malware required. This feature is used to enforce the user and device lifecycle. If a user leaves the organization or loses a device, an Intune administrator can remove sensitive organizational resources and data from the device, ensuring they do not fall into the wrong hands.
Many employees had enrolled in their personal phones through Stryker’s BYOD program, which meant those devices were also managed by Stryker’s IT systems — and factory reset too, wiping not just corporate apps but everything: photos, eSIMs, and the authenticator apps employees relied on for personal banking. (Source: Lumos)
And the damage didn’t stop at endpoints. Investigators found that the attackers also compromised Stryker’s Rubrik environment and destroyed the backups before executing the wipe — and Rubrik is an immutable backup platform specifically built so backups cannot be deleted or modified.
The Department of Justice formally attributed the attack to Iran’s Ministry of Intelligence and Security (MOIS). The FBI seized four Handala domains. Hours later, Handala launched replacement infrastructure and mocked the seizure on Telegram. The State Department is offering $10 million for information on the perpetrators. (Source: State of Surveillance)

This Is a Geopolitical Threat — and It's Not Over
Handala cited Stryker’s 2019 acquisition of OrthoSpace, an Israeli medical technology company, as the basis for targeting the firm. The message is explicit: any organization with business ties to Israel — acquisitions, partnerships, shared customers, investment relationships — is a potential target. (Source: 7AI)
At the time of this writing, military action against Iran is ongoing, and Iran has issued threats of retaliation that are expected to include further cyberattacks on U.S. and allied companies. (Source: HIPAA Journal)
Handala’s recent activity shows a deliberate focus on supply-chain footholds — targeting IT service providers and managed service providers to reach downstream victims. (Source: KrebsOnSecurity)
If your organization operates in North America, Latin America, or Europe — this threat is directly relevant to you.
CISA Has Spoken. The Clock Is Ticking.
CISA has issued an urgent alert for all organizations to harden their endpoint management configurations using Microsoft’s newly released best practices for securing Microsoft Intune. (Source: CISA)
The three pillars CISA identified are not future capabilities. They exist today, inside your Microsoft 365 tenant. They just need to be configured:
Least-Privilege Role Design (RBAC)
Leverage Microsoft Intune’s role-based access control to assign the minimum permissions necessary to each role — including what actions it can take and which users and devices it can affect — reducing the blast radius in the event of a compromised account.
Phishing-Resistant MFA + Privileged Access Hygiene
Use Microsoft Entra ID capabilities — Conditional Access, MFA, risk signals, and privileged access controls — to block unauthorized access to privileged actions. Standard MFA is no longer sufficient. Phishing-resistant methods like FIDO2 keys or certificate-based authentication are the new baseline for any admin account.
Multi Admin Approval
For Destructive Actions Configure policies that require a second administrator’s approval for high-impact actions such as device wiping, application deployment, RBAC changes, and script execution. This single control, had it been active at Stryker, would have stopped the mass wipe.
Synergy Advisors’ Perspective: A Strategic Response, Not Just a Technical Fix
At Synergy Advisors, we have spent years working alongside organizations across North America, Latin America, and Europe as a Microsoft strategic partner — implementing, optimizing, and securing Microsoft environments every day.
Unfortunately, the Stryker attack is not a surprise to us. It is the inevitable consequence of a gap we see consistently: organizations that have adopted powerful Microsoft tools but have not matched that adoption with the governance, identity controls, and security architecture those tools demand.
This is not a story about Microsoft Intune being insecure. It is a story about what happens when enterprise-grade power is left in the hands of inadequately protected identities. And that problem lives in almost every Microsoft tenant we have ever audited.
Here is what a strategic response looks like — and what we help our clients build:
Entra ID Privileged Identity Management (PIM)
Eliminating Standing Privilege The most dangerous word in enterprise security is “permanent.” Permanent admin roles mean that a single stolen credential is immediately a global kill switch. With PIM, roles like Global Administrator, Intune Administrator, and Exchange Admin are not permanently assigned — access is requested, time-limited, requires business justification, and triggers an approval workflow. Even a fully compromised credential cannot escalate to destructive action without alerting a second administrator. This is the control Stryker did not have, and it is available to every Microsoft 365 customer today.
Zero Trust Identity Architecture
Never Trust, Always Verify A modern Microsoft environment should treat every access request as potentially hostile — regardless of whether it originates inside the corporate network. We design Conditional Access policies that evaluate device compliance, geographic location, sign-in risk scores, and behavioral signals in real time. Anomalous activity triggers step-up authentication or blocks access entirely, before damage is done. Zero Trust is not a product you buy — it is an architecture you build
Intune Security Baseline & Governance Hardening
Many organizations discover, during our initial conversations, that their Intune environment was configured for convenience rather than security: broad admin scopes, no scope tags, no Multi Admin Approval, no device compliance gates — each one a potential attack path. We conduct structured reviews against Microsoft’s security baselines and CISA’s hardening guidance, then implement RBAC segmentation, Multi Admin Approval policies, and device compliance requirements systematically
Microsoft Sentinel
Visibility Before It’s Too Late the Stryker attack succeeded in part because anomalous activity was not detected in time. A new Global Admin account was created in the middle of the night and mass wipe commands were issued before dawn, highly unusual for any organization. Microsoft Sentinel, properly configured, changes that equation. We implement Sentinel with custom detection rules tailored to your environment to discover unauthorized role elevation, bulk device management commands, suspicious sign-in patterns, and more. Our goal is not just to investigate after an incident — it is to give your team a fighting chance to respond while the attack is still in progress.
Supply Chain & Third-Party Risk
The Overlooked Exposure Handala’s documented strategy includes targeting IT service providers to reach downstream clients. If you work with external technology partners — and virtually every enterprise does — your security posture is also a function of your partners’ security posture. We help clients define and enforce security requirements for third-party access to their Microsoft environments, including scoped service accounts, conditional access for external identities, and regular access reviews.
Security Awareness & Incident Readiness
Technical controls are only as strong as the people operating them. We work with organizations to build phishing-resistant cultures through targeted simulations, role-specific awareness programs, and admin and end user trainings that test your incident response before the real scenario arrives.
The Question to Ask Your Team Today
If an attacker compromised one of your Global Administrator accounts tomorrow morning — at 3:30 AM, while your team is asleep — how many devices could they wipe before anyone noticed? How much approval would it require? How long before your first alert fires?
Many organizations believe they already have strong control. The real-world configuration, however, often tells a different story: broad roles, exception paths, stale accounts, and approval workflows that are incomplete or untested. (Source: Windows Forum)
CISA is working with the FBI to determine whether other organizations face similar exposure. This is not hypothetical. It is an active, escalating threat — and the window to act before you become the next case study is open right now.
Is your Microsoft environment built to withstand this kind of attack?
The Stryker incident is a reminder that cybersecurity is not a background function — it is a strategic imperative. The controls that could have prevented this attack are not exotic or out of reach. They are already inside your Microsoft 365 tenant, waiting to be properly configured, governed, and monitored.
At Synergy Advisors, our team of Microsoft-certified experts works with organizations across North America, Latin America, and Europe to design and implement security architectures that are resilient by design — not by luck. Whether you are starting from scratch or looking to strengthen what you already have, we bring the technical depth, the strategic vision, and the hands-on experience to get it done right.
The question is not whether a threat like this could reach your organization. The question is whether your environment is ready when it does.
Build a Secure, Governed, and Future-Ready Microsoft Environment with Expert Guidance
Leverage the expertise of our specialists to design, implement, and optimize a Microsoft environment that is secure, well-governed, and ready to face today’s evolving threats. From strategy to execution, we help you strengthen your security posture, ensure compliance, and stay one step ahead with a proactive, expert-led approach.

Author

Nicolas Alarcon
Marketing Coordinator