Security News

Iran-linked hacktivist group Handala compromised a Stryker administrator account, created a rogue Global Administrator in Microsoft Entra ID, then issued mass wipe commands through Microsoft Intune, wiping approximately 80,000 managed devices in under three hours. No malware was deployed; the attacker weaponized legitimate endpoint management tooling. The incident exposes a critical and replicable threat vector for any enterprise running cloud-based MDM or UEM platforms.

Between 05:00 and 08:00 UTC on March 11, 2026, an attacker holding Global Administrator credentials used Microsoft Intune's native wipe command to erase data from approximately 80,000 Stryker-managed devices. The attack required no custom malware, no exploited CVE, and no persistence mechanism beyond the compromised credentials and the rogue Global Administrator account created with them. This is a textbook living-off-the-land (LotL) destructive operation: the threat actor turned the organization's own endpoint management infrastructure into a weapon. The Intune wipe command, a legitimate administrative function designed for device lifecycle management and lost-device scenarios, executed exactly as intended. The tooling worked perfectly. That is the problem.

The attacker's operational sequence matters for detection engineering. They first compromised an existing administrator account, then created a new Global Administrator account before executing the wipe campaign. This two-step escalation, compromise followed by the creation of a persistent privileged identity, is a common pattern in cloud identity attacks. In Entra ID it leaves a specific footprint: an "Add user" audit event followed shortly by an "Add member to role" event in the RoleManagement category naming the Global Administrator role, both initiated by the already-compromised account. A net-new Global Administrator assignment should generate high-fidelity alerts in any mature identity monitoring program: Entra ID audit logs record it, Microsoft Sentinel can alert on it, and Privileged Identity Management (PIM) raises its own security alert when roles are assigned directly rather than through PIM. Whether those controls existed, fired, or were acted upon is not confirmed by available reporting. That gap is itself a finding.
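As an added illustration of that identity-log footprint (example code written for this page, not Stryker's, Microsoft's or the article's detection logic), the following Python scans Entra ID audit-log records for direct Global Administrator assignments and separately flags the stronger signal of an account that was created and promoted within the same short window. The sample records are constructed; the field names mirror the Entra audit-log export shape as assumed here (activityDisplayName, initiatedBy, targetResources[].modifiedProperties), and the UPNs, timestamps and one-hour window are hypothetical.

```python
"""Flag Global Administrator assignments in Microsoft Entra ID audit-log records.

Added example, not the article's or any vendor's code. Field names follow the
Entra audit-log export shape as assumed here; confirm them against a real export.
"""
import json
from datetime import datetime, timedelta, timezone

# Role template ID of the built-in Global Administrator role (same in every tenant).
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample export: a new user is created, promoted to Global Administrator
# two minutes later, and a different user gets a non-GA role hours afterwards.
# All names and timestamps are hypothetical.
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDateTime": "2026-03-11T04:41:10.3318442Z",
     "activityDisplayName": "Add user", "category": "UserManagement",
     "initiatedBy": {"user": {"userPrincipalName": "it.admin@example.com"}},
     "targetResources": [{"userPrincipalName": "svc-backup@example.com",
                          "modifiedProperties": []}]},
    {"activityDateTime": "2026-03-11T04:43:05.0012000Z",
     "activityDisplayName": "Add member to role", "category": "RoleManagement",
     "initiatedBy": {"user": {"userPrincipalName": "it.admin@example.com"}},
     "targetResources": [{"userPrincipalName": "svc-backup@example.com",
                          "modifiedProperties": [
                              {"displayName": "Role.DisplayName",
                               "newValue": "\"Global Administrator\""},
                              {"displayName": "Role.TemplateId",
                               "newValue": "\"62e90394-69f5-4237-9190-012177145e10\""}]}]},
    {"activityDateTime": "2026-03-11T09:15:00Z",
     "activityDisplayName": "Add member to role", "category": "RoleManagement",
     "initiatedBy": {"user": {"userPrincipalName": "it.admin@example.com"}},
     "targetResources": [{"userPrincipalName": "helpdesk@example.com",
                          "modifiedProperties": [
                              {"displayName": "Role.DisplayName",
                               "newValue": "\"Helpdesk Administrator\""},
                              {"displayName": "Role.TemplateId",
                               "newValue": "\"729827e3-9c14-49f7-bb1b-9608f156bbb8\""}]}]},
])


def load_records(export_text):
    """Parse a JSON array export of audit records."""
    return json.loads(export_text)


def _timestamp(value):
    # Entra emits ISO 8601 with seven fractional digits; drop fractions for portability.
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def _unquote(value):
    # modifiedProperties values arrive JSON-encoded, e.g. "\"Global Administrator\"".
    try:
        parsed = json.loads(value)
        return parsed if isinstance(parsed, str) else value
    except (TypeError, ValueError):
        return value


def _actor(record):
    # Assignments can be made by a user or by an application (service principal).
    who = record.get("initiatedBy", {})
    if who.get("user"):
        return who["user"].get("userPrincipalName", "<unknown user>")
    if who.get("app"):
        return "app:" + who["app"].get("displayName", "<unknown app>")
    return "<unknown>"


def _role_template_id(record):
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.TemplateId":
                return _unquote(prop.get("newValue"))
    return None


def find_global_admin_assignments(records):
    """Return one finding per direct Global Administrator assignment."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") != "Add member to role":
            continue
        if _role_template_id(rec) != GLOBAL_ADMIN_TEMPLATE_ID:
            continue
        findings.append({
            "when": _timestamp(rec["activityDateTime"]),
            "actor": _actor(rec),
            "target": rec["targetResources"][0].get("userPrincipalName"),
        })
    return findings


def find_new_account_promotions(records, window_seconds=3600):
    """GA assignments whose target account was created within the window beforehand.

    A freshly created account promoted straight to Global Administrator is the
    attacker's own persistence step and deserves higher severity than a GA
    assignment to a long-standing account.
    """
    created_at = {}
    for rec in records:
        if rec.get("activityDisplayName") == "Add user":
            upn = rec["targetResources"][0].get("userPrincipalName")
            created_at[upn] = _timestamp(rec["activityDateTime"])
    promotions = []
    for finding in find_global_admin_assignments(records):
        born = created_at.get(finding["target"])
        if born is None:
            continue
        age = finding["when"] - born
        if timedelta(0) <= age <= timedelta(seconds=window_seconds):
            promotions.append({**finding, "account_age_seconds": int(age.total_seconds())})
    return promotions


if __name__ == "__main__":
    recs = load_records(SAMPLE_AUDIT_LOG)
    for hit in find_global_admin_assignments(recs):
        print("GA assigned:", hit)
    for hit in find_new_account_promotions(recs):
        print("NEW ACCOUNT PROMOTED TO GA:", hit)
```

Matching on the role template ID rather than the display name keeps the rule working in tenants where role names are localized, and the second function is the one worth paging on: a Global Administrator assignment to an account that did not exist an hour ago has almost no benign explanation.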

The Handala group claimed to have wiped over 200,000 systems and exfiltrated 50 terabytes of data. Stryker's investigation, conducted by Microsoft DART and Palo Alto Networks Unit 42, found no evidence of data exfiltration as of the company's latest update. The discrepancy between attacker claims and investigative findings is typical of hacktivist threat actors, who routinely inflate impact for psychological and reputational effect. Security teams should treat unverified attacker claims as influence operation artifacts, not confirmed facts, until forensics corroborate them. The device wipe count discrepancy (attacker: 200,000+ versus investigator estimate: ~80,000) follows the same pattern.

The healthcare sector impact deserves specific attention. Stryker's electronic ordering systems went offline, forcing manual order processing through sales representatives. While the company confirmed that all medical devices remain safe (the attack was confined to the corporate Microsoft environment), the supply chain disruption for a medical technology company carries downstream patient care risk. Hospitals and healthcare systems dependent on Stryker consumables, implants, or surgical equipment face fulfillment delays during recovery. That operational consequence is a foreseeable result of targeting an organization where supply continuity directly touches patient outcomes, and plausibly part of the intent. Iran-linked actors have demonstrated sustained interest in disrupting the healthcare sector, and this incident fits that pattern.

For security operations teams, the detection and prevention priorities from this incident are clear. Cloud identity governance is the primary control failure surface: Global Administrator assignments should be eligible rather than permanent, activated through PIM with approval and MFA, and alerted on immediately whenever a direct assignment bypasses that path. Global Administrator should also not be the role used to run Intune day to day; Intune RBAC roles scoped to device groups and scope tags cap how many devices any one administrator can wipe. Conditional Access governs sign-in and session conditions, not individual Intune actions, so friction for mass destructive actions has to come from an approval step inside Intune (its multi-admin approval access policies, to the extent they cover the action in your tenant) and from narrowly scoped wipe authority. BYOD enrollment policies are a secondary exposure: employees who enrolled personal devices in the company MDM environment lost personal data. Organizations should evaluate whether full BYOD enrollment in Intune is necessary or whether alternative access models (app protection policies without enrollment, or BYOD-specific compliance profiles that stop short of full device management) reduce that blast radius. The incident is a strong argument for tiered MDM enrollment with least-privilege scoping on wipe authority.

  • Audit all Global Administrator role assignments immediately. Unauthorized GA assignment is a high-confidence indicator of this attack pattern; make GA assignments eligible rather than permanent so activation passes through PIM approval, and alert on any direct assignment that bypasses PIM.
  • Put an approval step and tight RBAC scoping in front of bulk Intune wipes. A single compromised GA account should not be able to wipe tens of thousands of devices in under three hours without human intervention; Conditional Access does not gate individual Intune actions, so the control has to live in Intune role scoping and, where available, multi-admin approval.
  • Review BYOD enrollment policies in your MDM platform. Employees enrolled in full device management lost personal data; consider app protection policies without enrollment as an alternative that limits organizational wipe authority over personal devices.
  • Treat attacker-claimed impact figures as influence operation artifacts until forensic investigation corroborates them. Handala claimed 200,000 devices and 50 TB exfiltrated; investigators confirmed roughly 80,000 devices wiped and found no evidence of exfiltration.
  • Validate that Entra ID Privileged Identity Management (PIM) alerts and audit log alerting cover new privileged role assignments in near-real-time. This attack had a detectable footprint in identity logs before the wipe campaign executed.
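To show what the bulk-wipe bullet looks like as detection rather than policy, here is an added example (my code, not Stryker's, Microsoft's or the article's) that scans Intune audit events for wipe and retire actions and raises an alert when one actor issues at least a threshold number of them inside a sliding window. The events are constructed; the field names (displayName, actor.userPrincipalName, activityDateTime, resources) follow the Intune audit-event shape as assumed here, and the default of 25 destructive actions in 10 minutes is a hypothetical starting point to tune against your own change volume.

```python
"""Alert on bursts of Intune wipe/retire actions by a single actor.

Added example; not the article's or any vendor's code. Intune audit-event field
names are an assumption, check them against deviceManagement/auditEvents output.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Device actions treated as destructive. The displayName values are assumed.
DESTRUCTIVE_ACTIONS = {"Wipe ManagedDevice", "Retire ManagedDevice"}

# Hypothetical tuning: this many destructive actions by one actor inside the
# window is outside any normal change process.
DEFAULT_THRESHOLD = 25
DEFAULT_WINDOW_SECONDS = 600


def _event(actor_upn, action, device_name, when):
    return {
        "displayName": action,
        "activityDateTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "actor": {"userPrincipalName": actor_upn},
        "resources": [{"displayName": device_name}],
    }


def build_sample_events():
    """Construct sample events: routine wipes over a week, then a mass-wipe burst."""
    events = []
    routine_start = datetime(2026, 3, 4, 10, 0, tzinfo=timezone.utc)
    for day in range(3):
        events.append(_event("it.admin@example.com", "Wipe ManagedDevice",
                             f"LT-{day:04d}", routine_start + timedelta(days=day)))
    burst_start = datetime(2026, 3, 11, 5, 2, 0, tzinfo=timezone.utc)
    # One non-destructive action from the rogue account, so the action filter matters.
    events.append(_event("svc-backup@example.com", "Sync ManagedDevice",
                         "LT-0100", burst_start - timedelta(minutes=1)))
    # 120 wipes in two minutes from the rogue account.
    for i in range(120):
        events.append(_event("svc-backup@example.com", "Wipe ManagedDevice",
                             f"LT-{100 + i:04d}", burst_start + timedelta(seconds=i)))
    return events


def _timestamp(value):
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def _actor(event):
    actor = event.get("actor", {})
    return actor.get("userPrincipalName") or actor.get("applicationDisplayName") or "<unknown>"


def peak_burst_per_actor(events, window_seconds=DEFAULT_WINDOW_SECONDS):
    """For each actor, the largest number of destructive actions inside any one window."""
    times_by_actor = defaultdict(list)
    for ev in events:
        if ev.get("displayName") in DESTRUCTIVE_ACTIONS:
            times_by_actor[_actor(ev)].append(_timestamp(ev["activityDateTime"]))
    window = timedelta(seconds=window_seconds)
    peaks = {}
    for actor, times in times_by_actor.items():
        times.sort()
        left, best_count, best_start = 0, 0, None
        for right, t in enumerate(times):
            # Slide the left edge forward until every event in [left, right] fits the window.
            while t - times[left] > window:
                left += 1
            count = right - left + 1
            if count > best_count:
                best_count, best_start = count, times[left]
        peaks[actor] = {"count": best_count, "window_start": best_start}
    return peaks


def detect_bulk_wipes(events, threshold=DEFAULT_THRESHOLD, window_seconds=DEFAULT_WINDOW_SECONDS):
    """Alerts for actors whose peak burst meets the threshold."""
    alerts = []
    for actor, peak in peak_burst_per_actor(events, window_seconds).items():
        if peak["count"] >= threshold:
            alerts.append({"actor": actor, "actions_in_window": peak["count"],
                           "window_start": peak["window_start"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_wipes(build_sample_events()):
        print("BULK WIPE ALERT:", alert)
```

The sliding window is the part that matters: a fixed per-hour count would miss a burst that straddles an hour boundary, and keying on the actor rather than the tenant keeps a busy day of legitimate device retirements by several administrators from looking like one attack. In a real deployment this would run on a schedule against exported audit events, and an alert at 25 would fire within minutes of a campaign that ultimately touched 80,000 devices.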

Author

Tech Jacks Solutions
