CISA warns over Microsoft Intune risks
U.S. agencies are warning organizations to harden Microsoft endpoint management after a Stryker cyberattack that wiped devices without traditional malware — a tactic that could expose transit operators' admin and OT systems. The alert underscores the urgent need for stronger access controls, multi-factor authentication, and updated incident response plans at agencies that use Microsoft Intune. (reuters.com)
Stryker reported the intrusion on March 11, 2026, and federal cybersecurity authorities publicly flagged related malicious activity on March 19, 2026. (reuters.com) (content.govdelivery.com) A group calling itself Handala claimed responsibility and publicly asserted it wiped large numbers of devices and exfiltrated data, with some claims alleging up to 200,000 devices and roughly 50 terabytes taken. (blackveilsecurity.com) (cybernews.com)

Stryker said the incident caused a global disruption to its Microsoft-based environment that affected order processing, manufacturing and shipping, and outside reporting noted that some surgeries were delayed while the company worked to restore systems. (reuters.com) (cybernews.com)

CISA’s advisory specifically referenced malicious activity targeting endpoint-management systems and instructed organizations to review Intune configurations and implement Microsoft’s published security controls while CISA coordinates with FBI partners. (content.govdelivery.com) (iex.nl)

Microsoft published prescriptive hardening guidance in mid-March 2026 recommending scoped role-based access control (RBAC), phishing-resistant multi-factor authentication, Conditional Access for privileged operations, Multi-Admin Approval for high-impact actions (including remote device actions), and use of scope tags to limit admin visibility. (techcommunity.microsoft.com) (learn.microsoft.com)

Security researchers and reporting from multiple analysts indicate that the likely vector involved compromised administrative credentials or token theft—potentially via info-stealer malware or MFA-bypass techniques—that gave attackers the ability to issue remote wipe commands through Intune’s administrative plane. (securityweek.com) (cybersecuritydive.com)
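As an added example (not code from the page, CISA, Microsoft or Stryker), the Python below flags a burst of remote wipe actions issued by a single admin identity in Intune audit events, the pattern the reporting above describes. The record layout is assumed to mirror the Microsoft Graph deviceManagement/auditEvents fields (activityDateTime, activityType, actor.userPrincipalName), the "Wipe ManagedDevice" label is likewise an assumption, and every sample event is constructed.

```python
# Added example: flag bursts of Intune remote-wipe actions per admin identity.
# Record layout is assumed (not from the page): field names mirror Microsoft
# Graph deviceManagement/auditEvents (activityDateTime, activityType,
# actor.userPrincipalName, resources). All sample events are constructed.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WIPE_ACTIVITY = "Wipe ManagedDevice"  # assumed activityType label for a wipe
_FMT = "%Y-%m-%dT%H:%M:%SZ"

def _event(ts: datetime, actor: str, device: str) -> dict:
    """Build one constructed wipe audit event in the assumed layout."""
    return {"activityDateTime": ts.strftime(_FMT), "activityType": WIPE_ACTIVITY,
            "activityResult": "Success", "actor": {"userPrincipalName": actor},
            "resources": [{"displayName": device, "type": "ManagedDevice"}]}

_T0 = datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed date
SAMPLE_EVENTS = (
    # Routine: helpdesk wipes two returned laptops on consecutive days.
    [_event(_T0, "helpdesk@example.test", "LAPTOP-0001"),
     _event(_T0 + timedelta(days=1), "helpdesk@example.test", "LAPTOP-0002")]
    # Suspicious: one admin identity wipes 12 devices 20 seconds apart.
    + [_event(_T0 + timedelta(hours=17, seconds=20 * i),
              "intune-admin-1@example.test", f"LAPTOP-{100 + i:04d}") for i in range(12)]
)

def detect_wipe_bursts(events, threshold: int = 5,
                       window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {actor: peak_count} for actors whose wipe count inside any sliding
    window reaches threshold. Input order does not matter; each actor's
    timestamps are sorted and scanned with two pointers."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev.get("activityType") != WIPE_ACTIVITY:
            continue
        ts = datetime.strptime(ev["activityDateTime"], _FMT).replace(tzinfo=timezone.utc)
        by_actor[ev["actor"]["userPrincipalName"]].append(ts)
    flagged = {}
    for actor, times in by_actor.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[actor] = peak
    return flagged
```

Run it over exported audit events; the threshold and window are tuning knobs for your environment, not values taken from the guidance.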