CISA flags Intune risk
After the Stryker incident where attackers mass‑wiped devices via a compromised Microsoft Intune setup, U.S. agencies urged companies to harden Intune, enforce MFA, and tighten privileged access controls — regulators are treating cloud management tools as high‑impact attack vectors. The advisory underlines that misconfigured endpoint management can enable large, rapid breaches across enterprise fleets. (reuters.com)
Stryker disclosed the incident on March 11, 2026 and said the event was contained to its internal Microsoft environment while teams worked to restore electronic ordering and customer-facing systems. (stryker.com) The Cybersecurity and Infrastructure Security Agency published an advisory on March 18, 2026 and said it was coordinating with the Federal Bureau of Investigation to identify additional threats and recommend mitigations. (cisa.gov) Microsoft posted "Best practices for securing Microsoft Intune" guidance on March 14, 2026 that explicitly recommends least-privilege RBAC, phishing-resistant authentication, and enabling Multi Admin Approval for sensitive Intune actions. (techcommunity.microsoft.com)

Independent incident analyses and some media reports put the scale differently: Critical Start and Forbes cited more than 200,000 wiped devices in reporting that aggregates vendor and forensic timelines. (criticalstart.com; forbes.com) Other contemporaneous reports described lower counts, with one customer-facing summary reporting nearly 80,000 employee devices erased and TechCrunch using the phrase "tens of thousands" to describe the scope. (isec.news; techcrunch.com)

Multiple outlets and security firms attribute the operation to an Iran-linked actor known as Handala, which publicly claimed responsibility on March 11 via Telegram posts. (reuters.com) Forensic writeups say the adversary appears to have obtained privileged Microsoft Entra (Azure AD) administrative credentials and used native Intune management commands to execute wide-scale wipes without deploying endpoint ransomware or traditional malware. (criticalstart.com; techcommunity.microsoft.com)
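Because the wipes were issued through legitimate management commands rather than malware, the defender's signal is in the Intune audit trail: one identity issuing many wipe or retire actions in a short window. The following is an added example (not code from CISA, Microsoft, or any of the cited reports) of that burst detection. The record shape (`activityType`, `activityDateTime`, `actor.userPrincipalName`, `resources[].displayName`) is assumed to follow the Microsoft Graph `deviceManagement/auditEvents` schema, the activity strings and all identities and device names are constructed, and the threshold and window are arbitrary starting points a team would tune to its own help-desk baseline.

```python
"""Flag identities that issue a burst of wipe/retire actions in Intune-style audit events.

Added example. Field names are ASSUMED to mirror Microsoft Graph
deviceManagement/auditEvents; every value below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, upn, activity, device=None):
    """Build one constructed audit record in the assumed Graph-like shape."""
    return {
        "activityDateTime": ts,
        "activityType": activity,
        "actor": {"userPrincipalName": upn},
        "resources": [{"displayName": device}] if device else [],
    }


# Constructed sample: one identity wipes six devices in under a minute, while a
# help-desk account performs two wipes ten hours apart plus an unrelated change.
SAMPLE_EVENTS = [
    _ev("2026-03-11T02:00:05Z", "svc-intune-admin@contoso.example", "wipe ManagedDevice", "LAPTOP-0001"),
    _ev("2026-03-11T02:00:09Z", "svc-intune-admin@contoso.example", "wipe ManagedDevice", "LAPTOP-0002"),
    _ev("2026-03-11T02:00:14Z", "svc-intune-admin@contoso.example", "wipe ManagedDevice", "LAPTOP-0003"),
    _ev("2026-03-11T02:00:20Z", "svc-intune-admin@contoso.example", "wipe ManagedDevice", "LAPTOP-0004"),
    _ev("2026-03-11T02:00:27Z", "svc-intune-admin@contoso.example", "wipe ManagedDevice", "LAPTOP-0005"),
    _ev("2026-03-11T02:00:33Z", "svc-intune-admin@contoso.example", "wipe ManagedDevice", "LAPTOP-0006"),
    _ev("2026-03-10T16:00:00Z", "helpdesk@contoso.example", "wipe ManagedDevice", "LAPTOP-0390"),
    _ev("2026-03-11T01:55:00Z", "helpdesk@contoso.example", "wipe ManagedDevice", "LAPTOP-0417"),
    _ev("2026-03-11T02:01:00Z", "helpdesk@contoso.example", "patch DeviceConfiguration"),
]


def _parse_ts(value):
    """Parse a Graph-style UTC timestamp such as 2026-03-11T02:00:05Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_mass_action(events, action_keywords=("wipe", "retire"),
                       window=timedelta(minutes=10), threshold=5):
    """Return one finding per actor whose destructive actions exceed `threshold`
    within any sliding `window`. Each finding carries the densest window seen."""
    by_actor = defaultdict(list)
    for ev in events:
        activity = ev.get("activityType", "").lower()
        if not any(k in activity for k in action_keywords):
            continue  # configuration edits and other non-destructive actions are ignored
        actor = (ev.get("actor") or {}).get("userPrincipalName", "<unknown>")
        devices = [r.get("displayName") for r in ev.get("resources", []) if r.get("displayName")]
        by_actor[actor].append((_parse_ts(ev["activityDateTime"]), devices))

    findings = []
    for actor, items in by_actor.items():
        items.sort(key=lambda item: item[0])
        best = None
        start = 0
        for end in range(len(items)):
            # Advance the window start until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "actor": actor,
                    "count": count,
                    "window_start": items[start][0],
                    "window_end": items[end][0],
                    "devices": sorted(d for _, ds in items[start:end + 1] for d in ds),
                }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_mass_action(SAMPLE_EVENTS):
        span = (f["window_end"] - f["window_start"]).total_seconds()
        print(f"{f['actor']}: {f['count']} destructive actions in {span:.0f}s "
              f"across {len(f['devices'])} devices")
```

The two-pointer sweep keeps the check linear per actor, so it can run over a day of exported audit events without trouble; in practice the same logic would be fed from a scheduled Graph export or a SIEM query, and a finding would be paired with the Multi Admin Approval and privileged-role review the Microsoft guidance recommends.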