The U.S. government is warning companies to better secure their Microsoft Intune management environments following a cyberattack on medical technology company Stryker. The attack exploited endpoint management software.
The alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) underscores how attractive endpoint management systems have become to attackers. The alert follows a cyberattack on the U.S. medical technology company Stryker that compromised its Microsoft environment. According to CISA, the attackers exploited legitimate management tools, making the attack difficult to detect and significantly increasing its impact.
The attack also had direct consequences for Stryker’s business operations. Parts of the network went offline, disrupting logistics and causing delays in medical procedures. This makes it clear that attacks on IT management systems are no longer limited to digital damage but can also affect physical processes, especially in sectors such as healthcare.
From Microsoft’s perspective, the attack method used is particularly relevant. The attackers reportedly gained access to Stryker’s Intune environment and created new administrative accounts there. This effectively allowed them to take control of systems and access levels within the organization. This approach fits into a broader trend in which attackers focus not on software vulnerabilities, but on identity and access management as their primary attack vector.
Although CISA’s warning formally pertains to endpoint management systems broadly, Microsoft Intune is central given its role in the Stryker attack and its widespread use in enterprise environments. In many cases, access to such platforms directly translates to control over devices, users, and corporate data.
Microsoft Security Guidelines Central to CISA Advisory
In its advisory, CISA explicitly cites Microsoft’s guidelines for securing Intune environments. This places Microsoft as both part of the infrastructure and part of the solution. The emphasis is on restricting permissions, enforcing strong authentication, and adding additional control mechanisms around sensitive actions. This approach aligns with Microsoft’s Zero Trust strategy, in which no user or action is trusted by default.
The role of Entra ID is becoming increasingly important in this context. Features such as Conditional Access and risk-based access control enable detection of anomalous behavior and dynamic access restriction. In theory, this can prevent a compromised account from gaining full control over an administrative environment. In practice, however, the effectiveness of these measures depends heavily on configuration and usage within organizations.
Also notable is the emphasis on additional approval mechanisms for critical actions within Intune. Requiring multiple administrators for significant changes, such as configuration modifications or device wipes, indicates a shift toward stricter internal control models. This is intended to prevent a single compromised account from causing large-scale damage.
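As an added illustration (not from the CISA advisory, Microsoft, or the original article), the following Python check scans constructed, simplified audit records for the pattern described above: a freshly created account being granted a privileged Intune or Entra role. The flattened record shape, the activity names and the role names are assumptions, not a real export format.

```python
from datetime import datetime, timedelta

# Constructed sample records (assumption: a flattened form of Entra ID directory
# audit entries; real exports are nested and carry many more fields).
SAMPLE_AUDIT_LOG = [
    {"time": "2024-01-01T02:10:00Z", "activity": "Add user",
     "actor": "svc-helpdesk@example.com", "target": "maint-admin@example.com", "role": None},
    {"time": "2024-01-01T02:14:00Z", "activity": "Add member to role",
     "actor": "svc-helpdesk@example.com", "target": "maint-admin@example.com",
     "role": "Intune Administrator"},
    {"time": "2024-01-01T09:00:00Z", "activity": "Add member to role",
     "actor": "it-lead@example.com", "target": "longtime.admin@example.com",
     "role": "Intune Administrator"},
    {"time": "2024-01-01T10:00:00Z", "activity": "Add member to role",
     "actor": "it-lead@example.com", "target": "reader@example.com",
     "role": "Global Reader"},
]

# Roles whose assignment amounts to control over Intune-managed devices and users.
PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator",
                    "Privileged Role Administrator"}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_admin_grants(records, window=timedelta(hours=24)):
    """Return one finding per privileged role grant; grants to an account created
    within `window` beforehand are ranked 'high', all others 'review'."""
    created_at = {}  # target UPN -> (creation time, creating actor)
    findings = []
    for rec in sorted(records, key=lambda r: r["time"]):  # ISO timestamps sort lexically
        if rec["activity"] == "Add user":
            created_at[rec["target"]] = (_parse(rec["time"]), rec["actor"])
        elif rec["activity"] == "Add member to role" and rec["role"] in PRIVILEGED_ROLES:
            severity, reason = "review", "privileged role granted"
            if rec["target"] in created_at:
                when, creator = created_at[rec["target"]]
                age = _parse(rec["time"]) - when
                if age <= window:
                    severity = "high"
                    reason = f"account created {int(age.total_seconds() // 60)} min earlier by {creator}"
            findings.append({"severity": severity, "target": rec["target"],
                             "role": rec["role"], "actor": rec["actor"], "reason": reason})
    return findings
```

In a real deployment the same rule would run over exported Entra audit logs and feed a review queue; the point is that a role grant shortly after account creation deserves a second administrator's approval, which is what the multi-admin approval model aims to enforce.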
According to reports by Bloomberg, the pro-Iranian group Handala claimed responsibility for the attack. Although such claims are not always independently confirmed, this fits within a broader trend in which geopolitical tensions are also translating into digital attacks on commercial organizations.