Medical Device Giant Hit with Mass Device Wipe Attack
Stryker, one of the world's largest medical technology companies, suffered a significant cyberattack last week that remotely wiped tens of thousands of employee devices across its internal Microsoft environment. The incident, first reported by BleepingComputer on March 16, 2026, stands out not just for its scale, but for how it was executed: no malware was deployed.
The attackers gained access to Stryker's Microsoft tenant and leveraged the company's own device management infrastructure — specifically Microsoft Intune or equivalent mobile device management (MDM) tooling — to issue remote wipe commands to employee endpoints. The result was the erasure of data on tens of thousands of laptops, workstations, and mobile devices across the organization.
What Happened
According to BleepingComputer's reporting, the attack was confined to Stryker's internal Microsoft environment. Attackers who obtained sufficient access to the Microsoft tenant were able to:
- Issue remote wipe commands through Microsoft's native MDM capabilities
- Target enrolled employee devices at scale
- Erase device contents without needing to deploy any malicious code to individual endpoints
This is a fundamentally different attack model from ransomware or wiper-malware campaigns. Rather than deploying ransomware such as BlackByte or Cl0p, or a destructive wiper such as HermeticWiper, the attackers turned Stryker's own device management systems into the weapon.
Why This Attack Is Significant
Living-Off-the-Land at Enterprise Scale
The attack is a large-scale application of Living-off-the-Land (LotL) to cloud management infrastructure. Endpoint detection tools look for malware signatures, process anomalies, and suspicious executables. An Intune wipe arrives at the endpoint as a legitimately signed management command that the operating system's MDM client is designed to honor; no new binary runs, so most endpoint security products have little or nothing to trigger on.
| Traditional Wiper Attack | Stryker-Style Attack |
|---|---|
| Malware deployed to endpoints | No malware on endpoints |
| Detectable by AV/EDR | No malicious binary for AV/EDR to flag |
| Requires lateral movement per host | Single MDM command targets thousands |
| Signatures available post-analysis | No malware to analyze |
| Blocked by application allowlisting | Stopped only by tenant access controls and MDM role scoping |
The Blast Radius of Compromised Microsoft Tenants
Enterprise Microsoft tenants — Azure AD / Entra ID combined with Intune — are capable of managing the entire device fleet of a global organization. A single privileged account or service principal with sufficient rights can issue commands that affect every enrolled device simultaneously.
This incident underscores that the security perimeter for modern enterprises is no longer the network edge; it is the identity plane. Tenant admin accounts and Intune roles are Tier 0 assets and need the same rigor as on-premises domain controllers. That is now a baseline requirement, not a best practice.
Scope and Impact
| Metric | Detail |
|---|---|
| Devices affected | Tens of thousands of employee endpoints |
| Attack vector | Microsoft tenant access → MDM remote wipe |
| Malware involved | None |
| Systems targeted | Internal Microsoft environment |
| Operational impact | Mass device erasure; recovery operations underway |
| Company size | Stryker: ~51,000 employees globally (2025) |
Stryker, headquartered in Kalamazoo, Michigan, reported approximately $22.6 billion in revenue in 2024 and operates in over 75 countries. The company manufactures surgical equipment, orthopedic implants, neurotechnology, and emergency medical products. Any disruption to its internal operations has direct downstream implications for hospital supply chains and medical device distribution.
Attack Vector Analysis
How Attackers Gain MDM Wipe Capability
To issue remote wipe commands through Microsoft Intune or similar MDM tools, an attacker needs one of the following:
- Global Administrator privileges in the Microsoft 365 / Entra ID tenant
- Intune Administrator role
- An Intune RBAC role assignment (built-in or custom) whose permission set includes the device Wipe remote action, scoped to the target devices
- A compromised service principal or workload identity holding the Microsoft Graph application permission DeviceManagementManagedDevices.PrivilegedOperations.All, which the managed-device wipe action requires
The most common pathways to reaching these privilege levels include:
- Phishing / MFA bypass — AiTM (Adversary-in-the-Middle) proxy phishing that relays the login to Microsoft and captures the session cookie or token issued after the victim completes MFA; the stolen session replays as fully authenticated, so push and TOTP MFA do not help
- Token theft — Stealing refresh tokens or Primary Refresh Tokens from compromised workstations, or access tokens from cloud workloads, so the attacker never needs a password or an MFA prompt
- Privileged account compromise — Targeting IT administrators directly with spearphishing or credential stuffing
- Third-party app abuse — Overprivileged OAuth applications granted device management scopes that can be exploited if the app is compromised
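As an added example (not Stryker's code and not part of BleepingComputer's reporting), the following Python script enumerates who in a tenant can issue a wipe, which is the first check a practitioner should run after reading the list above. It works offline on constructed, Graph-shaped data; in a real tenant the two inputs would be the `GET /v1.0/directoryRoles?$expand=members` response and each service principal's app role assignments resolved to permission names. The role names and the Graph permission name are documented values; the sample principals, the placeholder GUIDs, and the limit on standing wipe-capable users are assumptions. It does not cover Intune's own RBAC assignments (`deviceManagement/roleAssignments`), which are a third source of wipe capability and would need the same treatment.

```python
"""Enumerate principals that can issue Intune remote wipes.

Added example; not Stryker's or Microsoft's code. Runs offline on constructed,
Graph-shaped data (labelled below). Real inputs would come from:
  GET /v1.0/directoryRoles?$expand=members
  GET /v1.0/servicePrincipals/{id}/appRoleAssignments, each appRoleId resolved
  against the Microsoft Graph service principal's appRoles list.
"""
from __future__ import annotations
from dataclasses import dataclass

# Entra built-in roles with full Intune rights (documented role names).
WIPE_CAPABLE_DIRECTORY_ROLES = {"Global Administrator", "Intune Administrator"}
# Graph application permission required by POST /deviceManagement/managedDevices/{id}/wipe
WIPE_APP_PERMISSION = "DeviceManagementManagedDevices.PrivilegedOperations.All"
# Assumed policy limit on standing (non-PIM) users who can wipe the fleet.
MAX_STANDING_WIPE_USERS = 2

# Constructed sample, shaped like GET /directoryRoles?$expand=members
SAMPLE_DIRECTORY_ROLES = {
    "value": [
        {"displayName": "Global Administrator",
         "members": [{"@odata.type": "#microsoft.graph.user", "userPrincipalName": "ga-breakglass@example.com"},
                     {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "jdoe@example.com"}]},
        {"displayName": "Intune Administrator",
         "members": [{"@odata.type": "#microsoft.graph.user", "userPrincipalName": "mdm-ops@example.com"}]},
        {"displayName": "Helpdesk Administrator",   # cannot wipe; must not be flagged
         "members": [{"@odata.type": "#microsoft.graph.user", "userPrincipalName": "helpdesk1@example.com"}]},
    ]
}

# Constructed sample: one entry per service principal, app role IDs already
# resolved to permission names. GUIDs are placeholders.
SAMPLE_SERVICE_PRINCIPALS = [
    {"displayName": "Patch Automation", "appId": "11111111-1111-1111-1111-111111111111",
     "grantedAppRoles": ["DeviceManagementManagedDevices.Read.All"]},
    {"displayName": "Legacy MDM Connector", "appId": "22222222-2222-2222-2222-222222222222",
     "grantedAppRoles": ["DeviceManagementManagedDevices.PrivilegedOperations.All",
                         "DeviceManagementManagedDevices.ReadWrite.All"]},
]


@dataclass(frozen=True)
class Finding:
    principal: str   # UPN or app display name
    kind: str        # "user" or "servicePrincipal"
    via: str         # the role or permission that confers wipe


def wipe_capable_users(directory_roles: dict) -> list[Finding]:
    """Members of directory roles that carry full Intune rights."""
    findings = []
    for role in directory_roles.get("value", []):
        if role.get("displayName") not in WIPE_CAPABLE_DIRECTORY_ROLES:
            continue
        for member in role.get("members", []):
            is_sp = member.get("@odata.type", "").endswith("servicePrincipal")
            name = member.get("userPrincipalName") or member.get("displayName", "?")
            findings.append(Finding(name, "servicePrincipal" if is_sp else "user", role["displayName"]))
    return findings


def wipe_capable_apps(service_principals: list[dict]) -> list[Finding]:
    """Service principals granted the Graph permission that the wipe action requires."""
    return [Finding(sp["displayName"], "servicePrincipal", WIPE_APP_PERMISSION)
            for sp in service_principals
            if WIPE_APP_PERMISSION in sp.get("grantedAppRoles", [])]


def audit(directory_roles: dict, service_principals: list[dict],
          max_users: int = MAX_STANDING_WIPE_USERS):
    """Return (users, apps, issues): who can wipe, and which findings breach policy."""
    users = wipe_capable_users(directory_roles)
    apps = wipe_capable_apps(service_principals)
    issues = []
    distinct_users = {f.principal for f in users if f.kind == "user"}
    if len(distinct_users) > max_users:
        issues.append(f"{len(distinct_users)} standing user assignments can wipe the fleet "
                      f"(limit {max_users}); convert to PIM-eligible")
    for f in apps:
        issues.append(f"app '{f.principal}' holds {f.via}; confirm it needs wipe or remove the grant")
    return users, apps, issues


if __name__ == "__main__":
    users, apps, issues = audit(SAMPLE_DIRECTORY_ROLES, SAMPLE_SERVICE_PRINCIPALS)
    for f in users + apps:
        print(f"{f.kind:17} {f.principal:28} via {f.via}")
    for issue in issues:
        print("ISSUE:", issue)
```

On the sample data the script reports three users with standing wipe capability (breaching the assumed limit of two) and one application holding the privileged-operations permission. In a real tenant, PIM-eligible assignments do not appear as active members of the role, so the user count reflects standing access only, which is exactly what should be driven toward zero.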
Incident Response Implications
A mass device wipe event of this scale creates several immediate incident response challenges:
Recovery Complexity
- Tens of thousands of devices require reimaging, re-enrollment in MDM, and data restoration from backup
- Employees lose access to local data and applications simultaneously
- Coordinating recovery across tens of thousands of devices is a multi-week effort even with mature IT infrastructure
Forensics Limitations
- A remote wipe resets the endpoint, destroying local forensic evidence (event logs, browser and authentication artifacts, and any attacker tooling that may have been present)
- Incident responders must rely on cloud-side telemetry — Entra ID sign-in and audit logs, Intune audit events, the Microsoft 365 unified audit log — to reconstruct the attack timeline
- Tenant administrators cannot delete those cloud logs, but default retention is short (Entra sign-in logs are kept for 30 days with a P1/P2 license); if the logs were never streamed to a SIEM or a storage account, reconstruction becomes significantly harder
Business Continuity
Medical technology companies operate with strict regulatory requirements around device availability and data integrity. Stryker's corporate operations — sales, procurement, logistics, R&D coordination — depend on the same Microsoft environment that was targeted. The operational disruption extends beyond lost device data to interrupted business processes.
Defensive Recommendations
For Organizations Using Microsoft Intune or Similar MDM
- Enforce Privileged Identity Management (PIM) — Intune and Global Admin roles should require just-in-time activation with approval workflows, not standing access
- Scope wipe permission narrowly — Not every IT admin needs remote wipe; use custom Intune roles and scope tags so that few accounts hold the Wipe action and none of them can reach the entire fleet, and keep Global Administrator out of daily use
- Implement Conditional Access policies — Block tenant admin sign-ins from unmanaged devices, unfamiliar locations, and non-compliant networks
- Deploy phishing-resistant MFA — Hardware security keys (FIDO2) or certificate-based authentication for all privileged accounts; TOTP-based MFA is vulnerable to AiTM attacks
- Monitor MDM audit logs for anomalous commands — A single account issuing wipe commands to hundreds of devices in minutes should trigger an immediate alert
- Enable Microsoft Sentinel or equivalent SIEM — Correlate Entra ID sign-in anomalies with Intune activity to detect compromised privileged sessions before wipe commands execute
- Keep endpoint data off the endpoint — Cloud-synced data (OneDrive Known Folder Move, SharePoint) survives a device wipe; local-only data does not, so a wipe event becomes a data-recovery event for everything that was never synced
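The burst detection and sign-in correlation described in the two monitoring items above, as an added example rather than anything from the page or from Microsoft: a sliding-window detector over Intune audit events, joined to Entra sign-in records for the same actor. Record shapes follow Graph's `deviceManagement/auditEvents` and `auditLogs/signIns`, but every record here is constructed; the exact `activityType` string Intune emits for a wipe is an assumption, so the code matches on the substring `wipe` case-insensitively. The window, device threshold and lookback are assumptions to tune per environment.

```python
"""Flag an actor wiping many devices in a short window and correlate with risky sign-ins.

Added example; not from the page or from Microsoft. All records are constructed.
Shapes follow Graph's deviceManagement/auditEvents and auditLogs/signIns; the
wipe activityType string is an assumption, so matching is on the substring "wipe".
"""
from __future__ import annotations
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)     # assumed sliding window
DEVICE_THRESHOLD = 25              # assumed: distinct devices wiped by one actor inside WINDOW
LOOKBACK = timedelta(hours=24)     # assumed: how far back to look for a risky sign-in


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _wipe_event(actor: str, when: datetime, device_id: str) -> dict:
    """Build one constructed Intune audit event for a wipe."""
    return {
        "activityType": "wipeManagedDevice ManagedDevice",   # assumed string
        "activityDateTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "actor": {"userPrincipalName": actor, "auditActorType": "ItPro"},
        "resources": [{"type": "ManagedDevice", "resourceId": device_id}],
    }


T0 = datetime(2026, 3, 12, 9, 0, tzinfo=timezone.utc)
# Constructed: a help-desk admin doing three routine wipes hours apart, and one
# account wiping 40 devices in under four minutes.
SAMPLE_AUDIT_EVENTS = (
    [_wipe_event("helpdesk1@example.com", T0 + timedelta(hours=h), f"dev-hd-{h}") for h in (1, 5, 9)]
    + [_wipe_event("mdm-ops@example.com", T0 + timedelta(hours=3, seconds=6 * i), f"dev-{i:05d}")
       for i in range(40)]
)
# Constructed sign-ins: one high-risk sign-in two hours before the burst, one too old to count.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "mdm-ops@example.com", "createdDateTime": "2026-03-12T10:12:00Z",
     "riskLevelDuringSignIn": "high", "ipAddress": "203.0.113.45"},
    {"userPrincipalName": "mdm-ops@example.com", "createdDateTime": "2026-03-10T08:05:00Z",
     "riskLevelDuringSignIn": "high", "ipAddress": "203.0.113.45"},
    {"userPrincipalName": "helpdesk1@example.com", "createdDateTime": "2026-03-12T08:30:00Z",
     "riskLevelDuringSignIn": "none", "ipAddress": "198.51.100.7"},
]


def is_wipe(event: dict) -> bool:
    return "wipe" in event.get("activityType", "").lower()


def actor_name(event: dict) -> str:
    a = event.get("actor", {})
    return a.get("userPrincipalName") or a.get("applicationDisplayName") or "unknown"


def detect_wipe_bursts(events, window=WINDOW, threshold=DEVICE_THRESHOLD) -> list[dict]:
    """Sliding window per actor over distinct wiped device IDs; one alert per actor."""
    per_actor = defaultdict(lambda: (deque(), Counter()))   # (timestamped queue, live device counts)
    alerts: dict[str, dict] = {}
    for ev in sorted(filter(is_wipe, events), key=lambda e: e["activityDateTime"]):
        actor, t = actor_name(ev), _ts(ev["activityDateTime"])
        queue, live = per_actor[actor]
        for r in ev.get("resources", []):
            if r.get("type") == "ManagedDevice":
                queue.append((t, r["resourceId"]))
                live[r["resourceId"]] += 1
        while queue and t - queue[0][0] > window:         # evict events outside the window
            _, old = queue.popleft()
            live[old] -= 1
            if live[old] == 0:
                del live[old]
        if len(live) >= threshold:
            rec = alerts.setdefault(actor, {"actor": actor, "first_seen": queue[0][0],
                                            "triggered_at": t, "devices": 0})
            rec["devices"] = max(rec["devices"], len(live))
    return list(alerts.values())


def correlate_with_signins(alerts, signins, lookback=LOOKBACK) -> list[dict]:
    """Attach medium/high-risk sign-ins by the same actor within lookback before the burst."""
    enriched = []
    for a in alerts:
        risky = [(s["createdDateTime"], s["ipAddress"]) for s in signins
                 if s["userPrincipalName"].lower() == a["actor"].lower()
                 and s.get("riskLevelDuringSignIn", "none") in {"medium", "high"}
                 and timedelta(0) <= a["first_seen"] - _ts(s["createdDateTime"]) <= lookback]
        enriched.append({**a, "risky_signins": risky})
    return enriched


if __name__ == "__main__":
    for alert in correlate_with_signins(detect_wipe_bursts(SAMPLE_AUDIT_EVENTS), SAMPLE_SIGNINS):
        print(f"ALERT {alert['actor']}: {alert['devices']} devices wiped from "
              f"{alert['first_seen']:%H:%M:%S}Z, risky sign-ins: {alert['risky_signins']}")
```

The detector fires on the 25th distinct device inside the window and then keeps updating the device count, so the alert carries the full blast radius rather than the threshold. The same logic maps directly onto a SIEM rule: group wipe events by actor, count distinct device IDs over a time bin, and join the actor to sign-in risk. Note that a wipe issued by an application rather than a user shows up under the app's display name, which is why the actor lookup falls back to `applicationDisplayName`.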
Identity Hardening Priorities
| Control | Purpose |
|---|---|
| Phishing-resistant MFA (FIDO2) | Origin-bound, so AiTM proxy phishing cannot capture a usable session |
| Privileged Identity Management (PIM) | Eliminates standing admin access |
| Conditional Access with device compliance | Blocks access from unmanaged endpoints |
| Entra ID Protection | Detects risky sign-ins automatically |
| Audit log retention (12+ months) | Enables post-incident forensics |
| Break-glass account monitoring | Alerts on emergency admin account use |
The Broader Trend
The Stryker incident is not isolated. A growing category of cyberattacks exploits legitimate cloud management infrastructure rather than deploying traditional malware:
- MDM abuse for device wipes and configuration manipulation
- Azure AD / Entra ID tenant takeovers for persistent access and privilege escalation
- Microsoft 365 account hijacking for business email compromise at scale
- Azure Resource Manager API abuse for cloud infrastructure deletion
These attacks share a common characteristic: they are largely invisible to endpoint security tools because they use legitimate, signed, intentionally-functional Microsoft APIs. Defense requires a shift from endpoint-centric detection toward identity-plane monitoring and cloud control-plane visibility.
Key Takeaways
- No malware required — Stryker's devices were wiped through Stryker's own Microsoft MDM infrastructure, so endpoint security controls saw only a legitimate management command
- Privileged identity compromise is the new perimeter breach — Gaining Global Admin or Intune Admin access is functionally equivalent to owning the entire device fleet
- Tens of thousands of devices wiped simultaneously — This blast radius comes from cloud management tooling; host-by-host lateral movement would take far longer and leave far more signal
- Recovery is a multi-week operation — Even with good backups and MDM re-enrollment processes, reimaging tens of thousands of endpoints takes significant time and resources
- Identity-plane monitoring is non-negotiable — Organizations without real-time alerting on anomalous Intune commands and admin sign-in anomalies will not detect this category of attack before it executes