Living Off the Land: The M365 Attack Vector You're Not Protecting Against
THREAT INTELLIGENCE | MARCH 11, 2026
An Iran-backed threat actor didn't need to deploy malware. They used Microsoft Intune — the same cloud management tool your IT team relies on every day.
This morning, a medical technology giant with 56,000 employees across 61 countries sent thousands of workers home. Stryker, one of the world's largest makers of surgical equipment and implants, became the latest victim of a devastating cyberattack — one with a twist that every organization running Microsoft 365 needs to understand immediately.
The attackers didn't need zero-day exploits or sophisticated malware. They walked in through the front door — using Microsoft's own Intune platform to remotely wipe more than 200,000 devices, servers, and mobile phones in a single command.
What Happened
Reporting from KrebsOnSecurity broke the story this morning. An Iran-backed hacktivist group known as Handala — linked by Palo Alto Networks to Iran's Ministry of Intelligence and Security (MOIS) — claimed responsibility for the attack in a Telegram manifesto. The group stated it had forced Stryker's offices in 79 countries to shut down.
According to a source familiar with the attack, the destruction was carried out not through traditional ransomware or a custom wiper payload — but through Microsoft Intune, the legitimate cloud-based device management platform built into every Microsoft 365 environment. The attackers gained administrative access to Intune and issued remote wipe commands at scale.
Reports from Ireland, where Stryker operates its largest hub outside the U.S., described employees being told to uninstall Intune from their personal devices immediately. Anything connected to the network — including personal phones with work email configured — was wiped.
Why This Attack Is Different
Most organizations have invested heavily in endpoint detection and response (EDR), email filtering, and firewall rules designed to stop malicious code from executing. Those controls did nothing here.
This is what the security community calls a "living off the land" attack — where adversaries use trusted, legitimate tools already present in the environment to carry out their objective. When an attacker gains control of your M365 Global Admin or Intune Admin account, they don't need malware. They have the keys to every device your organization manages.
The implications are stark: your entire device fleet — laptops, phones, tablets, servers — can be erased by someone with the right credentials and a web browser.
Who Is at Risk
If your organization uses Microsoft 365 with Intune for device management — and the vast majority of businesses do — you are operating with a capability that, if compromised, could be turned against you in the same way it was used against Stryker.
Organizations that should treat this as a wake-up call include:
- Local governments and municipalities managing employee devices through M365
- Financial services firms regulated by the SEC, FINRA, or state authorities with strict data integrity requirements
- Critical infrastructure operators — utilities, water, energy — using cloud-based device management
- Healthcare organizations of any size with Intune-managed endpoints
- Any company that has enrolled personal (BYOD) devices into Intune
What You Should Do Right Now
The following steps should be taken today, not added to a future project backlog.
1. Audit Your Admin Accounts
Pull a report of every account assigned a Global Admin or Intune Admin role in your Microsoft Entra ID (formerly Azure Active Directory) tenant. Remove any account that does not absolutely require that level of access. The principle of least privilege is not optional — it is your first line of defense.
2. Enforce Phishing-Resistant Multi-Factor Authentication (MFA) on All Admin Accounts
Basic MFA — the kind that sends a text message or push notification — is no longer sufficient for administrative accounts. Phishing-resistant MFA using hardware security keys (FIDO2) or Microsoft's passkey support is the standard you should be targeting. A compromised password alone should never be enough to access your Intune console.
3. Implement Conditional Access Policies
Microsoft Entra ID's Conditional Access allows you to require that admin logins come only from compliant, managed devices — never from an unknown browser or foreign IP address. If your admin accounts can be authenticated from anywhere in the world with just a username, password, and a push notification approval, you are exposed.
4. Configure Privileged Identity Management (PIM)
Microsoft Entra ID Privileged Identity Management allows admin roles to be "just in time" — meaning elevated permissions are granted only when needed, for a defined window of time, and with an approval step. An admin account sitting at Global Admin 24/7 is a permanently loaded weapon. PIM takes it off the hair trigger.
5. Restrict Who Can Issue Remote Wipe Commands
Within Intune, review and restrict the roles that have permission to issue full device wipes. Consider requiring a secondary approval workflow for any bulk device action. The ability to erase 200,000 devices should require more than a single authenticated session.
6. Review Your Audit Logs Now
Pull your M365 unified audit logs and look for anomalous activity in the past 30 to 90 days: new role assignments, sign-ins from unusual locations or anonymous IP addresses, and any remote wipe or device retire commands. If you don't have a security team reviewing these logs regularly, that gap needs to close.
7. Test Your Recovery Posture
If every managed device in your organization were wiped tomorrow morning, how long would recovery take? Do you have offline backups of critical data? Do you have documented device rebuild procedures? Stryker sent thousands of employees home today. Your business continuity plan should have an answer for this scenario.
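As an added example (not code from the original article or from SecureCyber), here is the log review from step 6 and the role audit from step 1 reduced to a script that runs over constructed unified audit log records: it flags grants of the Global Admin or Intune Admin roles and any account issuing wipe or retire commands in bulk. The record shapes and Operation strings are assumptions modelled on Entra ID and Intune audit output, and the accounts, device names and threshold are made up.

```python
import json
from collections import Counter

# Constructed sample records shaped like M365 unified audit log AuditData JSON; the
# Operation strings are assumptions modelled on Entra ID/Intune output, so verify them.
SAMPLE_LOG = [
    '{"CreationTime":"2026-03-10T02:14:09","Operation":"Add member to role.",'
    '"UserId":"ops-admin@contoso.example","ObjectId":"svc-backup@contoso.example",'
    '"ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"\\"Intune Administrator\\""}]}',
    '{"CreationTime":"2026-03-10T02:20:41","Operation":"wipe ManagedDevice",'
    '"UserId":"svc-backup@contoso.example","ObjectId":"LAPTOP-0001"}',
    '{"CreationTime":"2026-03-10T02:20:42","Operation":"wipe ManagedDevice",'
    '"UserId":"svc-backup@contoso.example","ObjectId":"LAPTOP-0002"}',
    '{"CreationTime":"2026-03-10T02:20:43","Operation":"retire ManagedDevice",'
    '"UserId":"svc-backup@contoso.example","ObjectId":"PHONE-0418"}',
    '{"CreationTime":"2026-03-09T15:02:10","Operation":"wipe ManagedDevice",'
    '"UserId":"helpdesk@contoso.example","ObjectId":"PHONE-0077"}',
]

PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator"}
WIPE_OPERATIONS = {"wipe ManagedDevice", "retire ManagedDevice"}
BULK_THRESHOLD = 3  # assumed: this many wipes/retires by one actor counts as bulk

def parse(lines):
    return [json.loads(line) for line in lines]  # one AuditData document per line

def privileged_role_grants(records):
    """Return (time, actor, target, roles) for each grant of a privileged role."""
    hits = []
    for r in records:
        if r.get("Operation") != "Add member to role.":
            continue
        # Entra stores the role name as a JSON-encoded string inside NewValue.
        roles = {p["NewValue"].strip('"') for p in r.get("ModifiedProperties", [])
                 if p.get("Name") == "Role.DisplayName"}
        if roles & PRIVILEGED_ROLES:
            hits.append((r["CreationTime"], r["UserId"], r["ObjectId"], sorted(roles)))
    return hits

def wipe_counts(records):
    return Counter(r["UserId"] for r in records if r.get("Operation") in WIPE_OPERATIONS)

def triage(lines):
    """Findings a reviewer of the last 30 to 90 days should look at first."""
    records = parse(lines)
    findings = [f"{t}: {actor} granted {', '.join(roles)} to {target}"
                for t, actor, target, roles in privileged_role_grants(records)]
    findings += [f"bulk device wipe/retire: {actor} issued {n} commands"
                 for actor, n in wipe_counts(records).items() if n >= BULK_THRESHOLD]
    return findings
```

The single helpdesk wipe stays below the threshold and is not reported, while the role grant that preceded the bulk wipes is surfaced on its own so the chain from step 1 to step 6 is visible in one pass.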
The Bigger Picture: Nation-State Actors Are Targeting Everyone
Handala is not a random criminal group hunting for easy ransomware paydays. Palo Alto Networks has linked the group to Iran's Ministry of Intelligence and Security, and has documented a pattern of attacks focused on supply chain footholds — compromising IT providers to reach downstream customers. The group's recent activity has included attacks on fuel systems in Jordan and an Israeli energy company.
The current geopolitical environment — including escalating tensions in the Middle East and active military operations — means that nation-state affiliated cyber actors are highly motivated and operating at pace. Organizations in critical infrastructure, financial services, and government are high-value targets regardless of whether they have any direct connection to the conflict.
The attack on Stryker should be read as a signal, not an isolated event.
How SecureCyber Can Help
SecureCyber's team is conducting emergency M365 admin account reviews for clients in response to this incident. If you want a rapid assessment of your Intune configuration, admin role assignments, and Conditional Access posture, contact us today.
www.secdef.com | 937-388-4405 | sales@secdef.com