CISA warned U.S. organizations to follow Microsoft guidance to strengthen the Intune endpoint management tool after a cyberattack exploited it to wipe medical technology giant Stryker’s systems.
Microsoft published guidance on hardening Intune administrative controls days after Stryker was breached in an incident claimed by Handala, an Iranian-linked and pro-Palestinian hacktivist group.
The hackers claim that they stole 50 terabytes of data before using the built-in wipe command in Microsoft’s Intune cloud-based endpoint management tool to wipe nearly 80,000 devices in the early morning of March 11.
As BleepingComputer was told by a source familiar with the incident, they carried out the attack using a new Global Administrator account created after compromising an administrator account.
Now, CISA urged all U.S. organizations to harden their Intune environments to make them more resilient against similar attacks that could target their own networks.
“CISA is aware of malicious cyber activity targeting endpoint management systems of U.S. organizations based on the March 11, 2026 cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment,” the U.S. cybersecurity agency said on Wednesday.
“To defend against similar malicious cyber activity, CISA urges organizations to harden endpoint management system configurations using the recommendations and resources provided in this alert.”
CISA’s list of recommendations applies to Microsoft Intune and other endpoint management software, and it requires IT administrators to use a least-privilege approach for admin roles, assigning only the necessary permissions through Microsoft Intune’s role-based access control (RBAC).
Admins should also enforce MFA and privileged-access hygiene to block unauthorized access to privileged actions in Intune (via Microsoft Entra ID features such as Conditional Access, risk signals, and MFA) and require multi-admin approval for changes to sensitive actions, such as device wipes, application updates, and RBAC modifications.
“When combined, these practices help you shift from relying on ‘trusted administrators’ toward building a more protected administration by design: least-privilege to contain impact, Microsoft Entra-based controls to ensure users are trusted and are who they say they are, and multi-admin approval to govern the changes that matter most,” Microsoft says.
Handala (also known as Handala Hack Team, Hatef, Hamsa), the group that claimed responsibility for the Stryker cyberattack, emerged in December 2023 as a hacktivist operation targeting Israeli organizations with Windows and Linux data-wiping malware.
They have been linked to Iran’s Ministry of Intelligence and Security (MOIS) and are known for stealing and leaking sensitive data from compromised systems.
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.
