Summary
This blog examines the March 2026 cyber-attack on Stryker, where attackers misused Microsoft Intune administrative controls to wipe thousands of devices. It highlights the gap between Microsoft’s security capabilities and real-world protection caused by misconfiguration, weak identity governance, and lack of monitoring. The article outlines key recommendations from Microsoft and CISA, including MFA, least privilege, and 24/7 monitoring, and stresses the need for a layered, assumed breach approach. It concludes by showing how organisations can strengthen resilience through better controls, continuous monitoring, and external validation.
The Stryker Cyber-Attack
In March 2026, Stryker Corporation, a global medical technology firm, suffered a major cyber-attack claimed by the Iran-linked hacktivist group Handala. The attackers exploited weaknesses in Microsoft Intune, using legitimate administrative controls to wipe devices.
Around 80,000 corporate devices were wiped in a matter of hours, disrupting email, internal systems, and productivity tools. At Stryker’s Cork, Ireland facility, over 5,000 employees were sent home due to outages. Operational systems for order processing, manufacturing, and shipping were taken offline, forcing manual workarounds.
This was not a failure of Microsoft technology itself. Attackers misused legitimate admin capabilities because of gaps in configuration, identity governance, and high-risk action controls, exactly the areas that Microsoft and CISA emphasise.
The Gap Between Microsoft Security and Real-World Protection
Microsoft Security, M365 Security, and Intune Security are among the most advanced platforms available. But they are not secure by default.
The SharePoint vulnerability being actively exploited shows how quickly attackers move when a weakness is exposed. Stryker highlights endpoint and device management gaps. These incidents are not anomalies.
Environments are deployed fast. Controls are partially configured. Permissions expand over time. Monitoring is inconsistent. The result? A gap between what organisations think they have deployed and what actually protects them.
CommSec CTO Barry Rooney comments on the recent attack and the state of cybersecurity: “If you were securing your car, you would not rely on a single lock. You would layer protections: a steering lock, an immobiliser, an alarm, maybe even tracking. Each layer makes it harder for a thief. Cyber security works the same way.”
Yet many organisations rely on a single layer of protection in their Microsoft environment, assuming the platform is secure out of the box. Recent events show how risky that assumption is.
Why This Problem Is Growing
Microsoft 365 now spans identity, collaboration, email, endpoint management, and cloud apps. Add Copilot and AI workflows, and the attack surface grows further.
Internal IT teams are under pressure to support business operations, deliver projects, maintain security, and meet NIS2 or other regulatory requirements.
This raises critical questions:
- Who reviews privileged access regularly?
- Who ensures security policies are enforced?
- Who monitors alerts outside working hours?
- Who responds to incidents in real time?
Without clear answers, gaps persist.
What Microsoft and CISA Are Warning About
Guidance from Microsoft and CISA is consistent: fundamentals matter most.
Key Microsoft and CISA Security Recommendations
| Control Area | Recommendation | Why It Matters |
|---|---|---|
| Multi-Factor Authentication (MFA) | Enforce MFA across all users, especially admins. Eliminate exceptions. | Stops most credential-based attacks. |
| Least Privilege & PIM | Limit access and use just-in-time admin privileges with approval workflows. | Reduces risk and limits damage if an account is compromised. |
| Administrative Controls | Require dual approval for high-risk actions like device wipes or bulk changes. | Prevents large-scale incidents caused by misuse or compromise. |
| Endpoint Security (Intune) | Enforce compliance policies, apply security baselines, and monitor devices. | Secures endpoints, a common entry point for attackers. |
| Vulnerability & Patch Management | Continuously scan and rapidly patch critical systems. | Closes gaps before attackers can exploit them. |
| 24/7 Monitoring & Response | Implement continuous monitoring with SOC or MDR capabilities. | Ensures threats are detected and contained in real time. |
The Shift to an Assumed Breach Mindset
Prevention alone is no longer enough. Organisations must assume they are being targeted at all times.
Detection, visibility, and response speed are now critical. Alerts without action, logs without analysis, or delays in response only give attackers more time to escalate and move laterally.
Building Layered Security in Microsoft 365 and Intune
Returning to the car analogy: each layer adds friction for attackers.
- Start with identity: enforce MFA, protect privileged accounts.
- Apply least privilege: control and review access through PIM.
- Strengthen admin controls: dual approval for high-risk actions.
- Secure endpoints: Intune compliance, security baselines, and monitoring.
- Maintain backups: test and validate recovery processes.
- Patch vulnerabilities: prioritise internet-exposed systems and critical flaws.
- Monitor continuously: SOC or MDR to detect and respond in real time.
Layering controls reduces risk and strengthens resilience.
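The "dual approval for high-risk actions" and "monitor continuously" layers above, and the matching rows of the recommendations table, can be turned into a concrete detection: flag any device wipe that carries no approval reference, and flag any single identity that issues a burst of wipes in a short window. The block below is an added example, not CommSec's, Microsoft's or Stryker's code; the event shape (`ts`, `actor`, `action`, `device`, `approval`) is an assumed simplification, not the real Intune audit schema, and the sample log is constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed simplified event shape (not the real Intune audit schema).
WIPE_ACTIONS = {"wipe", "retire"}   # high-risk device actions (assumed names)
BURST_THRESHOLD = 5                 # wipes by one identity inside the window
BURST_WINDOW = timedelta(minutes=10)

# Constructed sample log: adm-a fires five wipes in four minutes, one of them
# with no approval reference; adm-b performs one approved wipe and a sync.
SAMPLE_EVENTS = [
    {"ts": "2026-03-12T02:58:00", "actor": "adm-a", "action": "wipe", "device": "D001", "approval": "CHG-1"},
    {"ts": "2026-03-12T02:59:00", "actor": "adm-a", "action": "wipe", "device": "D002", "approval": "CHG-1"},
    {"ts": "2026-03-12T03:00:00", "actor": "adm-a", "action": "wipe", "device": "D003", "approval": None},
    {"ts": "2026-03-12T03:00:30", "actor": "adm-b", "action": "sync", "device": "D100", "approval": None},
    {"ts": "2026-03-12T03:01:00", "actor": "adm-a", "action": "wipe", "device": "D004", "approval": "CHG-1"},
    {"ts": "2026-03-12T03:02:00", "actor": "adm-a", "action": "retire", "device": "D005", "approval": "CHG-1"},
    {"ts": "2026-03-12T03:05:00", "actor": "adm-b", "action": "wipe", "device": "D101", "approval": "CHG-2"},
]

def detect(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return (rule, actor, detail) findings for unapproved and bulk wipes."""
    findings = []
    recent = {}            # actor -> deque of wipe timestamps inside the window
    burst_reported = set()
    ordered = sorted(events, key=lambda e: e["ts"])   # ISO-8601 sorts lexically
    for e in ordered:
        if e["action"] not in WIPE_ACTIONS:
            continue
        ts = datetime.fromisoformat(e["ts"])
        # Rule 1: high-risk action without an approval reference (dual-approval gap)
        if not e.get("approval"):
            findings.append(("unapproved_wipe", e["actor"], e["device"]))
        # Rule 2: burst of wipes by a single identity (bulk-change misuse)
        q = recent.setdefault(e["actor"], deque())
        q.append(ts)
        while ts - q[0] > window:        # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and e["actor"] not in burst_reported:
            burst_reported.add(e["actor"])
            findings.append(("bulk_wipe", e["actor"], f"{len(q)} wipes within {window}"))
    return findings

if __name__ == "__main__":
    for rule, actor, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:16} actor={actor} {detail}")
```

In a live environment the threshold and window belong in the SOC's tuning, and a bulk_wipe finding should page an on-call responder rather than sit in a queue until morning.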
Why Third-Party Validation Matters
Even mature organisations struggle to sustain these controls internally. External validation identifies gaps, ensures alignment with best practices, and brings focus to neglected areas.
Real-time monitoring is critical. If an incident occurs at 3 a.m., attackers can act fast without a response. Security is no longer just about tools — it is about operational capability.
How CommSec Supports IT Leaders in this Area
CommSec helps organisations bridge the gap between Microsoft capabilities and real-world protection:
- Security assessments: Identify misconfigurations in Microsoft 365 and Intune.
- SOC and MDR services: 24/7 monitoring and rapid threat response, integrated with CrowdStrike and Sophos.
- Security awareness training: Reduce human risk through phishing and social engineering education.
- Vulnerability management: Scan, prioritise, and patch threats before exploitation.
Together, these services implement a layered, real-world security strategy aligned with Microsoft and CISA guidance.
Configuration, Control, and Continuous Action
The Stryker incident and SharePoint vulnerabilities highlight a clear truth: security tools alone are not enough.
Configuration, monitoring, and response define your protection. For organisations under NIS2 and similar frameworks, deploying security is only the first step. Demonstrating control, resilience, and operational readiness is what prevents disruption.
Attackers are already exploiting gaps. The question is not whether your organisation will be targeted, but how prepared you are when it happens.
Next Steps
If you lack full visibility into your Microsoft 365 or Intune environment, now is the time to act.
CommSec delivers detailed Microsoft Security Assessments, identifies gaps, and strengthens your defences. Combined with real-time SOC and MDR services, we ensure threats are detected and stopped before they cause damage.
Get in touch today to take a proactive approach to Microsoft Security and protect your organisation with confidence.
