Hackers Wiped 200K Devices via Intune — Protect Your Environment Now
Iran-linked Handala used Microsoft Intune to wipe 200,000+ devices at Stryker. Here is how to protect your organization.
Microsoft Intune — the tool that is supposed to protect your devices — was used to wipe over 200,000 of them. On March 11, the Iran-linked group Handala attacked medical technology giant Stryker and executed a remote wipe via Intune across 79 countries.
Handala, attributed to Iran's MOIS intelligence service, gained access through a compromised admin account. From there, it was a single command to mass destruction. CISA responded on March 19 with specific guidance on securing Intune environments.
What happened technically
The attackers exploited a gap in the Privileged Identity Management (PIM) configuration: the Authentication Context gap. Because PIM did not require an Authentication Context for the privileged Intune role, the compromised admin account could issue bulk wipe commands with no additional verification, and no approval workflow stood in the way.
ThreatHunter.ai has released Detection Pack v2 with five concrete defensive measures:
- KQL queries for Microsoft Sentinel detecting MuddyWater pre-positioning
- PIM Authentication Context gap detection
- Three-layer bulk wipe prevention
- Stale session alerting
- Rclone exfiltration detection
What to do now
- Review PIM configuration for all Intune admin roles. Require Authentication Context for sensitive operations.
- Enable approval workflows for bulk actions (wipe/retire). One admin should not be able to wipe thousands of devices without approval.
- Clean up stale admin sessions. Set session lifetime and require re-authentication.
- Deploy the KQL queries from Detection Pack v2 in your Sentinel or Defender XDR environment.
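The bulk-action alerting recommended above, as an added example that is not from the original post or from ThreatHunter.ai's Detection Pack: a sliding-window detector that flags any admin issuing several wipe/retire operations within a short period, run over constructed Intune-style audit events (the JSON field names are assumptions; map them to your own export, such as the IntuneAuditLogs table in Sentinel).

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Operations that destroy data on the device. Names are assumptions;
# adjust them to the operation names in your audit export.
DESTRUCTIVE_OPS = {"wipe", "retire"}

def _event(ts, actor, op, device):
    # Constructed audit record in a simplified, assumed schema.
    return json.dumps({"time": ts.isoformat(), "actor": actor,
                       "operation": op, "device": device})

T0 = datetime(2026, 3, 11, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # Admin A issues six wipes within four minutes: a bulk-wipe burst.
    [_event(T0 + timedelta(seconds=40 * i), "adm-a@example.com", "wipe",
            f"dev-{i:03}") for i in range(6)]
    # Admin A also syncs a device: benign and must not be counted.
    + [_event(T0 + timedelta(minutes=2), "adm-a@example.com", "sync", "dev-900")]
    # Admin B retires two devices hours apart: stays below the threshold.
    + [_event(T0 + timedelta(hours=h), "adm-b@example.com", "retire",
              f"dev-{h:03}") for h in (1, 5)]
)

def detect_bulk_wipes(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: peak_count} for every actor who issued at least
    `threshold` destructive operations inside any window of length `window`."""
    events = [json.loads(line) for line in lines]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["time"])
    recent = defaultdict(deque)  # actor -> timestamps of recent destructive ops
    alerts = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["operation"].lower() not in DESTRUCTIVE_OPS:
            continue
        q = recent[e["actor"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:   # drop ops that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[e["actor"]] = max(alerts.get(e["actor"], 0), len(q))
    return alerts

if __name__ == "__main__":
    for actor, n in detect_bulk_wipes(SAMPLE_LOG).items():
        print(f"ALERT: {actor} issued {n} wipe/retire operations within 10 min")
```

In production, feed the same logic real audit events and tune `threshold` and `window` to your normal device-retirement volume so that a single admin's burst of wipes raises an alert before it reaches thousands of devices.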
With Stryker as a reference point, convincing leadership that Intune security matters is not the hard part. The question is: have you done it yet?
At HaggeBurger, we offer an Intune Security Assessment covering PIM, bulk actions, session management, and detection rules. Contact us for a review.