An Iran-linked group used Stryker's own Intune console to wipe tens of thousands of devices across 79 countries. No malware. No exploit. One compromised credential.

Smallstep's resource offers insights, tutorials, and resources for developers and security professionals interested in authentication and authorization technologies, such as OAuth, OpenID Connect, and Zero Trust security. Readers can learn about secure authentication practices, identity management, and secure communication protocols. With articles, tutorials, and documentation, Smallstep provides  guidance and expertise for implementing robust and secure authentication solutions.

Smallstep

On March 11, 2026, an Iran-linked group used Stryker's own Microsoft Intune admin console to remotely wipe tens of thousands of devices across 79 countries using a single compromised credential — no malware, no exploit. The attack succeeded because Stryker's infrastructure could not distinguish a legitimate admin session from an attacker replaying valid credentials. Key failures included no MFA on the admin account, weak/unrotated passwords, no multi-admin approval in Intune, and no hardware-bound device verification. The post argues that hardware-bound device attestation (via TPM/Secure Enclave) is the missing layer beneath MFA and PAM — cryptographically proving a privileged session originates from a specific enrolled device, not just that someone holds valid credentials. Smallstep's ACME Device Attestation product is presented as a solution to this specific gap, deployable starting with admin console access.

Stryker Was Wiped Through Its Own Infrastructure

How Smallstep Eliminates This Attack Path

Why MFA and Conditional Access Did Not Stop This

Where This Exists in Your Environment Today

Why Customers Choose Smallstep for This Exact Problem