Written by Willie Zhang and Keegan Paisley
On March 11th, medical technology manufacturer Stryker disclosed a cybersecurity incident affecting its internal IT systems. The attack caused a global disruption to the company's Microsoft environment. Stryker activated its incident response process and brought in outside cybersecurity specialists.
An SEC filing from Stryker states that the incident "has caused, and will continue to cause disruptions and limitations of access to certain [Stryker's] information systems and business applications." A threat group calling itself Handala claimed responsibility. Public reports describe the group as Iran-linked, though Stryker hasn't confirmed that. The attackers say they exfiltrated 50 TB of data and wiped 200,000 managed devices.
Here's what makes this one unusual: Stryker reported no indication of ransomware or malware. This wasn't a smash-and-grab for money. Early analysis indicates that attackers gained access to enterprise identity or device management infrastructure within Stryker's Microsoft ecosystem. The working theory is that someone gained administrative access to management tooling, most likely Microsoft Intune, and used it to execute destructive actions across managed endpoints.
For those less familiar, Intune is basically a centralized remote control for every corporate device in your org. Configuration, software deployment, remote wipe: it all runs through Intune. Get admin access, and you can push commands to every managed machine at once. That appears to be exactly what happened here.
The fix for this isn't new or exotic. It's dual control.
Dual control means that two trusted people must sign off before a high-risk action goes through. Banks have done this forever. Two employees to open the vault. Two signers on a large wire transfer. The logic is simple: if one account gets compromised, the attacker still can't do anything destructive on their own. They'd need a second, independent approver — and that's a much harder problem.
Intune has this built in. Microsoft calls it Multi-Admin Approval (MAA), and it covers device actions such as wipe and delete, as well as the creation and management of access policies. Turn it on, and a single compromised admin can't nuke your fleet.
Had MAA been enabled during the Stryker incident, the attackers would have needed to compromise two privileged accounts and get the second one to approve the destructive commands. Not impossible, but a far cry from "one account, 200,000 wiped devices."
This isn't limited to Intune, either. Multi-Stage Approval workflows exist in Entra ID. Branch protections in GitHub. Pipeline approvals in Azure DevOps. Most of these also block self-approval, which closes the obvious loophole.
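As an added example (not ProCircular's code, and not Microsoft's MAA implementation), the snippet below models the dual-control rule described above, refusing self-approval, and pairs it with a detector that flags a single actor issuing a burst of destructive device actions in audit data. The event schema, field names, sample events and thresholds are constructed assumptions, not Intune's own audit format.

```python
"""Dual-control gate for destructive device actions plus a burst detector.
Schema, thresholds and sample data are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field

DESTRUCTIVE = {"wipe", "delete", "retire"}  # actions that require a second approver


@dataclass
class ActionRequest:
    action: str
    target: str
    requester: str
    approvals: set = field(default_factory=set)  # accounts that signed off


def can_execute(req: ActionRequest) -> bool:
    """Allow a destructive action only with at least one approver who is not the requester."""
    if req.action not in DESTRUCTIVE:
        return True
    independent = req.approvals - {req.requester}  # self-approval does not count
    return len(independent) >= 1


def mass_wipe_actors(events, threshold=10, window_s=300):
    """Return actors who issued >= threshold destructive actions within any window_s span.
    Each event is a dict with 'actor', 'action' and 'ts' (epoch seconds); constructed schema."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] in DESTRUCTIVE:
            by_actor[e["actor"]].append(e["ts"])
    flagged = set()
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(actor)
                break
    return flagged


# Constructed sample audit events: admin-a wipes 12 devices in two minutes,
# admin-c wipes 3 devices hours apart, admin-b does routine policy work.
SAMPLE_EVENTS = (
    [{"actor": "admin-a", "action": "wipe", "target": f"dev{i:04d}", "ts": 1000 + 10 * i} for i in range(12)]
    + [{"actor": "admin-c", "action": "wipe", "target": f"dev{i:04d}", "ts": 5000 + 7200 * i} for i in range(3)]
    + [{"actor": "admin-b", "action": "assign_policy", "target": "dev9999", "ts": 1005}]
)

if __name__ == "__main__":
    solo = ActionRequest("wipe", "dev0001", "admin-a", {"admin-a"})
    dual = ActionRequest("wipe", "dev0001", "admin-a", {"admin-b"})
    print(can_execute(solo), can_execute(dual), mass_wipe_actors(SAMPLE_EVENTS))
```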
Setting these controls up properly takes work. Knowing where to put them takes more: you have to map out which admin actions could cause the most damage and prioritize from there. And then you need to make sure they actually hold up under pressure, not just that someone checked a box in a portal six months ago.
That's where we come in. ProCircular helps organizations identify where a compromised admin account could cause real damage and then close those gaps, whether that means deploying MAA, tightening approval workflows, or pressure-testing controls you already have in place. If you're reading this and wondering what your exposure looks like, get in touch. Better to find out now than after the SEC filing.
