In March 2026, medical technology giant Stryker was hit by a cyberattack reportedly linked to Iranian threat actors. The incident disrupted its Microsoft environment and impacted manufacturing operations, highlighting how attackers are increasingly targeting endpoint management systems like Microsoft Intune to gain broad operational control. The attack involved misuse of legitimate administrative access, enabling high-impact actions at scale.
In response, CISA urged organizations to harden endpoint management systems by enforcing least privilege through role-based access control (RBAC), requiring phishing-resistant multi-factor authentication (MFA), applying conditional access policies, and implementing multi-admin approval for sensitive actions. The incident highlights how centralized control planes continue to be attractive targets, reinforcing the need to limit access and reduce the blast radius of compromise.
Platforms like Intune provide centralized control over devices and configurations, but when compromised, they give attackers that same power to disrupt operations at scale. In this case, once administrative credentials were compromised, the attacker was able to issue legitimate commands through the management plane, demonstrating how identity becomes the primary control point.
CISA’s guidance highlights identity as the primary battleground. Its recommendations emphasize tighter access controls, reduced trust in administrative pathways, and protections such as least privilege, phishing-resistant MFA, and safeguards for high-impact actions. Without these controls, a single compromised account can lead to widespread disruption. Reducing this risk requires strong credential hygiene, including eliminating shared credentials, removing default passwords, and using secure password injection, combined with just-in-time access to eliminate standing privileges and reduce exposure.
Adopting Zero Trust principles is critical to containing threats when compromise occurs. By continuously verifying identity and tightly controlling access, organizations can limit impact and prevent escalation. Xage extends this approach with identity-centric controls across users, devices, and workloads. Administrative access can be brokered through just-in-time workflows, with policy-driven approvals for sensitive actions, reducing reliance on persistent privileges.
In scenarios like the Stryker attack, where an attacker gains access to administrative credentials and issues legitimate commands through the management plane, systems like Intune will execute those instructions as designed. This makes it critical to introduce additional safeguards around high-impact actions. Xage enables policy-driven approval workflows, including two-person integrity controls, where sensitive operations such as device wipes or large-scale configuration changes require authorization from a second administrator. This ensures that even if an account is compromised or an insider acts maliciously, a single identity cannot trigger widespread disruption.
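The three controls the CISA guidance and the paragraph above call for (role-based least privilege, just-in-time grants instead of standing privilege, and a second administrator's approval for high-impact actions such as device wipes) compose naturally into a single policy gate in front of the management plane. The following is an added, constructed example written for this post; it is not Xage's, Microsoft's or CISA's code, and the role names, action names and device identifiers are hypothetical. It shows how the gate refuses a helpdesk role that was never granted wipe rights, executes low-impact actions immediately, holds high-impact actions until a different administrator with a live grant approves them, and drops privileges once a time-bound grant expires.

```python
"""Constructed example (not Xage's or Microsoft's code): a policy gate that
applies RBAC least privilege, just-in-time expiring grants and two-person
integrity to high-impact endpoint-management actions."""
import itertools
import time
from dataclasses import dataclass

# Hypothetical role catalogue. Least privilege: helpdesk never holds wipe rights.
ROLE_PERMISSIONS = {
    "helpdesk": {"read_device", "restart_device"},
    "device_admin": {"read_device", "restart_device", "wipe_device", "push_config"},
}

# Actions that must never execute on a single identity's authority alone.
HIGH_IMPACT = {"wipe_device", "push_config"}


@dataclass
class JitGrant:
    role: str
    expires_at: float


class ApprovalGate:
    def __init__(self, clock=time.time):
        self._clock = clock        # injectable clock so expiry can be exercised in tests
        self._grants = {}          # principal -> JitGrant; absence means no privilege at all
        self._pending = {}         # request_id -> (requester, action, target)
        self._ids = itertools.count(1)
        self.audit = []            # append-only record of (action, target, requester, approver)

    def grant_jit(self, principal, role, ttl_seconds):
        """Issue a time-bound grant; there is no way to hold a role permanently."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self._grants[principal] = JitGrant(role, self._clock() + ttl_seconds)

    def _active_role(self, principal):
        grant = self._grants.get(principal)
        if grant is None or grant.expires_at <= self._clock():
            self._grants.pop(principal, None)   # expired grants are discarded, not tolerated
            return None
        return grant.role

    def _authorize(self, principal, action):
        role = self._active_role(principal)
        if role is None:
            raise PermissionError(f"{principal}: no active just-in-time grant")
        if action not in ROLE_PERMISSIONS[role]:
            raise PermissionError(f"{principal}: role {role!r} may not {action}")

    def request(self, requester, action, target):
        """Low-impact actions run at once; high-impact ones wait for a second admin."""
        self._authorize(requester, action)
        if action not in HIGH_IMPACT:
            return self._execute(action, target, requester, approver=None)
        request_id = next(self._ids)
        self._pending[request_id] = (requester, action, target)
        return ("pending", request_id)

    def approve(self, approver, request_id):
        """Two-person integrity: the approver must be a different principal who
        independently holds a live grant permitting the same action."""
        requester, action, target = self._pending[request_id]
        if approver == requester:
            raise PermissionError("two-person integrity: requester cannot self-approve")
        self._authorize(approver, action)
        del self._pending[request_id]
        return self._execute(action, target, requester, approver)

    def _execute(self, action, target, requester, approver):
        # In a real deployment the management-plane API call would be made here;
        # this example only records the decision.
        self.audit.append((action, target, requester, approver))
        return ("executed", action, target)
```

The design choice worth noting is that the approver is authorized against the same action as the requester, not merely checked for membership in an "approvers" group: a compromised account cannot rubber-stamp an action its own role could never perform, and an expired grant on either side blocks the operation. The audit tuple records both identities, which is what an incident responder needs to reconstruct who requested and who released a destructive action.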
Xage also supports phishing-resistant authentication through FIDO and enforces identity-based segmentation to prevent lateral movement. This ensures that even if credentials are compromised, attackers are constrained in what they can access and execute. Instead of relying solely on native controls within endpoint management systems, organizations can introduce an independent layer of identity enforcement that limits both access and impact.
The implications extend beyond a single company. Healthcare and manufacturing ecosystems are deeply interconnected, so disruptions can ripple across supply chains and critical services. As geopolitical tensions rise, critical infrastructure is increasingly caught in the crosshairs, and attacks targeting systems with broad operational leverage are becoming more common. This is already evident in sectors like oil and gas, where cyber and physical threats are converging and amplifying each other’s impact, creating cascading disruptions across operations.
While CISA’s guidance focuses on Intune, the lesson applies to any centralized control plane. These systems are essential to operations, but they also concentrate risk. Securing them requires an identity-first approach that enforces least privilege, continuously verifies access, and limits the impact of compromise.
The Stryker cyberattack is a clear signal that attackers are targeting systems that offer maximum leverage. Defenders must respond by strengthening identity controls and designing for resilience. By aligning with CISA’s guidance and adopting Zero Trust principles, organizations can better protect critical systems and maintain operations even in the face of attack.
