
Intune
Microsoft cloud UEM platform; abused via stolen admin credential in the Stryker attack.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Timeline for Intune
Mentioned in: Exchange repeats the CISA deadline-before-patch trap
Cybersecurity: Threats and DefencesIvanti EPMM logs fourth KEV zero-day since 2023
Cybersecurity: Threats and DefencesWhat is Microsoft Intune used for?
How was Microsoft Intune used in the Stryker cyber attack?
How can organisations protect Intune admin accounts?
Background
Microsoft Intune is Microsoft's cloud-based Unified Endpoint Management (UEM) and Mobile Device Management (MDM) service, delivered as part of the Microsoft Endpoint Manager suite within Microsoft 365 (formerly Enterprise Mobility + Security, EMS). Intune enables IT administrators to enrol, configure, and manage Windows, iOS, Android, and macOS devices; deploy applications; enforce compliance policies; and remotely wipe or reset enrolled devices. Access is managed via Microsoft Entra ID (formerly Azure Active Directory), with multi-factor authentication and Conditional Access policies available to govern administrative access.
Intune's remote-wipe capability — the ability to issue a factory-reset command that executes on any enrolled device on next check-in — is a powerful legitimate tool for securing lost or stolen devices and for corporate offboarding. It is also the capability that makes a compromised Intune administrator account catastrophically dangerous: an attacker with valid admin credentials can trigger a mass wipe of all enrolled devices from any location, with no malware required.
In U#3, Intune is referenced in the context of the Handala wipe of up to 200,000 Stryker devices across 79 countries on 11 March 2026 cross-referenced in event 3126. A single stolen Intune administrator credential gave the attackers estate-wide wipe authority. The incident is the most cited example of credential-abuse-via-MDM at enterprise scale, driving demand for just-in-time access controls (such as CrowdStrike's SGNL acquisition) specifically scoped to MDM administrative roles.