
Intune
Microsoft cloud UEM platform; abused via stolen admin credential in the Stryker attack.
Last refreshed: 8 May 2026
Cybersecurity: Threats and Defences
- What is Microsoft Intune used for?
- Microsoft Intune is a cloud-based service for managing and securing employee devices — Windows, iOS, Android, macOS — including application deployment, compliance policy enforcement, and remote wipe. It is part of Microsoft 365 and integrates with Microsoft Entra ID for identity management.
- How was Microsoft Intune used in the Stryker cyber attack?
- Handala attackers obtained a single Stryker Microsoft Intune administrator credential and used it to issue mass-wipe commands to all enrolled devices, destroying up to 200,000 endpoints across 79 countries without deploying any malware.
- How can organisations protect Intune admin accounts?
- Organisations should enforce Conditional Access (device compliance, managed device requirement, IP restriction) for Intune admin roles, implement just-in-time access controls that revoke standing admin permissions after sessions end, and require phishing-resistant MFA for all administrative access.
Background
Microsoft Intune is Microsoft's cloud-based Unified Endpoint Management (UEM) and Mobile Device Management (MDM) service, delivered as part of the Microsoft Endpoint Manager suite within Microsoft 365 (formerly Enterprise Mobility + Security, EMS). Intune enables IT administrators to enrol, configure, and manage Windows, iOS, Android, and macOS devices; deploy applications; enforce compliance policies; and remotely wipe or reset enrolled devices. Access is managed via Microsoft Entra ID (formerly Azure Active Directory), with multi-factor authentication and Conditional Access policies available to govern administrative access.
Intune's remote-wipe capability — the ability to issue a factory-reset command that executes on any enrolled device on next check-in — is a powerful legitimate tool for securing lost or stolen devices and for corporate offboarding. It is also the capability that makes a compromised Intune administrator account catastrophically dangerous: an attacker with valid admin credentials can trigger a mass wipe of all enrolled devices from any location, with no malware required.
In U#3, Intune is referenced in the context of the Handala wipe of up to 200,000 Stryker devices across 79 countries on 11 March 2026 (ID:2542, cross-referenced in event 3126). A single stolen Intune administrator credential gave the attackers estate-wide wipe authority. The incident is the most cited example of credential-abuse-via-MDM at enterprise scale, driving demand for just-in-time access controls (such as CrowdStrike's SGNL acquisition) specifically scoped to MDM administrative roles.
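The incident above turned a routine MDM capability into an estate-wide wiper, so a detection that watches for one actor issuing wipe commands to many devices in a short window is the kind of control a defender would want alongside the Conditional Access and just-in-time measures listed earlier. The following is an added example, not code from this page or from Microsoft; the events are constructed, their field names are an assumption rather than the real Intune audit-log schema, and the threshold and window values are starting points to tune per estate.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def parse_ts(value):
    """Parse the UTC timestamp format used in the constructed events below."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_mass_wipes(events, threshold=5, window_minutes=10):
    """Return {actor: most distinct devices wiped inside any sliding window}
    for actors who issued wipe commands to at least `threshold` distinct
    devices within `window_minutes`. Both limits are assumed defaults."""
    window = timedelta(minutes=window_minutes)
    by_actor = defaultdict(list)
    for e in events:
        if e["activity"].lower().startswith("wipe"):
            by_actor[e["actor"]].append((parse_ts(e["ts"]), e["device"]))
    alerts = {}
    for actor, items in by_actor.items():
        items.sort()
        start = 0
        for end, (t, _) in enumerate(items):
            while t - items[start][0] > window:  # slide window forward
                start += 1
            distinct = {dev for _, dev in items[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[actor] = max(alerts.get(actor, 0), len(distinct))
    return alerts


def _event(actor, activity, device, ts):
    return {"actor": actor, "activity": activity, "device": device, "ts": ts}


# Constructed sample: one compromised admin wiping six devices in under three
# minutes, plus a help-desk admin doing two routine wipes an hour apart.
SAMPLE_EVENTS = [
    _event("svc-intune@example.com", "Wipe ManagedDevice", f"dev-{i}",
           f"2026-03-11T02:0{i // 2}:{'00' if i % 2 == 0 else '30'}Z")
    for i in range(6)
] + [
    _event("helpdesk@example.com", "Sync ManagedDevice", "dev-x", "2026-03-11T02:30:00Z"),
    _event("helpdesk@example.com", "Wipe ManagedDevice", "dev-x", "2026-03-11T03:00:00Z"),
    _event("helpdesk@example.com", "Wipe ManagedDevice", "dev-y", "2026-03-11T04:00:00Z"),
]

if __name__ == "__main__":
    print(find_mass_wipes(SAMPLE_EVENTS))  # {'svc-intune@example.com': 6}
```

Only the burst from the single compromised account trips the default rule; the help-desk admin's spaced-out wipes do not, which is the distinction a production rule needs before it pages anyone.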