
Mobile Device Management

MDM: software platform enabling enterprises to configure, monitor and wipe devices remotely; weaponised by Handala against Stryker via a single stolen admin credential.

Last refreshed: 17 April 2026

Key Question

Why can't antivirus software stop an attack that uses the IT team's own tools?

Common Questions

What is MDM and why was it used to wipe Stryker's devices?

MDM (Mobile Device Management) platforms allow IT teams to remotely configure, manage and wipe company devices. Handala used a single stolen Microsoft Intune admin credential to issue mass-wipe commands to 200,000 Stryker devices in 79 countries without deploying any malware.

Source: Stryker 8-K/A / Krebs on Security

How do you protect an MDM platform from being used as a weapon?

Key controls are: Conditional Access that requires step-up authentication for mass-destructive MDM actions, just-in-time access revocation (e.g. SGNL-style session binding), and break-glass account monitoring. Standard EDR cannot block a wipe command from a legitimate admin session.

Source: Lowdown analysis / Obsidian Security

Background

Mobile Device Management (MDM) became the attack surface at the centre of the Handala wipe of up to 200,000 Stryker devices across 79 countries on 11 March 2026. A single compromised Microsoft Intune administrator credential gave the attackers the same authority as Stryker's legitimate MDM operators; no malware was deployed because no malware was needed. Endpoint Detection and Response (EDR) tools cannot block a wipe command issued from the legitimate MDM console because it presents as authorised IT activity.

MDM platforms, including Microsoft Intune, Jamf, VMware Workspace ONE and others, provide remote device configuration, compliance enforcement, application deployment and mass wipe capabilities. An MDM admin account has estate-wide authority over every enrolled device; in Microsoft Intune's default configuration, that authority is accessible from any IP and any device with valid credentials and MFA, without step-up authentication for mass-destructive actions.

The Stryker incident is the first mass-scale, no-malware demonstration of MDM-level abuse. CrowdStrike's $740m acquisition of SGNL is the market's immediate architectural response: just-in-time access revocation that prevents a stolen credential from being used after a legitimate session ends. For CISOs, Stryker is the forcing function for an MDM posture review that goes beyond EDR deployment to Conditional Access, break-glass and session-binding controls specifically for MDM administrator roles.
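Because a wipe issued from a legitimate admin session is invisible to EDR on the endpoint, the place to catch it is the MDM control plane's own audit trail. The following detector is an added example, not code from the page, Stryker, Microsoft or any vendor named above. It reads a constructed, simplified audit-log format (timestamp|actor|action|device|source IP; the real Intune export schema differs) and raises an alert when one actor issues destructive commands at a rate no human operator would, or issues any destructive command from an IP outside an assumed allow-list of admin egress addresses. Both the action names and the allow-list are assumptions chosen for the example.

```python
"""Rate- and origin-based detector for mass-wipe abuse of an MDM admin account.

Constructed example: the log schema is a simplified, assumed shape
(ts|actor|action|device|ip), not any vendor's real audit export.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed action vocabulary; a real MDM feed uses its own names.
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "factoryReset"}
# Constructed allow-list of egress IPs the admin team is expected to use
# (RFC 5737 documentation range).
KNOWN_ADMIN_EGRESS = {"203.0.113.10"}

# Constructed sample log: one routine wipe from a known IP, a burst of six
# wipes in 25 seconds from an unknown IP, and a single wipe from another
# unknown IP.
SAMPLE_LOG = """\
2026-01-01T02:00:00|alice@corp.example|wipe|dev-0001|203.0.113.10
2026-01-01T02:01:10|bob@corp.example|syncDevice|dev-0002|203.0.113.10
2026-01-01T02:02:00|svc-intune-admin@corp.example|wipe|dev-0003|198.51.100.7
2026-01-01T02:02:05|svc-intune-admin@corp.example|wipe|dev-0004|198.51.100.7
2026-01-01T02:02:10|svc-intune-admin@corp.example|wipe|dev-0005|198.51.100.7
2026-01-01T02:02:15|svc-intune-admin@corp.example|wipe|dev-0006|198.51.100.7
2026-01-01T02:02:20|svc-intune-admin@corp.example|wipe|dev-0007|198.51.100.7
2026-01-01T02:02:25|svc-intune-admin@corp.example|wipe|dev-0008|198.51.100.7
2026-01-01T02:30:00|carol@corp.example|wipe|dev-0009|192.0.2.44
"""


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    actor: str
    action: str
    device_id: str
    source_ip: str


def parse_line(line: str) -> AuditEvent:
    """Parse one constructed 'ts|actor|action|device|ip' record."""
    ts, actor, action, device_id, ip = line.strip().split("|")
    return AuditEvent(datetime.fromisoformat(ts), actor, action, device_id, ip)


def parse_log(text: str) -> list[AuditEvent]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_abuse(events, threshold=5, window=timedelta(minutes=10),
                 known_ips=KNOWN_ADMIN_EGRESS) -> list[dict]:
    """Return one alert per actor whose destructive actions look abusive.

    'mass_destructive': at least `threshold` destructive actions inside any
    sliding `window`. 'unknown_source_ip': any destructive action from an IP
    not in `known_ips`. Actors with no reason raise no alert.
    """
    destructive: dict[str, list[AuditEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.action in DESTRUCTIVE_ACTIONS:
            destructive[e.actor].append(e)

    alerts = []
    for actor, evs in sorted(destructive.items()):
        # Sliding window over this actor's destructive events (already time-ordered).
        peak, start = 0, 0
        for end, ev in enumerate(evs):
            while ev.ts - evs[start].ts > window:
                start += 1
            peak = max(peak, end - start + 1)

        reasons = []
        if peak >= threshold:
            reasons.append("mass_destructive")
        unknown_ips = sorted({e.source_ip for e in evs} - set(known_ips))
        if unknown_ips:
            reasons.append("unknown_source_ip")
        if reasons:
            alerts.append({
                "actor": actor,
                "reasons": reasons,
                "destructive_events": len(evs),
                "peak_in_window": peak,
                "unknown_ips": unknown_ips,
                "devices": [e.device_id for e in evs],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_abuse(parse_log(SAMPLE_LOG)):
        print(alert)
```

The two signals are deliberately independent: the burst threshold catches a mass wipe even from an expected address, and the origin check catches a single wipe from an unexpected one, which is the case the page's point about Intune accepting valid credentials from any IP makes relevant. In production the window and threshold would be tuned against the organisation's own baseline of legitimate wipes, and the alert would feed whatever revokes the session rather than only a log line.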