CISA just told every organization using Intune to tighten up. Here's why that matters for your business.
Two weeks ago, an Iran-linked group called Handala got into a single admin account at Stryker. If you're not familiar, Stryker is one of the biggest medical technology companies on the planet.
Here's the part that should get your attention: they didn't use malware. They didn't find some exotic software vulnerability. They took that compromised admin account, created a new Global Administrator account, and used Intune's own built-in wipe command to start erasing devices across the network. The tool that's supposed to manage and protect endpoints became the weapon.
CISA put out an advisory on March 18th telling organizations to harden their endpoint management systems. Not just Intune. Any platform that gives admins broad control over your devices.
What gets me about this one is how simple it was. The attackers needed credentials and unchecked admin privileges. That's the whole story. The access controls most businesses assume are "good enough" were the entire attack surface.
So what is CISA actually telling us to do?
Start with least privilege access. Your admins should only have the permissions they need for their actual day-to-day work. If someone on your team can wipe every device in your environment and that's not their job, that permission shouldn't be sitting on their account. Full stop.
Put phishing-resistant MFA on every privileged account. And I want to be specific here because "MFA" gets thrown around a lot. Standard MFA is not the same as phishing-resistant MFA. When attackers are sophisticated enough to intercept traditional MFA tokens, that distinction really matters.
Set up multi-admin approval for high-impact actions. Device wipes, application deployments, security baseline changes. None of that should be a one-person decision. Think of it like requiring two keys to launch something big. Because wiping your entire fleet IS something big.
What I'd take away from this:
Your endpoint management platform isn't just an IT tool. It's a control plane for your entire business. If someone takes that over, they don't need malware. They already have everything they need to cause real damage. That's the shift happening right now, and a lot of organizations still have a blind spot here.
Over the next 30 days, audit who has admin access to your endpoint management system. Pull up every account with elevated privileges and ask whether each one actually needs that level of access. I can almost guarantee you'll find accounts with permissions that were granted years ago and never revisited. Everyone does.
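One way to start that audit, as an added example (not something from the CISA advisory or Microsoft's guide): a Microsoft Graph PowerShell script that lists everyone holding the Entra ID roles that can drive Intune. It assumes the Microsoft.Graph SDK is installed, that you can consent to the two read-only scopes, and that your tenant uses the built-in role display names shown.

```powershell
# Added example: list members of the directory roles that can control Intune.
# Assumes the Microsoft.Graph PowerShell SDK is installed; scopes are read-only.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"

# Built-in Entra ID role display names to review (assumption: tenant uses the defaults)
$rolesToReview = @("Global Administrator", "Intune Administrator", "Privileged Role Administrator")

# Get-MgDirectoryRole returns only roles that have been activated in the tenant,
# so a role that nobody has ever been assigned simply does not appear.
$activeRoles = Get-MgDirectoryRole | Where-Object { $rolesToReview -contains $_.DisplayName }

$report = foreach ($role in $activeRoles) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        # Members come back as generic directoryObjects; the useful fields sit in AdditionalProperties
        [pscustomobject]@{
            Role        = $role.DisplayName
            DisplayName = $member.AdditionalProperties.displayName
            UPN         = $member.AdditionalProperties.userPrincipalName
            ObjectType  = $member.AdditionalProperties.'@odata.type'   # user, group or servicePrincipal
        }
    }
}

# Review on screen, then keep a dated CSV so the next review can diff against it
$report | Sort-Object Role, UPN | Format-Table -AutoSize
$report | Export-Csv -Path ".\privileged-role-review-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

This only shows active assignments (permanent ones and PIM roles that are currently activated); if you use Privileged Identity Management, review eligible assignments separately, and treat any group or service principal in the output as a set of people to expand rather than a single account.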
And something you can do today: turn on multi-admin approval for device wipe commands. If you're running Intune, this is a setting you can enable right now. It's the single fastest thing you can do to prevent the exact scenario that hit Stryker.
Microsoft put out an updated Intune hardening guide that's worth bookmarking if you want to work through this yourself. If you want someone to walk through it with you, we're happy to do that. And if you'd rather just hand the whole thing off, that's what we do.