A recent cyberattack on medical technology giant Stryker, carried out by an Iran-linked hacker group, has highlighted just how quickly things can escalate when attackers turn your own security tools against you.
In this case, attackers didn’t just gain access to an organisation’s environment; they went a step further. They compromised Microsoft Intune and used it to remotely wipe devices across the business.
Not encrypt. Not disrupt. Completely wipe. It’s the kind of scenario that flips expectations.
Intune is there to protect and control your devices. In this case, it became the mechanism used against them.
What this actually tells us
It would be easy to read that and assume it’s a rare, sophisticated edge case, but the reality is a bit closer to home.
Attackers today aren’t always trying to smash their way in. They’re far more calculated. They look to:
- Escalate privileges quietly
- Move across systems without being noticed
- Take control of centralised platforms like device management and identity
And once they’ve got that level of access, tools like Intune give them exactly what they need – scale, reach, and control.
That’s what makes this type of incident so impactful.
“We’ve got Intune… so we’re covered, right?”
It’s a completely fair question. And to be clear, Microsoft Intune is a brilliant platform. It’s a key part of any modern workplace and security strategy. But having Intune in place isn’t the same as having it fully secured.
When we review environments, what we typically see is completely normal:
- Permissions that have gradually become broader than intended
- Policies layered over time without being revisited
- Older configurations still sitting in the background
- Gaps between Intune, Entra ID, and security tooling
None of this is unusual. It’s just what happens as organisations grow and evolve. But these are exactly the areas attackers take advantage of.
The real takeaway: security needs to keep moving
If this incident tells us anything, it’s this: security isn’t something you set once and forget about. Your environment changes constantly. Your users and devices evolve. And attackers are always adapting.
Without regular review, it’s easy for small gaps to turn into something much bigger. This isn’t about overreacting.
It’s about taking a step back and asking the right questions:
- Who actually has access to what?
- Are your device controls as tight as you think they are?
- Do your policies still reflect how your business operates today?
- And if someone did get in… how far could they go?
That clarity is where the real value sits.
Microsoft Intune security health check
Our Microsoft Intune Security Health Check is designed to give you exactly that. We take a detailed look at how your environment is configured in practice, not just what’s been deployed, but how it’s actually working day to day.
We’ll review:
- Access controls and admin roles
- Device compliance and configuration policies
- Conditional access and identity protections
- Alignment across Intune, Entra ID, and your wider security tooling
And importantly, we translate all of that into clear, practical recommendations you can act on straight away. No noise. No unnecessary complexity. Just a clear view of where you stand.
Book your Microsoft Intune security health check
Let’s make sure the tools you rely on are doing exactly what you expect them to do, especially when it matters most.