HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Iran‑Linked Handala Group Wipes 200K Devices via Microsoft Intune, FBI & CISA Issue Urgent Advisory

A Handala‑affiliated threat actor broke into Stryker’s Microsoft Intune tenant and used privileged wipe capabilities to erase data on more than 200,000 devices. The FBI and CISA warned enterprises to harden Intune configurations, enforce MFA, and require dual‑approval for high‑impact actions.

LiveThreat™ Intelligence · 📅 March 19, 2026· 📰 therecord.media
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
therecord.media

Iran‑Linked Handala Group Wipes 200K Devices via Microsoft Intune, Prompting FBI & CISA Advisory

What Happened — An Iran‑affiliated hacking group known as Handala compromised a legitimate Microsoft Intune tenant used by Stryker, a large medical‑device firm, and issued remote‑wipe commands that erased data on more than 200,000 corporate devices. The attackers used no malware, instead abusing privileged Intune permissions to execute the wipes.

Why It Matters for TPRM

  • Cloud‑based endpoint‑management platforms can become a single point of failure if admin credentials are compromised.
  • Service‑disruption attacks on a third‑party SaaS can cascade to multiple business units, suppliers, and customers.
  • The incident highlights the need for strict least‑privilege, MFA, and dual‑approval controls on all privileged cloud services.

Who Is Affected — Healthcare technology manufacturers, hospitals, and any organization that relies on Microsoft Intune (or similar MDM solutions) to manage endpoints.

Recommended Actions — Review and tighten Intune role‑based access controls, enforce MFA for all admin accounts, implement a second‑approval workflow for high‑impact actions such as device wipes, and continuously monitor privileged activity.

Technical Notes — Attack vector: stolen or misused admin credentials within Microsoft Intune (cloud‑based MDM). No known CVEs were exploited; the breach stemmed from inadequate configuration and lack of multi‑factor authentication on privileged accounts. Data types: primarily operational device data; no evidence of patient or proprietary data exfiltration. Source: The Record

📰 Original Source
https://therecord.media/fbi-cisa-warn-of-microsoft-intune-risks-stryker

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →