When Your IT Management Tool Becomes the Weapon

On 11 March 2026, medical technology giant Stryker, a Fortune 500 company with over 56,000 employees across 61 countries, suffered one of the most operationally destructive cyberattacks in recent memory. Over 200,000 devices were wiped. Offices across 79 countries went dark. Staff were told to disconnect everything and not turn on company-issued devices.

What makes this incident worth examining closely isn't the scale of the disruption. It's the method. According to reporting from KrebsOnSecurity and corroborated by employee accounts, the attackers did not deploy traditional malware. They allegedly compromised a privileged administrator account and used Microsoft Intune, Stryker's own mobile device management (MDM) platform, to issue remote wipe commands across the entire device fleet. No novel exploit. No sophisticated payload. Just admin credentials and a legitimate enterprise tool turned against its owner.

This is the attack pattern security teams need to be planning for right now.

The Real Vulnerability: Admin Account Access

The Stryker incident illustrates a fundamental truth about modern enterprise security: whoever controls the admin plane controls everything beneath it. An attacker holding valid credentials for a Global Administrator or Intune Administrator account (or a custom Intune role that has been granted remote-task permissions) can, in a matter of minutes, issue wipe commands to every enrolled device in the organisation. No endpoint detection tool will flag it and no antivirus will catch it, because nothing malicious runs on the endpoint: the wipe arrives as an ordinary management command from the tenant the device already trusts. It looks like a legitimate administrative action because it is one, just executed by the wrong person. The only place the attack is visible before the devices go dark is the admin plane itself, in the Entra sign-in logs and the Intune audit log, which is where detection for this class of attack has to live.

The question for every IT and security leader in Australia is straightforward: what stands between an attacker and your MDM admin console?

If the answer is a username, a password, and an SMS code, or worse, just a username and password, the answer isn't good enough.
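Because the only early signal lives in the admin plane, the following added example (not code from the original article or from Microsoft) shows what a detection over the Intune audit log looks like: it flags any single admin identity that issues a burst of wipe actions inside a short window. The records it runs on are constructed test data, loosely modelled on the fields an Intune audit event exposes; the threshold and window are assumptions to be tuned against your own baseline.

```powershell
# Added example (not from the original article): admin-plane detection that flags
# a burst of remote-wipe actions issued by one admin identity.
# The records below are CONSTRUCTED test data, loosely modelled on the fields an
# Intune audit event exposes (actor.userPrincipalName, activityDateTime,
# activityType, activityOperationType). Against a live tenant you would feed it
# the output of Get-MgDeviceManagementAuditEvent (Microsoft.Graph.DeviceManagement).

function Find-WipeBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold     = 5,   # this many wipes by one actor ...   (assumed value)
        [int] $WindowMinutes = 10   # ... within this sliding window      (assumed value)
    )

    # Keep only executed wipe actions, oldest first.
    $wipes = $Events |
        Where-Object { $_.activityType -match '\bwipe\b' -and $_.activityOperationType -eq 'Action' } |
        Sort-Object { [datetime]$_.activityDateTime }

    $alerts = @(foreach ($group in ($wipes | Group-Object { $_.actor.userPrincipalName })) {
        $times = @($group.Group | ForEach-Object { [datetime]$_.activityDateTime })
        # Sliding window: starting at each wipe, count the wipes that follow it
        # within WindowMinutes. The list is sorted, so one forward pass suffices.
        for ($i = 0; $i -lt $times.Count; $i++) {
            $windowEnd = $times[$i].AddMinutes($WindowMinutes)
            $inWindow  = @($times | Where-Object { $_ -ge $times[$i] -and $_ -le $windowEnd })
            if ($inWindow.Count -ge $Threshold) {
                [pscustomobject]@{
                    Actor       = $group.Name
                    Wipes       = $inWindow.Count
                    WindowStart = $times[$i].ToString('u')
                    WindowEnd   = $inWindow[-1].ToString('u')
                }
                break   # one alert per actor is enough to page someone
            }
        }
    })
    return $alerts
}

# Constructed sample: a help-desk admin wipes one lost laptop in the morning
# (routine, below threshold); a second admin account issues six wipes inside
# four minutes that night (the pattern we want to catch).
$helpdesk = @{ userPrincipalName = 'helpdesk.admin@example.com' }   # constructed
$suspect  = @{ userPrincipalName = 'intune.admin@example.com' }     # constructed
$sample = @(
    @{ actor = $helpdesk; activityDateTime = '2026-03-11T09:05:00Z'; activityType = 'Wipe ManagedDevice'; activityOperationType = 'Action' }
    @{ actor = $suspect;  activityDateTime = '2026-03-11T23:40:00Z'; activityType = 'Get ManagedDevices';  activityOperationType = 'Get' }
    @{ actor = $suspect;  activityDateTime = '2026-03-11T23:41:00Z'; activityType = 'Wipe ManagedDevice'; activityOperationType = 'Action' }
    @{ actor = $suspect;  activityDateTime = '2026-03-11T23:41:30Z'; activityType = 'Wipe ManagedDevice'; activityOperationType = 'Action' }
    @{ actor = $suspect;  activityDateTime = '2026-03-11T23:42:00Z'; activityType = 'Wipe ManagedDevice'; activityOperationType = 'Action' }
    @{ actor = $suspect;  activityDateTime = '2026-03-11T23:43:00Z'; activityType = 'Wipe ManagedDevice'; activityOperationType = 'Action' }
    @{ actor = $suspect;  activityDateTime = '2026-03-11T23:44:00Z'; activityType = 'Wipe ManagedDevice'; activityOperationType = 'Action' }
    @{ actor = $suspect;  activityDateTime = '2026-03-11T23:45:00Z'; activityType = 'Wipe ManagedDevice'; activityOperationType = 'Action' }
)

Find-WipeBurst -Events $sample | Format-Table -AutoSize
```

The single help-desk wipe never reaches the threshold, so the only thing that should surface is the six-in-four-minutes actor. Two design points worth carrying into production: key on the actor identity rather than the device, because a legitimate offboarding batch and a hostile wipe look identical per device, and run the rule continuously (the same grouping ports directly to a KQL query once Intune audit events are being shipped to Log Analytics), since by the time a human notices, the devices are already gone.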

Phishing-Resistant MFA Is Not Optional for Privileged Accounts

Not all MFA is created equal. SMS one-time passwords can be intercepted through SIM swapping, and SMS codes, TOTP codes and authenticator app push notifications alike can all be defeated by real-time phishing proxies (adversary-in-the-middle kits that relay the victim's code or approval to the real site) and, for push in particular, by MFA fatigue attacks (also known as push bombing). These techniques are well documented and in active use by the kind of threat actors behind incidents like Stryker.

Phishing-resistant MFA, specifically FIDO2 hardware security keys such as the YubiKey, operates on a fundamentally different model. The key holds a per-site credential and signs a server-issued challenge together with the origin the browser reports; a credential registered for your identity provider's domain is never even offered to a lookalike domain, and a proxy sitting on a different origin cannot obtain a signature the real site will accept. A fake login page simply cannot complete the authentication. There is no code to intercept, no push to approve, no one-time password to harvest.

There is a second property of hardware security keys that matters enormously for privileged account protection, and it's less often discussed: physical presence.

When an administrator authenticates with a YubiKey, they must physically touch the device. The key must be in their hand, plugged into their machine, at the moment of authentication. This single constraint makes remote account takeover categorically harder. An attacker who has obtained the password through phishing or credential stuffing, operating from the other side of the world, cannot complete the authentication: they do not have the token, and the touch cannot be faked remotely. One caveat a practitioner should keep in mind: the touch proves presence at the moment of sign-in only. It does nothing for a session token or cookie stolen after that moment, which is why the step-up and re-authentication controls in the next section matter as much as the login itself.

For administrative accounts with the power to wipe an entire device fleet, this physical presence requirement is not a nice-to-have. It's a fundamental control.

Step-Up Authentication for Privileged Actions

Beyond securing the initial login, organisations should implement step-up authentication for high-impact administrative actions, requiring a fresh, phishing-resistant authentication challenge at the point of performing a destructive or sensitive operation, regardless of existing session state.

In practice, this means that even if an attacker somehow gains access to an authenticated admin session, they still cannot execute a bulk device wipe, modify Conditional Access policies, or make global configuration changes without completing an additional hardware-key-bound challenge. One caveat on how far the Microsoft stack takes this today: Entra's Protected actions feature attaches a Conditional Access authentication context to a defined set of directory permissions, such as editing Conditional Access policies, so those operations can genuinely demand a fresh FIDO2 challenge mid-session. Intune's wipe action is not covered by that mechanism, so for the MDM plane the nearest equivalent is a short PIM activation window plus a sign-in frequency on the admin-portal policy, which bounds how long a hijacked session stays useful.

This pattern is directly implementable in the Microsoft stack:

  • Microsoft Entra ID (Azure AD) Conditional Access: Create policies that require phishing-resistant MFA for access to the Microsoft Intune admin centre, Entra ID admin roles, and other high-privilege portals (Conditional Access can target the "Microsoft Admin Portals" application group directly). Scope these policies to your privileged directory roles or to a group containing the admin accounts, and build them in report-only mode first so that a mistake shows up in the sign-in logs rather than as a lockout.
  • Privileged Identity Management (PIM): Require phishing-resistant MFA as a condition for activating elevated roles such as Global Administrator, Intune Administrator, or Security Administrator. Roles are held in an eligible state and must be explicitly activated on demand; in the role settings, choose "require Microsoft Entra Conditional Access authentication context" on activation and pair that context with a Conditional Access policy that demands the hardware-key strength. This dramatically limits the window of exposure.
  • Authentication Strengths: Entra ID's Authentication Strengths feature lets you define a named policy (e.g., "Privileged Admin MFA") that requires FIDO2 security key authentication and excludes weaker methods. Note that the built-in "Phishing-resistant MFA" strength also admits Windows Hello for Business and certificate-based authentication; if you want hardware keys only, create a custom strength with just the FIDO2 combination (optionally restricted to specific key models by AAGUID). Apply it as the required strength in the Conditional Access rules targeting admin portals.
  • Other MDM platforms: Organisations using Jamf Pro, Workspace ONE, or other MDM solutions should apply equivalent controls at the identity provider level, enforcing hardware key authentication for any account with device management capabilities, and where possible, requiring re-authentication before bulk actions are executed.
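The first and third bullets above, carried out as an added example rather than code from the article or from Microsoft: it creates a custom authentication strength that admits only FIDO2 security keys, then a Conditional Access policy, in report-only mode, that requires that strength (and a four-hour re-authentication) for privileged roles reaching the Microsoft admin portals. It assumes the Microsoft Graph PowerShell SDK is installed and that you have a break-glass group; its object ID, the policy names and the four-hour window are placeholders to adjust.

```powershell
# Added example (not the article's or Microsoft's own code). Assumes:
#   Install-Module Microsoft.Graph   (Graph PowerShell SDK)
#   $BreakGlassGroupId holds the object ID of your emergency-access group (placeholder).
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace

$scopes = @(
    'Policy.ReadWrite.ConditionalAccess'
    'Policy.ReadWrite.AuthenticationMethod'
    'Policy.Read.All'
    'RoleManagement.Read.Directory'
)
Connect-MgGraph -Scopes $scopes

# 1. Custom authentication strength: FIDO2 security keys only.
#    (The built-in "Phishing-resistant MFA" strength would also admit
#    Windows Hello for Business and certificate-based authentication.)
$strength = New-MgPolicyAuthenticationStrengthPolicy -BodyParameter @{
    displayName         = 'Privileged Admin MFA'
    description         = 'FIDO2 security key only, for privileged roles'
    allowedCombinations = @('fido2')
}

# 2. Resolve role template IDs by display name instead of hard-coding GUIDs.
#    The older "Intune Service Administrator" name is included in case a tenant still shows it.
$roleNames = @(
    'Global Administrator'
    'Intune Administrator'
    'Intune Service Administrator'
    'Security Administrator'
)
$roleIds = @(Get-MgDirectoryRoleTemplate |
             Where-Object { $_.DisplayName -in $roleNames } |
             Select-Object -ExpandProperty Id)
if ($roleIds.Count -lt 3) { throw "Expected at least three role templates, found $($roleIds.Count)" }

# 3. Conditional Access: privileged roles -> Microsoft admin portals -> require the
#    strength, and force re-authentication every 4 hours so a stolen session ages out.
#    Created report-only on purpose; set state to 'enabled' after reviewing sign-in logs.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Admin portals: FIDO2 security key required'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeRoles  = $roleIds
            excludeGroups = @($BreakGlassGroupId)   # never lock out emergency access
        }
        applications = @{
            includeApplications = @('MicrosoftAdminPortals')
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            type               = 'hours'
            value              = 4
            frequencyInterval  = 'timeBased'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}

"Created strength '$($strength.DisplayName)' ($($strength.Id))"
"Created policy '$($policy.DisplayName)' in report-only mode ($($policy.Id))"
```

Before enabling the policy, make sure the FIDO2 security key method is switched on in the tenant's Authentication methods policy and that every targeted admin has actually registered a key; an enforced strength nobody can satisfy is a self-inflicted outage. The break-glass exclusion is deliberate: those accounts get their own keys and their own monitoring, but they must never depend on a policy you might misconfigure.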

Implementing YubiKey for Admin Account Protection

For organisations in Australia looking to implement hardware security key authentication for administrative accounts, the practical steps are straightforward:

  1. Identify your blast radius accounts. These are accounts whose compromise would cause maximum damage: Global Administrators, Intune Administrators, Security Administrators, Exchange Administrators, and any break-glass accounts. Start here.
  2. Register FIDO2 YubiKeys against each admin account in Entra ID. Enable the FIDO2 security key method in the tenant's Authentication methods policy first, then require a minimum of two keys per administrator: one for daily use and one stored securely as a backup. Give break-glass accounts keys too, and keep those keys offline under dual control.
  3. Build Conditional Access policies that enforce a FIDO2-only authentication strength for access to admin portals (Intune admin centre, Entra admin centre, Microsoft 365 admin centre, Azure portal). Exclude the break-glass accounts from these policies so a misconfiguration cannot lock everyone out, start in report-only mode, and block legacy authentication protocols entirely for these accounts.
  4. Enable PIM for all privileged roles and require phishing-resistant MFA on activation. Set appropriate activation time windows (e.g., 4-8 hours) to limit standing access.
  5. Audit regularly. Review active role assignments, look for accounts with permanent privileged access that should be converted to PIM-eligible, and confirm MFA method registrations across admin accounts.
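Step 5 as a script, added here as an example and not taken from the article or from Microsoft: for each privileged role it lists the active assignments, marks the ones that are standing (no end date, so never converted to PIM-eligible), and counts the FIDO2 keys each administrator has registered so that anyone below the two-key minimum shows up. It assumes the Microsoft Graph PowerShell SDK and a caller granted the scopes listed; the role names are the ones from step 1.

```powershell
# Added example (not the article's or Microsoft's own code). Assumes the Graph
# PowerShell SDK (Install-Module Microsoft.Graph) and a caller with these scopes.
$scopes = @(
    'RoleManagement.Read.Directory'
    'UserAuthenticationMethod.Read.All'
    'User.Read.All'
)
Connect-MgGraph -Scopes $scopes

$roleNames = @(
    'Global Administrator'
    'Intune Administrator'
    'Security Administrator'
    'Exchange Administrator'
)
$roles = Get-MgRoleManagementDirectoryRoleDefinition -All |
         Where-Object { $_.DisplayName -in $roleNames }

$findings = @(foreach ($role in $roles) {
    # Active assignment instances for this role. Permanent assignments carry no
    # EndDateTime; PIM activations do, and report AssignmentType 'Activated'.
    $active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All `
                  -Filter "roleDefinitionId eq '$($role.Id)'"

    foreach ($instance in $active) {
        # Only user principals are checked for keys; group and service principal
        # assignments are skipped here and deserve their own review.
        $user = Get-MgUser -UserId $instance.PrincipalId -ErrorAction SilentlyContinue
        if (-not $user) { continue }

        $keys = @(Get-MgUserAuthenticationFido2Method -UserId $user.Id -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            Role           = $role.DisplayName
            Admin          = $user.UserPrincipalName
            AssignmentType = $instance.AssignmentType        # 'Assigned' or 'Activated'
            Standing       = (-not $instance.EndDateTime)    # $true = permanent access
            Fido2Keys      = $keys.Count
            NeedsAction    = ((-not $instance.EndDateTime) -or ($keys.Count -lt 2))
        }
    }
})

# Everything that violates the two rules: no standing privileged access, and at
# least two FIDO2 keys per administrator.
$findings | Where-Object { $_.NeedsAction } |
    Sort-Object Role, Admin |
    Format-Table Role, Admin, AssignmentType, Standing, Fido2Keys -AutoSize

"Checked $($findings.Count) active assignment(s); $(@($findings | Where-Object NeedsAction).Count) need attention."
```

Run it on a schedule and diff the output: a new row with Standing = True means someone granted permanent privilege outside PIM, and a drop in Fido2Keys for an existing admin means a key was removed from the account, both of which are worth a question the same day.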

This is not a complex implementation. It's achievable in days for most Microsoft 365 environments, and the reduction in risk is immediate and substantial.

The Broader Context

The Stryker attack is a reminder that geopolitical events now have direct operational consequences for enterprises globally, including here in Australia. Nation-state and state-aligned threat actors are not solely focused on government targets. They target organisations with perceived connections to adversary nations, supply chain relationships, or simply high disruption value.

The Essential Eight, Australia's baseline cybersecurity framework from the Australian Cyber Security Centre, includes MFA as a top-tier control, and Essential Eight Maturity Level 3 specifically requires phishing-resistant MFA for privileged users. The Stryker incident demonstrates exactly why that distinction exists.

Hardware security keys are available, affordable, and deployable now. The gap between having MFA and having phishing-resistant MFA for privileged accounts is the gap that state-linked threat actors are actively exploiting.

How Trust Panda Can Help

Trust Panda is Australia's specialist in identity security and phishing-resistant authentication. We supply and support YubiKey deployments across organisations of all sizes, from small businesses to enterprise environments, and can advise on Conditional Access architecture, PIM configuration, and step-up authentication design within the Microsoft stack and beyond.

If you'd like to review your privileged account protection posture, get in touch with our team.