We want to start by saying something that sometimes gets lost in the way our industry talks about cybersecurity incidents: what happened to Stryker is genuinely difficult, and we have a lot of empathy for the teams over there who are working around the clock right now trying to get things back to normal.
These types of events are hard on IT staff, hard on leadership, hard on customers, and hard on the people who built and maintained those environments with the best intentions and the tools they had available.
No organization gets everything right.
No solution is perfect.
And when something goes wrong at this scale, the last thing the industry needs is people pointing fingers from the sidelines.
That said, incidents like this one are also some of the most valuable learning moments our industry gets. And we think we owe it to each other to sit with them, understand them honestly, and let them inform how we approach our own environments going forward.
So that’s what we want to do here.
Stryker cyberattack timeline
On March 11, 2026, Stryker, a Fortune 500 medical device manufacturer with about 56,000 employees operating across more than 60 countries, experienced a significant cyberattack that disrupted their global Microsoft environment. The company confirmed the attack impacted internal operations, including manufacturing and shipping, and that employees were advised to disconnect and power down company devices.
The attack was claimed by a pro-Iranian hacking group called Handala, who alleged they wiped a massive number of corporate devices and exfiltrated significant data. This may be one of the clearest recent examples of geopolitical conflict influencing a destructive cyberattack against a US company.

Was the Stryker attack ransomware or malware?
What makes this incident stand out is that it does not appear to have followed the pattern most people associate with ransomware or large-scale malware deployment.
Based on Stryker’s updates, the attackers appear to have gained privileged access to Stryker’s Microsoft environment, specifically tools like Intune and Entra ID, and used those legitimate management tools to push remote wipe commands to enrolled devices at scale.
Stryker has said there was no indication of ransomware, and while investigators later identified a malicious file used to run commands and conceal activity, the company also said that file was not capable of spreading inside or outside the environment.
This was not a typical ransomware event, and it was not a conventional self-propagating malware outbreak.
The more unsettling reality is that a trusted administrative platform appears to have been turned into the delivery mechanism. Even with a malicious file involved, the defining feature of this attack was the abuse of legitimate management control at enterprise scale.
This changes the conversation. It pushes the focus beyond blocking suspicious files and toward protecting the administrative layers that can control identity, policy, endpoints, and remote actions across the environment.
Why the Stryker cyberattack matters beyond Stryker
Here’s something we’ve learned after years working with organizations of all shapes and sizes on their Microsoft environments: nobody has it all figured out. Not the big enterprises with large IT teams, not the mid-market companies with dedicated security staff, and, honestly, not us as MSPs either.
We’re all learning, adapting, and trying to stay ahead of threats that are themselves constantly evolving.
The Microsoft ecosystem is extraordinarily powerful. It’s also extraordinarily broad.
Entra ID, Intune, Exchange, SharePoint, Teams, and Azure are deeply interconnected systems that together form the operational backbone of most modern organizations. And that depth and interconnection, which is genuinely what makes M365 so valuable, is also what makes the security posture of that environment so critically important to get right.
In our work as an MSP, we get a unique vantage point. We see across a lot of different environments (different industries, different sizes, different maturity levels), and what we can tell you is that the gap between “we’re deployed on M365” and “our M365 environment is well-secured” is almost universal.
It’s not because organizations don’t care. It’s because these platforms evolve faster than any single team can keep up with, because security priorities compete with operational ones, and because there is genuinely no one-size-fits-all answer.
The organizations that weather these moments best aren’t the ones who got everything right. They’re the ones who kept asking the right questions — with partners they trusted.
What the Stryker incident is teaching IT and security leaders
Every major security event carries lessons. Some are technical. Some are organizational. And some are just reminders of things we already knew but hadn’t gotten around to acting on yet. Here’s what this one is surfacing:
- Your device management and identity platform is now a high-value target. When privileged access to Intune and Entra ID is compromised, the damage isn’t limited to a single machine or user. It scales instantly. Protecting those layers deserves the same rigor we’ve historically applied to network perimeters.
- Geopolitical events are now part of your threat landscape. For years, the dominant cyber threat was financially motivated: ransomware groups that wanted to negotiate a payment. Nation-state-aligned actors operate differently. The goal isn’t to get paid. It’s disruption. Organizations don’t need to become geopolitical analysts, but security and IT leadership should be paying attention to the broader context when making decisions about posture and response readiness.
- Traditional detection tools have blind spots. One of the harder truths here is that an attack using legitimate management commands may not trigger traditional security alerts. This pushes the conversation toward behavioral monitoring, anomaly detection, and privileged access management. Many organizations may have these controls on the roadmap, but haven’t fully implemented them.
- No organization is exempt. This is a Fortune 500 company with substantial resources and a global IT team. If something like this can happen to them, it can and will happen anywhere. We’re all in this together.

What to review in your own Microsoft environment after the Stryker attack
We want to be careful here not to turn this into a checklist that implies any organization that gets hit “should have known better.” That’s not the spirit of this. But there’s value in using moments like this as a prompt to have some honest internal conversations. Here are the areas we would encourage any IT or security leader to revisit:
- Privileged access in your Microsoft tenant. When did you last audit who holds Global Admin, Intune Administrator, or other elevated roles? Are any of those persistent rather than just-in-time? Are external or guest accounts in that list? These are conversations worth having regularly, not just after incidents.
- Conditional Access policies. Conditional Access is one of the most powerful controls in the M365 security stack and also one of the most commonly under-configured. Multi-factor authentication (MFA) enforcement on admin roles, device compliance requirements, and blocking legacy authentication are foundational. If those aren’t in place, they’re a good starting point.
- Your incident response plan. Specifically, does it account for a destructive or wiper scenario? Most IR plans are written around ransomware. A scenario where endpoints are wiped rather than encrypted has a very different recovery path. It’s worth thinking through what that looks like for your organization before it’s urgent.
- Endpoint backup and recovery. Server backup coverage is typically solid. Endpoint coverage for laptops, workstations, and mobile devices is often thinner. If devices store anything locally, even temporarily, that’s a gap worth addressing.
- Who has access to your Microsoft environment from outside your organization? MSPs, integration partners, software vendors — any of these may have elevated access to your tenant. That access should be documented, scoped appropriately, and reviewed periodically.
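The privileged-access review in the first item above, as an added example (not Stryker’s or Apex Digital’s code): a Microsoft Graph PowerShell script that lists who holds Global Administrator and Intune Administrator, separates standing assignments from time-bound and PIM-eligible ones, and flags guest accounts. It assumes the Microsoft.Graph SDK is installed, that Privileged Identity Management (Entra ID P2) is available so the schedule-instance APIs return data, and that the reader can consent to the RoleManagement.Read.Directory and Directory.Read.All scopes; Resolve-Principal is a helper written for this example.

```powershell
# Added example, not Stryker's or Apex Digital's code: inventories who holds the
# Global Administrator and Intune Administrator roles, separating standing
# (permanent) assignments from time-bound and PIM-eligible ones and flagging guests.
# Assumes the Microsoft.Graph PowerShell SDK is installed (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

$rolesToAudit = @("Global Administrator", "Intune Administrator")
$defs = Get-MgRoleManagementDirectoryRoleDefinition -All |
    Where-Object { $rolesToAudit -contains $_.DisplayName }

function Resolve-Principal {
    # Helper defined for this example; works for users, groups and service principals.
    param([string]$Id)
    $p = (Get-MgDirectoryObject -DirectoryObjectId $Id).AdditionalProperties
    [pscustomobject]@{
        Name    = $p['displayName']
        Upn     = $p['userPrincipalName']
        Kind    = ($p['@odata.type'] -replace '^#microsoft\.graph\.', '')
        IsGuest = ($p['userType'] -eq 'Guest')
    }
}

$report = foreach ($def in $defs) {
    $filter = "roleDefinitionId eq '$($def.Id)'"

    # Active assignments. 'Activated' means a PIM activation currently in progress;
    # 'Assigned' with no end date is a standing assignment that never expires.
    foreach ($a in Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter $filter -All) {
        if ($a.AssignmentType -eq 'Activated') { $state = 'JIT-activated' }
        elseif ($null -eq $a.EndDateTime)     { $state = 'PERMANENT' }
        else                                  { $state = "Active until $($a.EndDateTime)" }
        $who = Resolve-Principal $a.PrincipalId
        [pscustomobject]@{ Role = $def.DisplayName; Principal = $who.Name; Upn = $who.Upn
                           Kind = $who.Kind; Guest = $who.IsGuest; Via = $a.MemberType; State = $state }
    }

    # Eligible assignments: holders can activate on demand but are not live right now.
    foreach ($e in Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter $filter -All) {
        $who = Resolve-Principal $e.PrincipalId
        [pscustomobject]@{ Role = $def.DisplayName; Principal = $who.Name; Upn = $who.Upn
                           Kind = $who.Kind; Guest = $who.IsGuest; Via = $e.MemberType; State = 'Eligible (JIT)' }
    }
}

$report | Sort-Object Role, State | Format-Table -AutoSize
# The two numbers worth tracking over time: standing admins and guests in admin roles.
"Standing (permanent) holders: $(@($report | Where-Object { $_.State -eq 'PERMANENT' }).Count)"
"Guest accounts in scope:      $(@($report | Where-Object { $_.Guest }).Count)"
```

Rows with Via = Group mean the role is inherited through a role-assignable group, so the group’s own membership needs the same review.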

Why incidents like the Stryker attack are learning moments for the industry
One of the things we find most meaningful about this work is the community aspect of it. The cybersecurity and IT industry, at its best, is one where practitioners share what they’ve seen, organizations are transparent about what happened and what they’re doing about it, and we collectively raise the baseline for everyone.
Stryker has been relatively transparent through this. They’ve communicated with customers, been clear about what they know and what they’re still investigating, and engaged with CISA and third-party forensic experts. That kind of transparency takes courage during a difficult moment, and we think they deserve credit for it. The more openly these events are discussed, the more the rest of us can learn from them.
From where we sit, the organizations that handle these challenges best, whether they’re experiencing an incident or trying to prevent one, aren’t necessarily the ones with the biggest budgets or the most sophisticated tools. They’re the ones who have built strong, honest relationships with partners they trust. Who have created cultures where security isn’t just the IT team’s problem, but a shared organizational value. And who treat every industry event, including ones that happen to someone else, as a reason to ask: what does this mean for us?
Security is a continuous, evolving practice. And no one should have to navigate it alone.
How Apex Digital approaches Microsoft security and risk management
As an MSP that specializes in Microsoft 365 and Azure, we live in these environments every day. We see the full spectrum, from organizations that have invested deeply in security architecture to ones that are just starting to think about what their posture actually looks like. And we genuinely believe that the best outcomes come from partnership, not from telling clients what they’re doing wrong.
Our approach is to start with understanding: where you are, what’s actually in place, what the real risks are for your specific environment. We then work together to build a path forward that’s realistic, prioritized, and grounded in your actual situation.
If the Stryker incident has prompted any questions about your own Microsoft environment, about identity security, endpoint management, incident response readiness, or just where to start, we’re happy to be a sounding board.
Because at the end of the day, that’s how this industry gets better: one honest conversation at a time.
Not sure where to start? A funded Microsoft Security Workshop can be a practical first step for eligible organizations that want clearer direction on risks, findings they can share internally, and a prioritized roadmap for what to do next. Funded workshops are designed to be low-lift, include a findings summary and prioritized recommendations, and are available across four primary tracks: Cloud Security, Data Security, Threat Protection, and Modern SecOps.