
CISA Urges Endpoint Management System Hardening After Cyberattack Against US Organization

CISA has issued an alert regarding malicious cyber activity targeting endpoint management systems, specifically highlighting a recent attack on Stryker Corporation's Microsoft environment. The alert strongly urges organizations to harden Microsoft Intune and similar platforms by enforcing least privilege, phishing-resistant MFA, and Multi Admin Approval to prevent unauthorized high-impact administrative actions.

Sensitivity: Immediate | Confidence: high | Analyzed: 2026-03-19

Authors: CISA

Source: CISA

Key Takeaways

  • Threat actors are actively targeting and misusing endpoint management systems like Microsoft Intune.
  • A recent cyberattack on Stryker Corporation on March 11, 2026, highlights the severe risk to Microsoft environments.
  • Organizations must enforce phishing-resistant MFA and strict privileged access hygiene for endpoint management administrators.
  • Implementing Multi Admin Approval in Intune is critical to prevent unauthorized high-impact actions such as device wiping or malicious script deployment.

Affected Systems

  • Microsoft Intune
  • Endpoint Management Systems
  • Microsoft Entra ID

Attack Chain

Threat actors first obtain an administrator's credentials or an authenticated session and sign in to the endpoint management console, such as Microsoft Intune; the alert's emphasis on phishing-resistant MFA and privileged access hygiene points to phishing and session theft as the expected entry routes. From there no malware is needed: the platform's own management features let the attacker push scripts or applications to every enrolled device, alter configurations, and issue high-impact commands such as a wipe across the managed fleet. Every one of those actions is recorded as ordinary administrative activity by a legitimate account, which is what makes the misuse hard to separate from routine operations.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the alert; the focus is entirely on configuration hardening and preventative controls.

Detection Engineering Assessment

  • EDR Visibility: Low. EDR watches endpoint behavior; misuse of a cloud endpoint management portal such as Intune happens at the control plane, so detection depends on cloud and identity logs rather than host telemetry. An EDR may see the resulting script or wipe land on the device, but by then the action has already been authorized.
  • Network Visibility: Low. Traffic to Intune is HTTPS and looks like legitimate administrative traffic, so network controls cannot distinguish it without TLS interception and inspection of the underlying API calls.
  • Detection Difficulty: Hard. Separating legitimate administrative actions from an attacker using compromised admin credentials requires behavioral baselining (which accounts run which actions, from where, and when), anomaly detection on deviations from that baseline, and correlation with identity signals such as sign-in risk and logins from new devices or IP addresses.

Required Log Sources

  • Microsoft Entra ID Sign-in Logs
  • Microsoft Entra ID Audit Logs
  • Microsoft Intune Audit Logs

Hunting Hypotheses

| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
| --- | --- | --- | --- |
| An attacker using compromised credentials may attempt to initiate mass device wiping commands via Intune. | Microsoft Intune Audit Logs | Impact | Low |
| Unauthorized changes to Intune RBAC roles or Conditional Access policies may indicate an attacker attempting to establish persistence or bypass MFA. | Microsoft Entra ID Audit Logs, Microsoft Intune Audit Logs | Persistence | Medium |
| A sudden spike in new script or application deployments originating from an unusual IP address or outside normal business hours indicates potential control plane compromise. | Microsoft Intune Audit Logs, Microsoft Entra ID Sign-in Logs | Execution | Medium |
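The three hypotheses above, implemented as hunting logic over constructed sample events. This is an added example, not code from the CISA alert (which ships no queries): the events are invented and shaped after the Microsoft Graph deviceManagement/auditEvents, auditLogs/signIns and auditLogs/directoryAudits records as the author understands them, and the activityType and componentName strings, the wipe threshold, the baseline window and the business-hours range are assumptions to tune against your own tenant's logs.

```python
"""Hunting logic for the three hypotheses above. Added example, not part of the
CISA alert: it runs over constructed events shaped like Microsoft Graph
deviceManagement/auditEvents, auditLogs/signIns and auditLogs/directoryAudits
records. Field names follow the Graph schema as the author understands it; the
activityType/componentName strings and all data values are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def ts(s):  # ISO-8601 UTC timestamp such as 2026-03-11T03:05:00Z -> aware datetime
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def intune_event(when, actor, ip, activity, component, target):  # constructed record
    return {"activityDateTime": when, "activityType": activity, "componentName": component,
            "actor": {"userPrincipalName": actor, "ipAddress": ip}, "resources": [{"displayName": target}]}

ADMIN, HELPDESK = "admin@contoso.example", "helpdesk@contoso.example"
HOME_IP, ATTACKER_IP, HD_IP = "203.0.113.10", "198.51.100.7", "203.0.113.20"

# Constructed Entra sign-ins: routine admin logins, then one from a new IP.
SIGNINS = [
    {"userPrincipalName": ADMIN, "ipAddress": HOME_IP, "createdDateTime": "2026-03-02T09:10:00Z"},
    {"userPrincipalName": ADMIN, "ipAddress": HOME_IP, "createdDateTime": "2026-03-05T08:55:00Z"},
    {"userPrincipalName": ADMIN, "ipAddress": ATTACKER_IP, "createdDateTime": "2026-03-11T03:02:00Z"},
]

# Constructed Intune audit events: a routine wipe and app assignment, then an
# RBAC change, a script deployment and six wipes from the new IP at 03:00 UTC.
INTUNE_AUDIT = [
    intune_event("2026-03-04T10:00:00Z", HELPDESK, HD_IP, "wipe ManagedDevice", "ManagedDevices", "LAPTOP-0042"),
    intune_event("2026-03-06T11:00:00Z", ADMIN, HOME_IP, "assign MobileApp", "MobileApp", "Company Portal"),
    intune_event("2026-03-11T03:04:00Z", ADMIN, ATTACKER_IP, "create RoleAssignment", "RoleBasedAccessControl", "Backup Admins"),
    intune_event("2026-03-11T03:08:00Z", ADMIN, ATTACKER_IP, "createOrUpdate DeviceManagementScript", "DeviceManagementScript", "cleanup.ps1"),
] + [
    intune_event(f"2026-03-11T03:{m:02d}:00Z", ADMIN, ATTACKER_IP, "wipe ManagedDevice", "ManagedDevices", f"LAPTOP-{n:04d}")
    for n, m in enumerate(range(10, 22, 2), start=1)
]

# Constructed Entra directory audit event: a Conditional Access policy edit.
ENTRA_AUDIT = [{"activityDateTime": "2026-03-11T03:06:00Z", "category": "Policy",
                "activityDisplayName": "Update conditional access policy",
                "initiatedBy": {"user": {"userPrincipalName": ADMIN, "ipAddress": ATTACKER_IP}}}]

def baseline_ips(signins, before):
    """Per-user set of source IPs seen in sign-ins before `before` (the known-good baseline)."""
    seen = defaultdict(set)
    for s in signins:
        if ts(s["createdDateTime"]) < before:
            seen[s["userPrincipalName"]].add(s["ipAddress"])
    return seen

def hunt_mass_wipe(events, threshold=5, window=timedelta(minutes=30)):
    """Hypothesis 1: {actor: peak wipes within any `window`} for actors reaching `threshold`.
    A lone wipe is routine; a burst from one actor is the signal, hence a sliding window."""
    per_actor = defaultdict(list)
    for e in events:
        if e["activityType"].startswith("wipe "):
            per_actor[e["actor"]["userPrincipalName"]].append(ts(e["activityDateTime"]))
    hits = {}
    for upn, times in per_actor.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[upn] = best
    return hits

def hunt_privilege_changes(intune_events, entra_events):
    """Hypothesis 2: Intune RBAC changes plus Conditional Access edits, as (time, actor, activity)."""
    found = [(e["activityDateTime"], e["actor"]["userPrincipalName"], e["activityType"])
             for e in intune_events if e["componentName"] == "RoleBasedAccessControl"]
    found += [(e["activityDateTime"], e["initiatedBy"]["user"]["userPrincipalName"], e["activityDisplayName"])
              for e in entra_events
              if e["category"] == "Policy" and "conditional access" in e["activityDisplayName"].lower()]
    return sorted(found)

def hunt_anomalous_deployments(events, baseline, business_hours=(8, 18)):
    """Hypothesis 3: app/script deployments from a non-baseline IP or off-hours (hours in UTC)."""
    found = []
    for e in events:
        if e["componentName"] not in {"MobileApp", "DeviceManagementScript"}:
            continue
        upn, ip, when = e["actor"]["userPrincipalName"], e["actor"]["ipAddress"], ts(e["activityDateTime"])
        reasons = []
        if ip not in baseline.get(upn, set()):
            reasons.append(f"unfamiliar source IP {ip}")
        if not business_hours[0] <= when.hour < business_hours[1]:
            reasons.append(f"off-hours ({when.hour:02d}:00 UTC)")
        if reasons:
            found.append((e["activityDateTime"], upn, e["activityType"], reasons))
    return found

def run_hunts(now=datetime(2026, 3, 12, tzinfo=timezone.utc)):
    """Run all hunts; the IP baseline is built only from sign-ins older than 48 hours."""
    baseline = baseline_ips(SIGNINS, before=now - timedelta(hours=48))
    return {"mass_wipe": hunt_mass_wipe(INTUNE_AUDIT),
            "privilege_changes": hunt_privilege_changes(INTUNE_AUDIT, ENTRA_AUDIT),
            "anomalous_deployments": hunt_anomalous_deployments(INTUNE_AUDIT, baseline)}

if __name__ == "__main__":
    print(run_hunts())
```

Two design points carry over to a production query in Sentinel or another SIEM: the IP baseline is built only from sign-ins older than the window being investigated, otherwise the attacker's own sign-in would whitelist their address; and the wipe hunt uses a sliding window per actor rather than a daily count, so the helpdesk's single routine wipe is not flagged while a burst of six from one account is.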

Control Gaps

  • Lack of Multi Admin Approval for sensitive actions
  • Absence of phishing-resistant MFA for administrators
  • Over-privileged administrative accounts

Key Behavioral Indicators

  • Unusual administrative logins (impossible travel, unfamiliar IPs)
  • Modifications to Conditional Access policies
  • Mass device wipe commands
  • Creation or modification of Intune RBAC roles

False Positive Assessment

  • Low overall. The mass-wipe hypothesis is close to a true positive on its own; the RBAC/Conditional Access and deployment-spike hypotheses are rated Medium because routine administration produces the same events and they need the identity correlation above to become high-fidelity.

Recommendations

Immediate Mitigation

  • Enforce phishing-resistant MFA for all endpoint management administrators.
  • Configure Multi Admin Approval in Microsoft Intune for sensitive actions like device wiping, script deployment, and RBAC changes.
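A check for the first of these mitigations, as an added example that is not part of the alert: it places a weak Conditional Access policy (any MFA method) beside a hardened one (phishing-resistant authentication strength) and assesses whether the Intune Administrator role is actually covered by an enforced policy. The policy objects are constructed to mirror the Microsoft Graph identity/conditionalAccess/policies shape; the role template ID and the built-in authentication-strength ID are the author's understanding of the built-in values and are assumptions to verify in your tenant before relying on them.

```python
"""Check whether Conditional Access policies enforce phishing-resistant MFA for
Intune administrators. Added example, not part of the CISA alert. Policies are
constructed to mirror the Microsoft Graph identity/conditionalAccess/policies
shape; the role template ID and authentication-strength ID are the author's
understanding of the built-in values (assumptions to verify in the tenant)."""

INTUNE_ADMIN_ROLE = "3a2c62db-5318-420d-8d74-23affee5d9d5"      # Intune Administrator (assumed)
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"  # built-in strength (assumed)
ADMIN_SCOPE = {"users": {"includeRoles": [INTUNE_ADMIN_ROLE], "includeUsers": []},
               "applications": {"includeApplications": ["All"]}}

# Weak: the role is in scope, but the grant is the generic "mfa" control, which
# SMS, voice and push approvals satisfy; an adversary-in-the-middle phishing
# kit that relays the login passes it.
WEAK_POLICY = {"displayName": "Require MFA for Intune admins", "state": "enabled",
               "conditions": ADMIN_SCOPE,
               "grantControls": {"operator": "OR", "builtInControls": ["mfa"],
                                 "authenticationStrength": None}}

# Hardened: same scope, but the grant is the phishing-resistant authentication
# strength (FIDO2 security keys, Windows Hello for Business, certificate-based auth).
HARDENED_POLICY = {"displayName": "Require phishing-resistant MFA for Intune admins",
                   "state": "enabled", "conditions": ADMIN_SCOPE,
                   "grantControls": {"operator": "OR", "builtInControls": [],
                                     "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}}}

# Report-only copy of the hardened policy: correct settings, but not enforced.
REPORT_ONLY_POLICY = dict(HARDENED_POLICY, state="enabledForReportingButNotEnforced")


def covers_role(policy, role_id):
    """True if the policy scopes the given directory role or all users."""
    users = policy["conditions"]["users"]
    return role_id in users.get("includeRoles", []) or "All" in users.get("includeUsers", [])


def requires_phishing_resistant(policy):
    """True if the grant control is the phishing-resistant authentication strength."""
    strength = policy["grantControls"].get("authenticationStrength") or {}
    return strength.get("id") == PHISHING_RESISTANT_MFA


def assess(policies, role_id=INTUNE_ADMIN_ROLE):
    """Return (enforced, notes): enforced is True only if an enabled policy scopes the
    role (or all users) to all cloud apps and grants solely on phishing-resistant MFA."""
    enforced, notes = False, []
    for p in policies:
        name = p["displayName"]
        if not covers_role(p, role_id):
            continue
        if p["state"] != "enabled":
            notes.append(f"{name}: covers the role but state is {p['state']}, so it is not enforced")
        elif not requires_phishing_resistant(p):
            notes.append(f"{name}: grants on {p['grantControls'].get('builtInControls')}; "
                         "any registered MFA method, including phishable ones, satisfies it")
        elif "All" not in p["conditions"]["applications"].get("includeApplications", []):
            notes.append(f"{name}: not scoped to all cloud apps; admin portals outside the list are unprotected")
        else:
            enforced = True
            notes.append(f"{name}: enforces phishing-resistant MFA for the role")
    if not enforced:
        notes.append("control gap: no enforced policy requires phishing-resistant MFA for the role")
    return enforced, notes


if __name__ == "__main__":
    for ok, notes in (assess([WEAK_POLICY]), assess([WEAK_POLICY, REPORT_ONLY_POLICY, HARDENED_POLICY])):
        print(ok, *notes, sep="\n  ")
```

The same check should be repeated for every role that can act in Intune (Global Administrator at minimum), and real policies will carry excludeUsers entries for break-glass accounts; those exclusions are legitimate but should be enumerated in the same review, since an excluded account with the role is exactly the account an attacker would prefer to phish.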

Infrastructure Hardening

  • Implement Microsoft Intune Role-Based Access Control (RBAC) following the principle of least privilege.
  • Use Privileged Identity Management (PIM) in Entra ID so that the Intune Administrator role and the other privileged roles that can act on Intune are activated just-in-time with approval and expiry, rather than held as permanent assignments a stolen session can use at any hour.
  • Configure Microsoft Intune and Entra ID using zero trust principles, leveraging Conditional Access and risk signals.

User Protection

  • Use Intune scope tags and scope groups so that each administrative role can only see and act on the users and devices it needs to manage; a compromised regional helpdesk role should not be able to wipe or push scripts to every device in the tenant.

Security Awareness

  • Train administrators on the risks of advanced phishing techniques and the importance of privileged access hygiene.
  • Review and update incident response plans to include scenarios involving compromised endpoint management systems.

MITRE ATT&CK Mapping

  • T1078.004 - Valid Accounts: Cloud Accounts
  • T1485 - Data Destruction
  • T1562 - Impair Defenses