When Your IT Management Tool Becomes the Weapon


On 11 March 2026, medical technology company Stryker, a Fortune 500 business with 56,000 employees across 61 countries, suffered one of the most operationally destructive cyberattacks in recent memory. Over 200,000 devices were wiped. Offices in 79 countries, including Stryker's largest facility outside the United States in Cork, Ireland, went dark. Employees were instructed to disconnect everything immediately and not power on company-issued devices.

What makes this incident significant is not simply the scale. It is the method. According to reporting from KrebsOnSecurity, corroborated by employee accounts and an SEC filing from Stryker itself, the attackers did not deploy traditional malware. They allegedly compromised a privileged administrator account and used Microsoft Intune, Stryker's own mobile device management (MDM) platform, to issue remote wipe commands across the entire device fleet. No novel exploit. No sophisticated payload. Just admin credentials and a legitimate enterprise tool turned against its owner.

For organisations across Europe operating Microsoft 365 environments with Intune or equivalent MDM platforms, this is the attack scenario that demands immediate attention.

The Real Vulnerability: Admin Account Access

The Stryker incident exposes a fundamental truth about modern enterprise security: whoever controls the admin plane controls everything beneath it. An attacker with valid credentials to an Intune Administrator or Global Administrator account can issue wipe commands to every enrolled device in an organisation within minutes. No endpoint detection tool will flag it. It presents as a legitimate administrative action, because it is one, executed by the wrong person.

Threat intelligence firm Flashpoint noted that what made the Stryker incident particularly concerning was the apparent use of enterprise management infrastructure, potentially weaponising Microsoft Intune, to carry out destructive activity at scale.

The question for every IT and security leader in Europe is straightforward: what stands between an attacker and your MDM administrator console?

If the answer is a username, a password, and a software-based one-time password, that answer does not match the threat level you are now operating against.

Phishing-Resistant MFA Is Not Optional for Privileged Accounts

Not all multi-factor authentication provides equivalent protection. SMS one-time passwords and authenticator push notifications can both be defeated through SIM swapping, real-time adversary-in-the-middle phishing proxies, and MFA fatigue attacks. These are not theoretical risks. They are active techniques used by the threat actors behind incidents like Stryker.

Phishing-resistant MFA, specifically FIDO2 hardware security keys such as the YubiKey, operates on a fundamentally different model. The authentication is cryptographically bound to the specific origin of the service being accessed. A spoofed login page cannot complete the handshake. There is no code to intercept, no push notification to approve, no one-time password to harvest.

There is a second property of hardware security keys that is particularly critical for privileged account protection: physical presence.

When an administrator authenticates with a YubiKey, they must physically touch the device. The key must be in their hand, connected to their workstation, at the precise moment of authentication. This constraint makes remote account takeover categorically harder. An attacker who has obtained credentials through phishing or credential stuffing, operating from another continent, cannot complete the authentication. They do not have the physical token. They cannot simulate the touch.

For administrative accounts with the power to wipe an entire global device fleet, requiring physical presence at the point of authentication is not a supplementary control. It is a foundational one.
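To make the origin-binding and physical-presence points above concrete, here is an added example (not part of the original article) of the relying-party checks a WebAuthn server performs on a FIDO2 assertion before it even verifies the signature. The origin, RP ID and challenge are constructed values; it shows why an assertion produced on a look-alike domain fails and why one without the user-presence flag (no touch) is rejected.

```python
import base64
import hashlib
import json

EXPECTED_ORIGIN = "https://login.example.com"  # constructed relying-party origin
RP_ID = "login.example.com"                    # constructed RP ID (registrable suffix)

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def check_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes) -> list:
    """Return the names of failed pre-signature checks (empty list = all passed).
    The signature over auth_data || SHA-256(client_data_json) is verified afterwards
    and is omitted here."""
    failures = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        failures.append("type")
    # Challenge binds the assertion to this login attempt (replay protection).
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        failures.append("challenge")
    # The browser, not the page, writes origin: a proxy on another domain cannot forge it.
    if cd.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")
    # The authenticator hashes the RP ID it was asked for into the first 32 bytes.
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rpIdHash")
    # Flags byte: bit 0 = user present (the physical touch), bit 2 = user verified.
    if not auth_data[32] & 0x01:
        failures.append("user-presence")
    return failures

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON as a browser would produce it for a login ceremony."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()

def make_auth_data(rp_id: str, flags: int = 0x05) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags || 4-byte signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")
```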

Step-Up Authentication for Privileged Actions

Beyond securing the initial login session, organisations should implement step-up authentication for high-impact administrative actions. This requires a fresh, phishing-resistant authentication challenge at the point of performing a destructive or sensitive operation, independent of existing session state.

In practice: even if an attacker were to gain access to an active authenticated admin session, they cannot execute a bulk device wipe, modify Conditional Access policies, or alter global configuration settings without completing an additional hardware-key-bound challenge in that moment.

This is directly implementable across the Microsoft stack and other platforms:

  • Microsoft Entra ID Conditional Access: Build policies that require phishing-resistant MFA, with Authentication Strength set to "FIDO2 security key", specifically for access to the Intune admin centre, Entra admin centre, Azure portal, and Microsoft 365 admin centre. Scope these to privileged administrator accounts or Privileged Access Groups.
  • Privileged Identity Management (PIM): Require phishing-resistant MFA as an activation requirement for elevated roles including Global Administrator, Intune Administrator, Security Administrator, and Conditional Access Administrator. Roles are held inactive and must be explicitly activated with hardware key authentication on a just-in-time basis. This eliminates standing privileged access and dramatically reduces the window of exposure.
  • Authentication Strengths: Entra ID's Authentication Strengths feature allows definition of a named policy (for example, "Privileged Admin - FIDO2 Required") that mandates FIDO2 security key authentication and excludes weaker methods such as SMS or push notification. Apply this as the required authentication strength in Conditional Access rules targeting admin portals.
  • Jamf Pro, Workspace ONE, and other MDM platforms: Apply equivalent controls at the identity provider layer. Any account with MDM administrative capabilities, meaning the ability to enrol, wipe, or manage devices, should require hardware key authentication. Where the platform supports it, require re-authentication before bulk or destructive actions are executed.

Implementing YubiKey for Admin Account Protection

For organisations across Europe looking to implement hardware security key authentication for administrative accounts, the implementation path is practical:

  1. Map your blast-radius accounts: Global Administrators, Intune Administrators, Security Administrators, Exchange Administrators, and break-glass recovery accounts. These are your highest-priority targets. Start the rollout here.
  2. Register FIDO2 YubiKeys against each admin account in Entra ID. A minimum of two keys per administrator is recommended, one in daily use and one stored securely (typically in a physical safe) as a backup.
  3. Build Conditional Access policies enforcing Authentication Strength: FIDO2 for all admin portal access. Block legacy authentication protocols for privileged accounts entirely.
  4. Enable PIM for all privileged roles with phishing-resistant MFA required on activation. Set appropriate activation windows (four to eight hours is typical) and require justification and approval for sensitive role activations.
  5. Establish a regular audit cadence. Review active role assignments quarterly, convert permanent privileged access to PIM-eligible, and verify hardware key registrations are current for all admin accounts.
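As an added example (not from the original article or from Trust Panda), the Conditional Access policy described in the bullet list above expressed as the Microsoft Graph request body, followed by an audit helper for step 5 that lists privileged roles no enforced policy covers yet. The role template IDs and the built-in phishing-resistant strength ID are Microsoft's published values as I know them; the application alias MicrosoftAdminPortals and the policy schema are assumed from the Graph conditionalAccessPolicy resource, and the tenant policy list is constructed sample data.

```python
# Graph request body for the "Privileged Admin - FIDO2 Required" policy, plus an
# audit that lists privileged roles no enforced policy covers yet. Role template
# and strength IDs are Microsoft's published values; verify them in your tenant.
PRIVILEGED_ROLES = {
    "Global Administrator": "62e90394-69f5-4237-9190-012177145e10",
    "Intune Administrator": "3a2c62db-5318-420d-8d74-23affee5d9d5",
    "Security Administrator": "194ae4cb-b126-40b2-bd5b-6091b380977d",
    "Conditional Access Administrator": "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9",
}
# Built-in "Phishing-resistant MFA" strength: FIDO2/passkeys, WHfB, CBA only.
PHISHING_RESISTANT_STRENGTH = "00000000-0000-0000-0000-000000000004"
ADMIN_PORTALS = "MicrosoftAdminPortals"  # Graph alias for the admin centres

def build_admin_fido2_policy(role_ids, strength_id=PHISHING_RESISTANT_STRENGTH):
    """Body for POST /identity/conditionalAccess/policies."""
    return {
        "displayName": "Privileged Admin - FIDO2 Required",
        "state": "enabled",
        "conditions": {
            "users": {"includeRoles": sorted(role_ids)},
            "applications": {"includeApplications": [ADMIN_PORTALS]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "AND",
                          "authenticationStrength": {"id": strength_id}},
    }

def uncovered_roles(policies, role_ids, strength_id=PHISHING_RESISTANT_STRENGTH):
    """Roles with no enabled policy forcing the strength on admin portals (report-only does not count)."""
    covered = set()
    for p in policies:
        if p.get("state") != "enabled":
            continue
        strength = (p.get("grantControls") or {}).get("authenticationStrength") or {}
        if strength.get("id") != strength_id:
            continue
        conds = p.get("conditions", {})
        apps = conds.get("applications", {}).get("includeApplications", [])
        if ADMIN_PORTALS not in apps and "All" not in apps:
            continue
        covered.update(conds.get("users", {}).get("includeRoles", []))
    return sorted(r for r in role_ids if r not in covered)

# Constructed sample of GET /identity/conditionalAccess/policies output: one
# report-only policy for all four roles, one enforced policy for Global Admins only.
SAMPLE_TENANT_POLICIES = [
    dict(build_admin_fido2_policy(PRIVILEGED_ROLES.values()),
         state="enabledForReportingButNotEnforced"),
    build_admin_fido2_policy([PRIVILEGED_ROLES["Global Administrator"]]),
]
```

Running `uncovered_roles(SAMPLE_TENANT_POLICIES, PRIVILEGED_ROLES.values())` against this sample flags the Intune, Security and Conditional Access Administrator roles, because the only policy naming them is still report-only.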

For most Microsoft 365 environments this is achievable within days. The risk reduction to privileged account compromise is immediate and material.

The NIS2 Dimension

European organisations subject to the NIS2 Directive have additional regulatory context to consider. NIS2 Article 21 requires essential and important entities to implement multi-factor authentication or continuous authentication solutions as part of their cybersecurity risk management measures. The implementing guidelines from ENISA make clear that phishing-resistant authentication, not simply any form of MFA, is the expected standard for privileged access in high-risk environments.

The Stryker attack is precisely the scenario NIS2's risk management requirements are designed to guard against. An organisation's Intune or equivalent MDM administrator console is as critical an asset as any network perimeter system, arguably more so, because it provides authenticated, legitimate-looking access to wipe, configure, or reprovision every managed device in the estate.

National competent authorities across the EU are increasing their scrutiny of MFA implementation quality, not merely MFA adoption. Demonstrating that privileged accounts are protected with phishing-resistant hardware authentication is an increasingly expected element of NIS2 compliance documentation.

How Trust Panda Can Help

Trust Panda is a specialist identity security reseller operating across Europe, with deep expertise in YubiKey deployment, Conditional Access architecture, and phishing-resistant MFA implementation within Microsoft and other enterprise environments. We work with organisations across the EU, from mid-market businesses through to large enterprises, to design and implement privileged account protection programmes that align with NIS2 requirements and current threat realities.

If you would like to review your privileged account protection posture or discuss a YubiKey deployment, get in touch with our team.
