Inside the Italian Endpoint Meltdown: How a Single Compromised Account Wiped Out 12 Petabytes
Subtitle: A cyber assault on healthcare giant Stryker exposes the hidden dangers of unchecked admin power in Microsoft Intune, and why Italy’s CSIRT is demanding urgent reforms.
It began with a single, seemingly innocuous login. Within hours, tens of thousands of devices (laptops, servers, smartphones) across a major healthcare company had been remotely wiped, their data gone and their operations paralyzed. The culprit was not malware but the silent abuse of legitimate administrative powers within Microsoft Intune. The attack, analyzed in depth by Italy’s Computer Security Incident Response Team (CSIRT), has set off alarm bells across Europe and the United States, forcing organizations to reckon with the threats that sit inside their own IT back offices.
The Anatomy of an Invisible Hack
The March 2026 breach at Stryker reads like a cyber-thriller. Investigators determined that the attackers did not exploit any new software vulnerability. Instead, they relied on spear-phishing and social engineering to compromise an administrator account, using techniques such as MFA fatigue (bombarding an admin with push notifications until one is approved by mistake) and session hijacking (stealing an already-authenticated session token, which lets the attacker replay a session that has passed multi-factor authentication rather than defeat MFA itself). Once inside, they moved laterally and escalated privileges until they held a role with control of the Microsoft Intune console.
What followed was devastatingly simple: using legitimate Mobile Device Management (MDM) functions, they issued a Remote Wipe command across the company’s entire device fleet. Because every step used a standard admin function, the devices themselves never saw anything malicious: endpoint tools that rely on malware signatures or on-device behavioral heuristics had nothing to flag, and nothing was watching the management plane for an abnormal volume of wipe commands. In minutes, production processes and critical healthcare services ground to a halt, with 12 petabytes of data erased beyond recovery.
Mitigation: CSIRT’s Mandate for Multi-Admin Approval
CSIRT Italy’s response is unequivocal: organizations must enable Multi-Admin Approval (MAA) in Microsoft Intune. With MAA access policies in place, a high-impact operation (such as a device wipe, or a change to apps, scripts or role assignments) does not run when one administrator submits it; a second administrator from a designated approver group must approve the request, the requester cannot approve their own request, and every request and decision is recorded in the Intune audit log. The principle is simple: no single compromised account should be able to bring down an entire enterprise.
Other urgent recommendations: move administrators to phishing-resistant authentication (FIDO2 security keys or passkeys) so that MFA-fatigue prompts and stolen passwords lose their value; assign privileged roles just-in-time, so that the Intune administrator role is not permanently active on any account; enforce Conditional Access so that the admin portal is reachable only from compliant devices and expected locations; and monitor the audit logs for unusual activity spikes, above all a burst of wipe, retire or delete commands from a single account.
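A detector of the kind the last recommendation calls for, as an added example that is not from the CSIRT advisory or from any Microsoft tooling: it replays constructed Intune-style audit events (the field names are assumptions loosely modelled on the IntuneAuditLogs table, and the exact OperationName strings vary by tenant and export format) and flags any account that issues five or more wipe, retire or delete actions inside a ten-minute sliding window, while leaving routine single wipes spread across hours alone.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Operations that destroy data or management state. Assumed names: check the
# OperationName values in your own tenant's audit export before deploying.
DESTRUCTIVE_OPERATIONS = {"wipeManagedDevice", "retireManagedDevice", "deleteManagedDevice"}

# Constructed sample events (not real log data). Two routine wipes by a helpdesk
# admin hours apart, one harmless sync, then six wipes from a single account in
# under three minutes. Field names are modelled on IntuneAuditLogs but assumed.
SAMPLE_EVENTS = [
    '{"TimeGenerated": "2026-03-14T01:05:00+00:00", "Identity": "helpdesk@corp.example", "OperationName": "wipeManagedDevice", "Properties": {"TargetDisplayName": "LAPTOP-0417"}}',
    '{"TimeGenerated": "2026-03-14T01:20:00+00:00", "Identity": "helpdesk@corp.example", "OperationName": "syncDevice", "Properties": {"TargetDisplayName": "LAPTOP-0417"}}',
    '{"TimeGenerated": "2026-03-14T03:40:00+00:00", "Identity": "helpdesk@corp.example", "OperationName": "wipeManagedDevice", "Properties": {"TargetDisplayName": "LAPTOP-0912"}}',
    '{"TimeGenerated": "2026-03-14T02:10:00+00:00", "Identity": "intune.admin@corp.example", "OperationName": "wipeManagedDevice", "Properties": {"TargetDisplayName": "LAPTOP-1001"}}',
    '{"TimeGenerated": "2026-03-14T02:10:30+00:00", "Identity": "intune.admin@corp.example", "OperationName": "wipeManagedDevice", "Properties": {"TargetDisplayName": "LAPTOP-1002"}}',
    '{"TimeGenerated": "2026-03-14T02:11:00+00:00", "Identity": "intune.admin@corp.example", "OperationName": "wipeManagedDevice", "Properties": {"TargetDisplayName": "PHONE-2201"}}',
    '{"TimeGenerated": "2026-03-14T02:11:40+00:00", "Identity": "intune.admin@corp.example", "OperationName": "retireManagedDevice", "Properties": {"TargetDisplayName": "PHONE-2202"}}',
    '{"TimeGenerated": "2026-03-14T02:12:15+00:00", "Identity": "intune.admin@corp.example", "OperationName": "wipeManagedDevice", "Properties": {"TargetDisplayName": "LAPTOP-1003"}}',
    '{"TimeGenerated": "2026-03-14T02:13:00+00:00", "Identity": "intune.admin@corp.example", "OperationName": "wipeManagedDevice", "Properties": {"TargetDisplayName": "LAPTOP-1004"}}',
]


def parse_event(line: str) -> dict:
    """Reduce one JSON audit line to the fields the detector needs."""
    raw = json.loads(line)
    return {
        "time": datetime.fromisoformat(raw["TimeGenerated"]),
        "actor": raw["Identity"],
        "operation": raw["OperationName"],
        "target": raw.get("Properties", {}).get("TargetDisplayName", "?"),
    }


def detect_mass_wipe(lines, threshold: int = 5, window_minutes: int = 10) -> list:
    """Return one alert per actor who issued at least `threshold` destructive
    operations within any sliding window of `window_minutes`.

    Events are sorted by time first, so out-of-order log delivery does not
    hide a burst. The per-actor deque holds only events still inside the
    window; once an actor crosses the threshold, the alert keeps growing with
    every further destructive action so the final count reflects the burst.
    """
    window = timedelta(minutes=window_minutes)
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["time"])
    recent = defaultdict(deque)  # actor -> destructive events inside the window
    alerts = {}                  # actor -> alert record
    for ev in events:
        if ev["operation"] not in DESTRUCTIVE_OPERATIONS:
            continue
        q = recent[ev["actor"]]
        q.append(ev)
        while ev["time"] - q[0]["time"] > window:
            q.popleft()
        if len(q) < threshold:
            continue
        if ev["actor"] not in alerts:
            alerts[ev["actor"]] = {
                "actor": ev["actor"],
                "first": q[0]["time"],
                "targets": [e["target"] for e in q],
            }
        else:
            alerts[ev["actor"]]["targets"].append(ev["target"])
        alerts[ev["actor"]]["last"] = ev["time"]
        alerts[ev["actor"]]["count"] = len(alerts[ev["actor"]]["targets"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mass_wipe(SAMPLE_EVENTS):
        print(f"ALERT {alert['actor']}: {alert['count']} destructive actions "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S} "
              f"on {', '.join(alert['targets'])}")
```

Run against the constructed events, the helpdesk account (two wipes 2.5 hours apart) produces nothing and the burst account produces a single alert covering all six devices. The threshold and window are the tuning knobs: set them just above what a genuine lost-device or offboarding workflow ever generates in your tenant, and remember that detection only shortens the blast radius; the approval gate that MAA puts in front of the wipe is what stops the first device from being erased at all.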
International agencies are taking note. The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are now coordinating with European partners to uncover further threats and refine mitigation strategies. The message is clear: in the era of cloud management, the most dangerous attacks may not come from rogue code, but from the misuse of trusted tools.
Conclusion: Trust, But Verify-Always
The Stryker incident is a stark reminder that convenience and centralized control, when left unchecked, can become existential liabilities. As organizations worldwide rush to the cloud, the real question is not only how to keep attackers out, but how to keep insiders, or those masquerading as insiders, from turning legitimate privileges into weapons of mass disruption. The era of “one admin to rule them all” is over, at least for those who heed the warning.
WIKICROOK
- Endpoint Management: Endpoint management lets organizations monitor, secure, and control all network-connected devices, such as computers and smartphones, from one central platform.
- Multi-Admin Approval (MAA): Multi-Admin Approval is an Intune access-policy feature under which a sensitive operation submitted by one administrator does not take effect until a different administrator from a designated approver group approves it.
- MFA Fatigue: MFA Fatigue is when attackers overwhelm users with repeated authentication requests, hoping users approve one out of frustration or confusion.
- Remote Wipe: Remote wipe allows administrators to erase data from devices remotely, protecting sensitive information if a device is lost, stolen, or compromised.
- Privileged Identity Management (PIM): Privileged Identity Management (PIM) secures and monitors high-level accounts, limiting access and reducing risks of unauthorized actions or data breaches.