Mass erasing in the cloud and the risk of endpoints management

Published · 5 min read · 130 reads

On the morning of March 11, one of the major health sector companies was left with major disruptions: thousands of cloud-managed devices were remotely wiped and, according to statements from the group that claimed the attack, terabytes of information were deleted. What distinguishes this incident from other malware attacks is that the attackers did not need to deploy a worm or ransomware on each machine; they took advantage of the administrative capabilities of a cloud endpoint management tool to carry out a mass wipe.

The tool in question is Microsoft Intune, a service that many organizations use to control and protect corporate devices. Intune includes legitimate and powerful functions, such as the ability to remotely wipe data from a device to protect assets when it is lost or stolen. But that same capability can become a vector of damage if an attacker obtains administrative privileges. Specialized media have reported on what happened at Stryker; an analysis of the chronology and the techniques used can be found at BleepingComputer.


Following the incident, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued a notice urging organizations of all kinds to strengthen their endpoint management systems. In this statement the agency recommends hardening measures that go beyond a single product: it is about applying administrative security principles to reduce the attack surface and contain the impact if an account is compromised. The CISA text is available as a public alert.

Microsoft, for its part, published specific guidance to protect Intune environments and better control who can perform critical actions from the cloud. Its recommendations underline the need to move from relying on "trusted" administrators to designing secure administration from the outset: minimize privileges, verify identity with modern controls and require approvals for sensitive operations. Microsoft's official guidelines for hardening Intune can be found on its technical blog at Tech Community, and the documentation on the remote wipe function is in the Intune documentation on Microsoft Learn.

What practical lessons does this incident leave? First, role and permission management must follow the principle of least privilege: not all administrators need global access. Implementing role-based access controls and avoiding accounts with excessive permissions reduces an attacker's ability to cause mass damage with a single compromised account. Second, the protection of privileged accounts must be far more demanding: multifactor authentication, conditional access policies that evaluate the login context and just-in-time privileged access mechanisms are layers that complicate the work of anyone who tries to escalate or usurp privileges.

It is also crucial to establish administrative barriers for the operations that can have the greatest impact: wipe actions, changes to role policies or global updates should be subject to double-approval mechanisms or control flows involving several responsible people. In parallel, telemetry, audit logs and real-time alerts allow early detection of lateral movement or the creation of suspicious accounts; without adequate telemetry, an intruder can create an administrator and act without being seen.
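Detection logic of the kind the two paragraphs above call for, as an added example that is not code from the article, Microsoft or CISA: it replays constructed audit events (a made-up JSON shape, not the real Intune or Entra audit schema) and raises an alert when one identity issues a burst of remote wipes inside a short window, or when an account is granted a privileged administrator role.

```python
# Added example, not code from the article, Microsoft or CISA: a small detector
# that scans endpoint-management audit events for two of the high-impact
# patterns the article describes, a burst of remote wipe commands issued by one
# identity and an account being granted a privileged administrative role.
# The JSON event shape is constructed for illustration; it is NOT the real
# Intune or Entra audit log schema.
import json
from collections import defaultdict
from datetime import datetime, timedelta

WIPE_BURST_THRESHOLD = 5            # wipes by one actor inside WIPE_WINDOW
WIPE_WINDOW = timedelta(minutes=10)
PRIVILEGED_ROLES = {"Intune Administrator", "Global Administrator"}

# Constructed sample events, one JSON object per line.
SAMPLE_LOG = """
{"time":"2026-03-11T06:00:00Z","actor":"svc-helpdesk@example.test","action":"AddRoleMember","target":"ops-temp@example.test","role":"Intune Administrator"}
{"time":"2026-03-11T06:02:00Z","actor":"ops-temp@example.test","action":"RemoteWipe","target":"LAPTOP-0001"}
{"time":"2026-03-11T06:03:00Z","actor":"ops-temp@example.test","action":"RemoteWipe","target":"LAPTOP-0002"}
{"time":"2026-03-11T06:04:00Z","actor":"ops-temp@example.test","action":"RemoteWipe","target":"LAPTOP-0003"}
{"time":"2026-03-11T06:05:00Z","actor":"ops-temp@example.test","action":"RemoteWipe","target":"LAPTOP-0004"}
{"time":"2026-03-11T06:06:00Z","actor":"ops-temp@example.test","action":"RemoteWipe","target":"LAPTOP-0005"}
{"time":"2026-03-11T06:30:00Z","actor":"it-admin@example.test","action":"RemoteWipe","target":"PHONE-0042"}
"""

def parse_events(text):
    """Parse newline-delimited JSON events and sort them by time."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["time"])

def detect(events):
    """Return alert strings for privileged role grants and wipe bursts."""
    alerts = []
    wipes_by_actor = defaultdict(list)   # actor -> wipe timestamps still in window
    burst_alerted = set()                # actors already reported for a burst
    for event in events:
        if event["action"] == "AddRoleMember" and event.get("role") in PRIVILEGED_ROLES:
            alerts.append(f"PRIV_GRANT {event['actor']} granted {event['role']} to {event['target']}")
        elif event["action"] == "RemoteWipe":
            actor = event["actor"]
            # Slide the window: drop this actor's wipes older than WIPE_WINDOW.
            recent = [t for t in wipes_by_actor[actor] if event["time"] - t <= WIPE_WINDOW]
            recent.append(event["time"])
            wipes_by_actor[actor] = recent
            if len(recent) >= WIPE_BURST_THRESHOLD and actor not in burst_alerted:
                burst_alerted.add(actor)
                alerts.append(f"WIPE_BURST {actor} issued {len(recent)} wipes within {WIPE_WINDOW}")
    return alerts
```

The single wipe by it-admin at 06:30 is the legitimate lost-device case and produces no alert, while the role grant and the five wipes in four minutes by the newly privileged account each do.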

The actor who claimed the intrusion, known as Handala among other aliases, is described by analysts as a hacktivist group with links to Iranian state structures and a history of using wiper malware in previous campaigns. Research and context reports on this group and its recent operations can be found in the analysis by Palo Alto Networks Unit 42 and its report on Iranian attacks in 2026. The pattern Handala shows - exfiltration followed by defacement or data wiping - is especially dangerous for critical organizations where the availability and integrity of information are vital.


Beyond the adversary's techniques and tactics, there is an organizational dimension that deserves attention: recovery testing and contingency plans. Having a system that allows remote wiping does not replace robust backup policies, network segmentation and verifiable recovery procedures. Testing compromise scenarios, regularly reviewing permissions and keeping protected break-glass accounts are practices that help restore operations at lower cost when something fails.

The message from authorities and vendors is clear and urgent: powerful tools in legitimate hands make management easier, but in the hands of a privileged attacker they can bring operations to a massive halt. For this reason, in addition to implementing the recommendations published by Microsoft and CISA, security teams should review their configurations, audit recent access and add extra controls for critical actions. Cloud security is both a technical and a process matter; the combination of the two is what actually reduces the risk.

If your organization uses Intune or any endpoint management platform, it is advisable to review the guides mentioned above, verify roles and authentication, and coordinate with the risk and continuity area to ensure that recovery capacity exists. Consulting the official sources will give you a solid reference for prioritizing measures: the Microsoft guide, the CISA alert and technical reports on the actor behind the attack, such as the one from Unit 42, are good starting points for understanding the scope and applying effective defenses.
