
CISA Warns of Endpoint Management Attacks Following Stryker Incident, Urges Zero Trust and Intune Hardening

  • Mar 22
  • 3 min read

Federal cybersecurity officials are raising alarms over a growing wave of attacks targeting endpoint management systems across U.S. organizations, following a high-profile breach involving medical technology firm Stryker earlier this month.


The Cybersecurity and Infrastructure Security Agency (CISA) confirmed it is actively tracking malicious activity that abuses legitimate endpoint management tools to gain control over enterprise environments. The advisory comes as investigators continue to assess the broader implications of the March 11 incident, which disrupted parts of Stryker’s Microsoft infrastructure and exposed weaknesses in how organizations secure administrative access.


At the center of the warning is a shift in attacker behavior. Rather than relying solely on traditional malware or external exploits, threat actors are increasingly abusing trusted management platforms such as Microsoft Intune: once an account with administrative rights to the platform is compromised, its built-in capabilities let the attacker move laterally, escalate privileges, and carry out high-impact actions such as device wipes or configuration changes without deploying any malware of their own.


CISA is now urging organizations to rethink how these systems are configured, emphasizing that endpoint management tools have effectively become a new control plane for enterprise security.


The agency’s guidance focuses heavily on reducing unnecessary access and tightening identity controls. Organizations are advised to adopt least privilege principles across administrative roles, ensuring users only have the permissions required for specific tasks. Role-based access control should be carefully implemented to limit both the scope of actions and the systems those actions can affect.


Another major priority is strengthening authentication. CISA recommends enforcing phishing-resistant multi-factor authentication (in Entra ID, that means FIDO2 security keys, Windows Hello for Business, or certificate-based authentication rather than push notifications or one-time codes) across all privileged accounts, alongside Conditional Access policies and risk-based signals within Microsoft Entra ID to block unauthorized access attempts.


One of the more notable recommendations involves introducing “multi-admin approval” workflows. This approach requires a second authorized administrator to approve sensitive operations before they take effect (in Intune, access policies of this kind can cover changes such as app deployments, scripts and role assignments), creating a built-in safeguard against both accidental and malicious changes to critical systems, including changes made from a single compromised admin account.


Security experts say these measures reflect a broader industry shift toward zero trust architectures, where no user or system is inherently trusted without verification.


“It’s encouraging to see companies, large and small, responding to cybersecurity risk at this fundamental level. We’ve encouraged endpoint (MxDR) protection to improve visibility around the clock and to blend the best artificial intelligence and deep human experience to shut down problems before they spread. The technology is affordable enough now that smaller and midsize hospitals and companies can take advantage of technology that wasn’t available for civilian use three years ago. It’s wonderful to see CISA responding to real threats despite the cuts they’ve weathered recently. We appreciate any support in protecting organizations across the homeland.”


Aaron Warner, CEO of ProCircular, points to the growing accessibility of advanced detection and response capabilities as a key factor in helping organizations close these gaps.


Still, some experts argue the guidance may not go far enough.


“CISA continues to put out on-point guidance, which mirrors some previously published by ProCircular’s Keegan Paisley and Willie Zhang on implementing dual controls where supported with Intune’s multi-admin approval workflows. I wonder if they’re going far enough in their recommendations, though.


The industry has strongly recommended that people with elevated privileges have separate accounts for such, enforcing a separation between the administrative user login and the “daily driver” where they get bombarded with email, instant messaging, and the like. Why aren’t we seeing recommendations for separation of the underlying computer as well? Organizations can use conditional access to restrict where a user can log in from… how much more difficult would it be for an attacker to compromise an administrator account that can only log in from a machine that has no email, no instant messaging, and the like? Microsoft provides guidance in their article on Securing Privileged Access.


Yes, these types of setups impose friction and cost on an organization. However, they also impose cost on the threat actors… and that ultimately has a good ROI.”


Bobby Kuzma, Director of Offensive Operations at ProCircular, highlights the need for stricter operational separation, including the use of dedicated secure workstations for privileged access.
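As an added illustration of the two controls discussed above (the phishing-resistant MFA and Conditional Access recommendations in CISA's guidance, and Kuzma's point about restricting privileged sign-ins to a dedicated workstation), the following Python is not code from the article, CISA, Microsoft or ProCircular. It builds the two Conditional Access policy bodies a tenant would need (a block for privileged roles on anything that is not a tagged Privileged Access Workstation, and a requirement for a compliant device plus the phishing-resistant authentication strength) and audits an exported policy set for roles that lack either control. The payload field names follow the Microsoft Graph conditionalAccessPolicy schema as I understand it, the authentication strength and role template IDs are the documented built-in values as I recall them, and the `extensionAttribute1 = "PAW"` device tag and the sample policy export are constructed for the example; verify all of these against current Graph documentation and your own tenant before creating anything.

```python
import json

# Built-in Entra ID directory role template IDs (documented values as I recall them; verify).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
INTUNE_ADMIN = "3a2c62db-5318-420d-8d74-23affee5d9d5"
# Built-in "Phishing-resistant MFA" authentication strength ID (documented value; verify).
PHISHING_RESISTANT = "00000000-0000-0000-0000-000000000004"
# Constructed convention: Privileged Access Workstations are tagged in extensionAttribute1.
PAW_RULE = 'device.extensionAttribute1 -eq "PAW"'


def _base(name, roles, state):
    # Policies default to report-only so the sign-in log can be reviewed before enforcement.
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeRoles": list(roles)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
    }


def paw_block_policy(roles, state="enabledForReportingButNotEnforced"):
    """Block privileged roles on every device that does NOT match the PAW filter.
    Exclude mode also matches unregistered devices, so a home laptop is blocked too."""
    policy = _base("Privileged roles: block sign-in outside a PAW", roles, state)
    policy["conditions"]["devices"] = {"deviceFilter": {"mode": "exclude", "rule": PAW_RULE}}
    policy["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return policy


def strength_policy(roles, state="enabledForReportingButNotEnforced"):
    """Require a compliant device AND phishing-resistant MFA for privileged roles."""
    policy = _base("Privileged roles: compliant device + phishing-resistant MFA", roles, state)
    policy["grantControls"] = {
        "operator": "AND",
        "builtInControls": ["compliantDevice"],
        "authenticationStrength": {"id": PHISHING_RESISTANT},
    }
    return policy


def _targets_role(policy, role):
    users = policy.get("conditions", {}).get("users", {})
    return role in users.get("includeRoles", []) or users.get("includeUsers") == ["All"]


def _all_apps(policy):
    apps = policy.get("conditions", {}).get("applications", {})
    return apps.get("includeApplications") == ["All"]


def _blocks_non_paw(policy):
    flt = policy.get("conditions", {}).get("devices", {}).get("deviceFilter", {})
    grant = policy.get("grantControls") or {}
    return (flt.get("mode") == "exclude" and flt.get("rule") == PAW_RULE
            and "block" in grant.get("builtInControls", []))


def _requires_phishing_resistant(policy):
    grant = policy.get("grantControls") or {}
    return (grant.get("authenticationStrength") or {}).get("id") == PHISHING_RESISTANT


def privileged_role_gaps(policies, roles):
    """Map each role to the controls no *enabled*, all-apps policy provides for it.
    Report-only policies deliberately do not count: they log, they do not stop anyone."""
    checks = {"paw_block": _blocks_non_paw, "phishing_resistant_mfa": _requires_phishing_resistant}
    gaps = {}
    for role in roles:
        live = [p for p in policies
                if p.get("state") == "enabled" and _all_apps(p) and _targets_role(p, role)]
        missing = [name for name, check in checks.items() if not any(check(p) for p in live)]
        if missing:
            gaps[role] = missing
    return gaps


# Constructed sample export: the Intune admin block was left in report-only mode.
SAMPLE_EXPORT = [
    paw_block_policy([GLOBAL_ADMIN], state="enabled"),
    paw_block_policy([INTUNE_ADMIN]),
    strength_policy([GLOBAL_ADMIN, INTUNE_ADMIN], state="enabled"),
]

if __name__ == "__main__":
    print(json.dumps(paw_block_policy([GLOBAL_ADMIN, INTUNE_ADMIN]), indent=2))
    print(privileged_role_gaps(SAMPLE_EXPORT, [GLOBAL_ADMIN, INTUNE_ADMIN]))
```

The audit deliberately treats `enabledForReportingButNotEnforced` as no coverage: a common failure mode is a policy set that looks complete in the portal but was never switched to enforce. A real export would come from `GET /identity/conditionalAccess/policies` (or `Get-MgIdentityConditionalAccessPolicy`), and an emergency-access account should be excluded from the block policy before it is enabled so a mis-tagged PAW cannot lock every administrator out.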


CISA says it is coordinating with federal partners including the FBI to identify additional threats and refine mitigation strategies. The agency is also directing organizations to Microsoft’s latest security best practices for Intune, along with its own guidance on phishing-resistant authentication.


The warning underscores a larger trend shaping enterprise cybersecurity in 2026. As identity and device management platforms become more powerful, they are also becoming prime targets. Securing them is no longer optional. It is foundational to defending modern digital infrastructure.
