When Your IT Management Tool Becomes the Weapon


On 11 March 2026, medical technology company Stryker, a Fortune 500 business with 56,000 employees across 61 countries, suffered one of the most operationally destructive cyberattacks in recent memory. Over 200,000 devices were wiped. Offices in 79 countries went dark. Employees were told to disconnect everything immediately and not turn on company-issued devices.

What makes this incident worth examining isn't the scale alone. It's the method. According to reporting from KrebsOnSecurity and corroborated by employee accounts, the attackers did not deploy traditional malware. They allegedly compromised a privileged administrator account and used Microsoft Intune, Stryker's own mobile device management (MDM) platform, to issue remote wipe commands across the entire fleet. No novel exploit. No sophisticated payload. Just admin credentials and a legitimate enterprise tool turned against its owner.

This is the attack pattern every New Zealand organisation running Microsoft 365 and Intune should be thinking about today.

The Real Vulnerability: Admin Account Access

The Stryker incident makes a fundamental truth hard to ignore: whoever controls the admin plane controls everything beneath it. An attacker with valid credentials to an Intune Administrator or Global Administrator account can issue wipe commands to every enrolled device in minutes. No endpoint detection tool will flag it. No antivirus will intervene. It presents as a legitimate administrative action, because it is one, executed by the wrong person.

The question for every IT manager and business owner in New Zealand is simple: what stands between an attacker and your MDM admin console?

If the answer is a username, a password and an SMS code, or worse, credentials alone, that answer is not sufficient.

Phishing-Resistant MFA Is Not Optional for Privileged Accounts

Not all multi-factor authentication is equal. SMS one-time passwords and authenticator app push notifications can both be defeated via SIM swapping, real-time phishing proxies, and MFA fatigue attacks (push bombing). These are not theoretical vulnerabilities; they are documented techniques used by the same category of threat actors behind incidents like Stryker.

Phishing-resistant MFA, specifically FIDO2 hardware security keys such as the YubiKey, operates on a fundamentally different model. Authentication is cryptographically bound to the specific origin of the service. A spoofed login page cannot complete the handshake. There is no code to intercept, no push to approve, no one-time password to harvest.

There is a second property of hardware keys that matters greatly for privileged account protection: physical presence.

When an administrator authenticates with a YubiKey, they must physically touch the device. The key must be in their hand, connected to their machine, at the moment of authentication. This single constraint makes remote account takeover categorically harder. An attacker operating from overseas who has obtained credentials cannot complete the authentication. They don't have the physical token, and they cannot fake the touch.

For administrative accounts capable of wiping an entire device fleet, this physical presence requirement is a fundamental control, not an optional enhancement.
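The two properties above, origin binding and physical presence, are things the identity provider checks on every login, not just marketing language. The following added example (written for this article, not code from Microsoft, Yubico or any identity provider) shows the relying-party side of a WebAuthn/FIDO2 assertion with Python's standard library only. The RP ID and origin (`login.example.com`) and the sample assertions are constructed for the demonstration; the ECDSA signature check is deliberately left out because it needs the public key stored at enrolment, but the code shows why the origin is covered by that signature.

```python
import hashlib
import json
import struct

# Relying-party settings. The hostname is an assumption for this example and
# stands in for whatever the organisation's identity provider actually uses.
EXPECTED_RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"

FLAG_USER_PRESENT = 0x01   # bit 0 of the flags byte: the key was physically touched
FLAG_USER_VERIFIED = 0x04  # bit 2: a PIN or biometric was also checked


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData: rpIdHash, flags, signCount."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": auth_data[:32], "flags": auth_data[32], "sign_count": sign_count}


def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: str, last_sign_count: int) -> tuple:
    """Relying-party checks on a WebAuthn assertion, returning (accepted, reason)."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or a different session)"
    # The browser writes the page's real origin here; a look-alike domain cannot
    # produce the expected value, which is what makes the credential phishing-resistant.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: %r" % client_data.get("origin")
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not parsed["flags"] & FLAG_USER_PRESENT:
        return False, "user-presence flag clear: the key was not touched"
    if parsed["sign_count"] != 0 and parsed["sign_count"] <= last_sign_count:
        return False, "signature counter did not increase (possible cloned key)"
    return True, "ok"


def signed_payload(client_data_json: bytes, auth_data: bytes) -> bytes:
    """The bytes the authenticator signs: authData || SHA-256(clientDataJSON).
    The origin sits inside clientDataJSON, so it is covered by the signature.
    Verifying the ECDSA signature itself needs the public key stored at
    enrolment and is left out of this example."""
    return auth_data + hashlib.sha256(client_data_json).digest()


# --- constructed sample assertions (not captured from a real authenticator) ---

def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def make_client_data(origin: str, challenge: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed; a real challenge is random per login

if __name__ == "__main__":
    touched = FLAG_USER_PRESENT | FLAG_USER_VERIFIED
    # Genuine login from the real sign-in page, key touched, counter advanced.
    print(verify_assertion(make_client_data(EXPECTED_ORIGIN, CHALLENGE),
                           make_auth_data(EXPECTED_RP_ID, touched, 42), CHALLENGE, 41))
    # Same challenge relayed through a look-alike page: the browser records that
    # page's origin, so the relying party rejects it.
    print(verify_assertion(make_client_data("https://login-example.com", CHALLENGE),
                           make_auth_data(EXPECTED_RP_ID, touched, 42), CHALLENGE, 41))
    # Assertion with the user-presence flag clear: no touch, no login.
    print(verify_assertion(make_client_data(EXPECTED_ORIGIN, CHALLENGE),
                           make_auth_data(EXPECTED_RP_ID, FLAG_USER_VERIFIED, 42), CHALLENGE, 41))
```

The second case is the one that matters for admin accounts: a stolen password plus a relayed challenge still fails, because the origin the browser records is part of what the key signs and the relying party compares it to its own. The third case is the physical-presence property: an authenticator reports the touch in the flags byte, and the relying party refuses an assertion without it.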

Step-Up Authentication for Privileged Actions

Beyond securing the initial login, organisations should implement step-up authentication for high-impact administrative actions. This means requiring a fresh, phishing-resistant authentication challenge at the point of performing a destructive or sensitive operation, regardless of existing session state.

In practice: even if an attacker somehow gains access to an authenticated admin session, they still cannot execute a bulk device wipe, modify access policies, or make global configuration changes without completing an additional hardware-key-bound challenge at that moment.

This is directly implementable in the Microsoft stack:

  • Microsoft Entra ID Conditional Access: Build policies requiring phishing-resistant MFA (Authentication Strength: FIDO2 security key) specifically for access to the Intune admin centre, Entra admin centre, and Azure portal. Scope to privileged admin accounts.
  • Privileged Identity Management (PIM): Require phishing-resistant MFA as a condition for activating elevated roles including Global Administrator, Intune Administrator, and Security Administrator. Roles sit inactive and must be explicitly activated with hardware key authentication. This limits standing privileged access.
  • Authentication Strengths: Use Entra ID's Authentication Strengths feature to define a named policy (e.g., "Privileged Admin MFA") that requires FIDO2 and excludes weaker methods. Apply this within Conditional Access rules targeting admin portals.
  • Other MDM platforms: Organisations running Jamf Pro, Workspace ONE, or similar should apply equivalent controls at the identity provider level, enforcing hardware key authentication for any account with device management capabilities.

Implementing YubiKey for Admin Account Protection

For New Zealand organisations looking to implement hardware security key authentication for administrative accounts, the approach is practical and achievable:

  1. Identify your highest-risk accounts. Global Administrators, Intune Administrators, Security Administrators, Exchange Administrators, and break-glass accounts are your blast radius accounts. Start here.
  2. Register FIDO2 YubiKeys against each admin account in Entra ID. Minimum two keys per administrator, one for daily use and one stored securely as a backup.
  3. Build Conditional Access policies enforcing Authentication Strength: FIDO2 for access to admin portals. Block legacy authentication protocols for privileged accounts entirely.
  4. Enable PIM for all privileged roles and require phishing-resistant MFA on activation. Set appropriate activation windows (4-8 hours is typical) to limit standing access.
  5. Audit and maintain. Regularly review role assignments, identify accounts with permanent privileged access that should move to PIM-eligible, and confirm hardware key registrations are current.
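Step 5 is where most tenants drift: a Conditional Access policy sits in report-only mode, a new role is added that the policy does not target, or a permanent assignment is granted outside PIM. The added example below (written for this article, not Microsoft code) audits exported Entra data for exactly the two gaps the bullets above describe: privileged roles that no enabled policy forces to the built-in "Phishing-resistant MFA" authentication strength on the Microsoft admin portals, and standing (non-PIM) assignments to those roles. The input objects are simplified forms of the Microsoft Graph `conditionalAccessPolicy` and `unifiedRoleAssignmentSchedule` resources; the sample data is constructed, and the field names used should be checked against a real export from your own tenant before relying on the script.

```python
import json

# Built-in Entra ID authentication strength "Phishing-resistant MFA".
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"
# Application targets that cover the Intune, Entra and Azure admin portals.
ADMIN_PORTAL_TARGETS = {"MicrosoftAdminPortals", "All"}

# Role template IDs for the roles this article names (Exchange added for completeness).
PRIVILEGED_ROLES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "3a2c62db-5318-420d-8d74-23affee5d9d5": "Intune Administrator",
    "194ae4cb-b126-40b2-bd5b-6091b380977d": "Security Administrator",
    "29232cdf-9323-42fd-ade2-1d097af3e4de": "Exchange Administrator",
}


def policy_enforces_phishing_resistant(policy: dict) -> bool:
    """True if the policy is enabled, targets an admin-portal app and grants only
    on the phishing-resistant authentication strength."""
    if policy.get("state") != "enabled":          # report-only policies do not protect anything
        return False
    grant = policy.get("grantControls") or {}
    if (grant.get("authenticationStrength") or {}).get("id") != PHISHING_RESISTANT_STRENGTH_ID:
        return False
    apps = (policy.get("conditions") or {}).get("applications") or {}
    return bool(set(apps.get("includeApplications") or []) & ADMIN_PORTAL_TARGETS)


def roles_covered_by(policy: dict) -> set:
    """Privileged roles that fall inside the policy's user scope."""
    users = (policy.get("conditions") or {}).get("users") or {}
    if "All" in (users.get("includeUsers") or []):
        return set(PRIVILEGED_ROLES)
    return set(users.get("includeRoles") or []) & set(PRIVILEGED_ROLES)


def uncovered_roles(policies: list) -> list:
    """Privileged roles no enabled policy forces to FIDO2 on the admin portals."""
    covered = set()
    for policy in policies:
        if policy_enforces_phishing_resistant(policy):
            covered |= roles_covered_by(policy)
    return sorted(PRIVILEGED_ROLES[r] for r in set(PRIVILEGED_ROLES) - covered)


def standing_privileged_assignments(schedules: list) -> list:
    """Permanent, non-PIM assignments to privileged roles, as (principal, role) pairs.
    PIM activations show up as assignmentType 'Activated' with an expiry and are skipped."""
    findings = []
    for s in schedules:
        role = PRIVILEGED_ROLES.get(s.get("roleDefinitionId"))
        expiry = ((s.get("scheduleInfo") or {}).get("expiration") or {}).get("type")
        if role and s.get("assignmentType") == "Assigned" and expiry == "noExpiration":
            findings.append((s["principalId"], role))
    return sorted(findings)


# --- constructed sample export (not from a real tenant) ---
SAMPLE_POLICIES = json.loads("""[
  {"displayName": "Admin portals - FIDO2 only", "state": "enabled",
   "conditions": {"users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10",
                                             "3a2c62db-5318-420d-8d74-23affee5d9d5"]},
                  "applications": {"includeApplications": ["MicrosoftAdminPortals"]}},
   "grantControls": {"operator": "OR",
                     "authenticationStrength": {"id": "00000000-0000-0000-0000-000000000004"}}},
  {"displayName": "Security admins - FIDO2 (pilot)", "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeRoles": ["194ae4cb-b126-40b2-bd5b-6091b380977d"]},
                  "applications": {"includeApplications": ["MicrosoftAdminPortals"]}},
   "grantControls": {"operator": "OR",
                     "authenticationStrength": {"id": "00000000-0000-0000-0000-000000000004"}}}
]""")

SAMPLE_SCHEDULES = json.loads("""[
  {"principalId": "user-ga-0001", "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
   "assignmentType": "Assigned", "scheduleInfo": {"expiration": {"type": "noExpiration"}}},
  {"principalId": "user-it-0002", "roleDefinitionId": "3a2c62db-5318-420d-8d74-23affee5d9d5",
   "assignmentType": "Activated", "scheduleInfo": {"expiration": {"type": "afterDateTime"}}},
  {"principalId": "user-bg-0001", "roleDefinitionId": "29232cdf-9323-42fd-ade2-1d097af3e4de",
   "assignmentType": "Assigned", "scheduleInfo": {"expiration": {"type": "noExpiration"}}}
]""")

if __name__ == "__main__":
    print("Roles without enforced phishing-resistant MFA on admin portals:")
    for role in uncovered_roles(SAMPLE_POLICIES):
        print("  -", role)
    print("Standing privileged assignments to move to PIM-eligible:")
    for principal, role in standing_privileged_assignments(SAMPLE_SCHEDULES):
        print("  -", principal, "->", role)
```

On the sample data the script reports Security Administrator (the policy exists but is still report-only) and Exchange Administrator (no policy at all) as uncovered, and two permanent assignments as standing access; the activated Intune Administrator is a PIM activation and is correctly ignored. Run against a real export on a schedule, a non-empty result from either function is the "audit and maintain" finding the list item asks for.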

For most Microsoft 365 environments this is implementable within days. The risk reduction is immediate.

The New Zealand Context

The Stryker attack is a timely reminder that the global threat landscape has direct relevance for New Zealand organisations. The National Cyber Security Centre (NCSC) has consistently highlighted identity-based attacks, including credential compromise, MFA bypass, and privileged account abuse, as primary vectors in incidents affecting New Zealand businesses.

The New Zealand Information Security Manual (NZISM) and the NCSC's guidance on critical controls both emphasise MFA for privileged access. But the Stryker incident makes clear why the type of MFA matters. Phishing-resistant authentication for admin accounts is not a premium addition. It's the baseline that the threat environment now demands.

Hardware security keys are available, deployable, and cost-effective. The gap between standard MFA and phishing-resistant MFA for privileged accounts is the gap that sophisticated threat actors are actively exploiting.

How Trust Panda Can Help

Trust Panda New Zealand is your local specialist in identity security and phishing-resistant authentication. We supply and support YubiKey deployments for New Zealand organisations of all sizes, and can advise on Conditional Access architecture, PIM configuration, and step-up authentication design across the Microsoft stack and other platforms.

If you'd like to review your privileged account protection posture, get in touch with our team.