Iran Hacktivist Group Handala Weaponizes Microsoft Intune

On the morning of March 11, 2026, employees at Stryker offices around the world switched on their computers and found them wiped. Login screens were replaced with the logo of Handala, an Iran-linked hacktivist group, and corporate systems across dozens of countries went dark simultaneously.
March 18, 2026

Who is Handala?

Handala Hack is an online persona operated by Void Manticore (also known as Red Sandstorm and Banished Kitten), an actor affiliated with Iran's Ministry of Intelligence and Security (MOIS). Handala's pattern is opportunistic and velocity-focused: compromising lower-security systems, often through supply-chain footholds in IT service providers, exfiltrating data, and timing publication for maximum impact.

What Happened?

Handala claimed data erasure across more than 200,000 systems, servers, and mobile devices, and the exfiltration of 50 terabytes of corporate data. Rather than a novel zero-day exploit or a new malware strain, this incident centers on a powerful administrative tool that went unmonitored.

How Did the Attack Work?

Security researchers suggest the attackers may have broken in using an admin account that granted them near-unlimited access to the company's Windows network; Palo Alto Networks indicates Handala may have relied on either phishing or infostealer malware to steal these initial credentials. Once the attackers gained access to Stryker’s Intune environment, they used it to issue a remote wipe command across all enrolled devices simultaneously. Intune's remote wipe feature is designed for lost or stolen devices, but this legitimate capability was weaponized to execute a large-scale reset.

Why It Matters

Microsoft Intune is a trusted platform. The admin account that issued the wipe was, from the perspective of every system involved, a legitimate, authenticated, authorized user. This is the fundamental problem with how enterprises have extended trust to SaaS platforms. When an organization onboards Intune, it often grants the platform sweeping permissions over its entire device fleet. When it creates an admin account, it grants that account the ability to act on behalf of the organization at scale. That trust is implicit, permanent, and almost never reviewed.

What Does Defense Look Like?

Long-Term: The primary defense against this class of attack is treating SaaS management planes with the same rigor as on-premises infrastructure. That means enforcing phishing-resistant MFA on all admin accounts, implementing just-in-time access so that standing admin permissions don't exist by default, and requiring multi-admin approval for any high-impact action. Organizations should also layer identity threat detection and response on top of these controls, i.e., monitoring for account anomalies that may indicate malicious activity.

Short-Term: Defending against this attack starts with two controls: eliminating standing admin permissions in Intune and Entra ID, and enabling multi-admin approval for destructive actions like device wipe, retire, and delete.
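The monitoring half of the defense above, as an added example that is not part of the original post or Obsidian's product: a detector that flags a single actor issuing a burst of the destructive Intune actions named here (wipe, retire, delete) across many devices inside a short window. The audit records are constructed, and their field names are an assumption (loosely modeled on Intune audit events), not a real log schema.

```python
# Added example, not from the original post: flag one actor issuing destructive
# Intune device actions against many devices in a short sliding window.
# Record fields (time, actor, action, device) are an assumed, constructed schema.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

DESTRUCTIVE_ACTIONS = {"wipe", "retire", "delete"}  # the high-impact actions above


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as '2026-03-11T06:00:05Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_mass_device_actions(events, window=timedelta(minutes=10), threshold=20):
    """Return one alert per actor whose destructive actions touch at least
    `threshold` distinct devices inside any `window`-long sliding interval."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev["action"].lower() in DESTRUCTIVE_ACTIONS:
            per_actor[ev["actor"]].append((parse_ts(ev["time"]), ev["device"]))
    alerts = []
    for actor, acts in per_actor.items():
        acts.sort()
        start, peak, peak_span = 0, 0, None
        for end in range(len(acts)):
            while acts[end][0] - acts[start][0] > window:  # slide window start
                start += 1
            n = len({dev for _, dev in acts[start:end + 1]})  # distinct devices
            if n > peak:
                peak, peak_span = n, (acts[start][0], acts[end][0])
        if peak >= threshold:
            alerts.append({"actor": actor, "devices": peak,
                           "first": peak_span[0].isoformat(),
                           "last": peak_span[1].isoformat()})
    return alerts


def constructed_events():
    """Constructed sample: a helpdesk account retiring 3 devices over a workday
    (benign) and one admin account wiping 25 devices within two minutes."""
    base = datetime(2026, 3, 11, 6, 0, tzinfo=timezone.utc)
    stamp = lambda dt: dt.isoformat().replace("+00:00", "Z")
    events = [{"time": stamp(base + timedelta(hours=h)), "actor": "helpdesk@example.test",
               "action": "retire", "device": f"HD-{h}"} for h in (1, 5, 9)]
    events += [{"time": stamp(base + timedelta(seconds=5 * i)), "actor": "admin@example.test",
                "action": "wipe", "device": f"WS-{i:03d}"} for i in range(25)]
    return events


if __name__ == "__main__":
    for alert in find_mass_device_actions(constructed_events()):
        print(alert)
```

Tune `window` and `threshold` to the tenant's normal retire/wipe volume; a second approver (multi-admin approval) is the preventive control, and this detection is the backstop for actions that were still approved.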

Where Obsidian Can Help

The Stryker attack didn't beat a security team. It inherited the trust that Stryker had already granted to its SaaS plane. Enterprises have spent years building rigorous controls around on-premises infrastructure, then extended unconditional trust to platforms like Intune and Entra ID with almost none of the same guardrails in place. Obsidian exists to close that gap: continuous visibility into enterprise application activity, privileged account monitoring, and cross-SaaS lateral movement detection across the platforms where that implicit trust lives.

Obsidian has also released a posture rule that raises the bar for such an attack, one that removes a single actor’s ability to execute mass device operations from Intune.

Obsidian now flags tenants where multi-admin approval is missing or disabled for high-impact Intune actions, meaning that before any destructive action can execute, a second approver is required. It breaks the binary trust model that made this attack possible: no longer can a single compromised credential, however privileged, act unilaterally against an entire device fleet.

Conclusion

The hard lesson here is that powerful administrative platforms require the same scrutiny as the infrastructure they manage. That scrutiny — behavioral monitoring, privileged access controls, approval workflows — is exactly what's been missing from how enterprises think about SaaS security.