Risky Business Features

When disaster strykes

Mar 23, 2026
Guest Brad Arkin is an experienced security executive and former CISO who advises on incident response and identity risk. Together with the host he reviews the Stryker attack and how Intune was weaponized to wipe devices. The discussion covers phishing of powerful admin credentials, hardening high-power access, inventorying fleet-management tools, AI guardrails, rate-limiting destructive actions, and the recovery challenges that follow mass wipes.
INSIGHT

Legitimate Admin Access Can Cause Massive Damage

  • Valid credentials plus correctly configured Intune can be weaponized to wipe 200,000 devices and 12 petabytes of data.
  • The Stryker attack used a phished Intune admin account and standard management features, not malware or a zero-day.
ADVICE

Limit Everyday Use Of High Privilege Accounts

  • Reduce exposure of high-powered admin credentials by limiting everyday use and requiring isolated, short-lived sessions for admin tasks.
  • Use remote desktops and checked-out one-time credentials so admins don't browse or email from high-privilege accounts.
INSIGHT

Default Intune Lacks Practical Safety Guards

  • Intune has multi-stage approver capability for destructive actions but enterprises often don't enable it by default.
  • Default or typical Intune configs lack safeguards, making large-scale wipes feasible if an admin account is compromised.