A recently reported incident involving the remote wipe of roughly 200,000 devices highlights a shift in how modern attacks work. The attacker did not deploy malware. Instead, they allegedly used legitimate infrastructure such as Microsoft Intune to execute destructive actions at scale.
In a recent breach involving medical technology company Stryker, attackers reportedly obtained administrative access to the company’s Intune environment and issued remote wipe commands across managed devices using the platform’s built-in capabilities.
This approach is becoming increasingly common as attackers move away from custom malware and instead abuse trusted cloud services and enterprise administration platforms.
Security researchers now warn that identity compromise has effectively become the dominant attack surface inside modern organizations, allowing attackers to operate inside environments using legitimate credentials and infrastructure.
Understanding which identities or permissions could allow that level of control is now one of the most important problems in cybersecurity.
The Attack Surface No One Talks About
For years the industry has focused on detecting malicious software.
Antivirus evolved into EDR.
EDR evolved into XDR.
Yet many of the most disruptive incidents now involve no malware at all.
An attacker gains access to an identity. That identity already has the permissions needed to operate critical infrastructure. The attacker simply uses the environment the same way administrators do.
Device management platforms are a perfect example. Tools like Microsoft Intune exist to manage large fleets of devices. They can deploy software, enforce policy, update configurations and issue remote actions such as wipe, retire and reset, against a single device or in bulk.
Those capabilities are extremely useful for IT teams. They are also extremely dangerous if the wrong person gains access.
From a security monitoring perspective, the activity can appear legitimate because the platform itself is behaving exactly as designed: each wipe is an authorized API call from a valid account and is logged the same way an administrator's own wipe would be. What distinguishes an attack is who issued the commands, how many and how quickly, not the command itself.
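Because the individual wipe command is indistinguishable from routine administration, a useful detection looks at volume per actor over a short window rather than at the action type alone. The following is an added example, not code from the page or from any vendor it mentions. It runs a sliding-window rule over a handful of constructed audit events whose field names are modelled on a Microsoft Graph deviceManagement auditEvent (actor, activityType, activityDateTime, resources); every actor, device ID, timestamp and activity string is invented, and the choice to count devices listed in each event (so a bulk action is not undercounted) and to match on the verb at the start of activityType are assumptions of the example.

```python
"""Detect a burst of destructive device actions by one actor in an MDM audit log."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple


def _event(actor: str, when: str, activity: str, devices: List[str]) -> dict:
    """Build one constructed audit event in the shape of a Graph auditEvent."""
    return {
        "actor": {"userPrincipalName": actor},
        "activityType": activity,
        "activityDateTime": when,
        "resources": [{"resourceId": d} for d in devices],
    }


# Constructed sample log: a normal day for it-ops, then a burst from j.doe.
# All values below are invented for this example.
EVENTS = [
    _event("it-ops@corp.example", "2025-01-15T08:02:00+00:00", "Wipe ManagedDevice", ["dev-001"]),
    _event("it-ops@corp.example", "2025-01-15T08:40:00+00:00", "Wipe ManagedDevice", ["dev-002"]),
    _event("it-ops@corp.example", "2025-01-15T09:10:00+00:00", "Sync ManagedDevice", ["dev-003"]),
    _event("j.doe@corp.example", "2025-01-15T09:30:00+00:00", "Wipe ManagedDevice", ["dev-101"]),
    _event("j.doe@corp.example", "2025-01-15T09:31:00+00:00", "Wipe ManagedDevice", ["dev-102", "dev-103"]),
    _event("j.doe@corp.example", "2025-01-15T09:32:00+00:00", "Wipe ManagedDevice", ["dev-104", "dev-105"]),
    _event("j.doe@corp.example", "2025-01-15T09:33:00+00:00", "Retire ManagedDevice", ["dev-106"]),
    _event("j.doe@corp.example", "2025-01-15T09:34:00+00:00", "Wipe ManagedDevice", ["dev-107"]),
]

# Assumption: the destructive verb is the first word of activityType.
DESTRUCTIVE_PREFIXES = ("wipe", "retire")


def is_destructive(event: dict) -> bool:
    """True for wipe/retire style actions that remove data or management from a device."""
    return event["activityType"].lower().startswith(DESTRUCTIVE_PREFIXES)


def detect_destructive_bursts(events: List[dict],
                              window: timedelta = timedelta(minutes=10),
                              threshold: int = 5) -> List[Dict]:
    """Flag any actor whose destructive actions touch >= threshold devices inside `window`.

    Each event counts for the number of devices it lists, so one bulk action is not
    undercounted. One alert per actor, raised at the first event that crosses the line.
    """
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["activityDateTime"]))
    # per actor: deque of (timestamp, device_count, raw_timestamp_string)
    recent: Dict[str, Deque[Tuple[datetime, int, str]]] = defaultdict(deque)
    alerted = set()
    alerts: List[Dict] = []
    for ev in ordered:
        if not is_destructive(ev):
            continue
        actor = ev["actor"]["userPrincipalName"]
        ts = datetime.fromisoformat(ev["activityDateTime"])
        q = recent[actor]
        q.append((ts, len(ev["resources"]), ev["activityDateTime"]))
        # Drop anything that has fallen out of the sliding window.
        while ts - q[0][0] > window:
            q.popleft()
        devices = sum(n for _, n, _ in q)
        if devices >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append({
                "actor": actor,
                "devices": devices,
                "window_start": q[0][2],
                "triggered_at": ev["activityDateTime"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_destructive_bursts(EVENTS):
        print(f"ALERT {a['actor']}: {a['devices']} devices wiped/retired "
              f"between {a['window_start']} and {a['triggered_at']}")
```

On the constructed input this flags j.doe at the third wipe event (five devices in three minutes) and stays silent for it-ops, whose two wipes are almost forty minutes apart. The window and threshold have to be tuned per tenant against the volume your own IT team generates on a normal day; a complementary rule worth adding is a wipe issued by an actor that has never issued one before, which catches a slow, low-volume attacker that a pure rate rule misses.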
The Real Risk Exists Before the Attack
Most organizations already know they have thousands of vulnerabilities and misconfigurations across their environment. The challenge is figuring out which ones actually matter.
Guardare focuses on identifying exposures that could lead to real operational impact rather than simply cataloging technical issues.
By correlating identity systems, endpoint management platforms and cloud infrastructure, Guardare helps security teams understand how an attacker could move through the environment after gaining access.
For example, an exposure might look like this.
A privileged Entra ID identity holds the Intune Administrator role (or Global Administrator, which has full access to Intune), or an Intune RBAC role scoped to the entire device fleet. That role allows remote actions, including wipe, against most of the organization's managed devices. If that identity is compromised, the attacker does not need to deploy ransomware or custom malware. They can simply issue commands through the device management platform. That kind of insight allows security teams to address the problem before an attacker discovers it.
How Attack Chains Actually Form
Management platforms such as Intune become dangerous when they are combined with identity compromise. Guardare continuously maps relationships between identities, permissions and administrative platforms to identify high risk attack paths.
A typical chain might begin with something very simple.
An employee identity is phished.
That account has indirect privilege escalation potential: for example, it is a member of a group nested inside one that holds a privileged role, it owns a group that holds one and can add itself as a member, or it has an eligible role assignment it can activate.
The privilege escalation leads to a device management administrative role.
That role provides control over the organization’s device fleet.
At that point the attacker no longer needs to exploit anything. They simply use the same tools administrators use every day.
When security teams can see these pathways in advance, they can remove the conditions that allow the chain to exist.
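The chain above, and the single-identity exposure described earlier on the page, are both questions about reachability in a graph of principals, groups and roles. The following is an added example of that mapping, not code from the page or from any product it mentions. It builds a "can reach" graph from a constructed tenant snapshot (every user, group and role name is invented), finds the shortest path from each principal to a role that controls the whole fleet, ranks the results, and checks whether removing one relationship closes a path. Treating group ownership as an edge (an owner can add itself as a member) and treating Global Administrator as a fleet-control role are modelling assumptions of the example; the edge inventory for a real tenant has to come from the directory's own membership, ownership and role-assignment data, and some group types restrict nesting, so not every edge kind exists everywhere.

```python
"""Enumerate attack paths from ordinary identities to fleet-control roles."""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed tenant snapshot. Every name below is invented for this example.
MEMBER_OF: Dict[str, List[str]] = {   # principal -> groups it is a direct member of
    "alice": ["helpdesk"],
    "bob": ["endpoint-ops"],
    "carol": [],
    "dave": ["finance"],
    "erin": ["finance"],
    "helpdesk": ["endpoint-ops"],     # nested group: helpdesk sits inside endpoint-ops
}
OWNER_OF: Dict[str, List[str]] = {    # principal -> groups it owns
    "dave": ["endpoint-ops"],         # an owner can add members, including itself
}
ROLE_ASSIGNMENTS: Dict[str, List[str]] = {  # principal -> roles assigned to it
    "endpoint-ops": ["Intune Administrator"],
    "carol": ["Global Administrator"],
}
# Roles treated as sinks: holding one gives remote-action control over every managed device.
FLEET_CONTROL_ROLES: Set[str] = {"Intune Administrator", "Global Administrator"}

Graph = Dict[str, List[Tuple[str, str]]]  # node -> [(neighbour, edge_kind)]


def build_graph(member_of=MEMBER_OF, owner_of=OWNER_OF, roles=ROLE_ASSIGNMENTS) -> Graph:
    """Turn membership, ownership and role assignments into a directed 'can reach' graph."""
    graph: Graph = {}

    def add(src: str, dst: str, kind: str) -> None:
        graph.setdefault(src, []).append((dst, kind))
        graph.setdefault(dst, [])

    for principal, groups in member_of.items():
        for g in groups:
            add(principal, g, "member_of")
    for principal, groups in owner_of.items():
        for g in groups:
            add(principal, g, "owns")        # assumption: ownership implies reachability
    for principal, assigned in roles.items():
        for r in assigned:
            add(principal, r, "assigned")
    return graph


def shortest_path_to_fleet_control(graph: Graph, start: str,
                                   sinks: Set[str] = FLEET_CONTROL_ROLES) -> Optional[List[str]]:
    """BFS from a principal. Returns the shortest path as an alternating
    [node, edge_kind, node, ...] list, or None if no fleet-control role is reachable."""
    parents: Dict[str, Optional[Tuple[str, str]]] = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in sinks:
            path: List[str] = [node]
            while parents[node] is not None:
                prev, kind = parents[node]
                path.extend([kind, prev])
                node = prev
            return path[::-1]
        for nxt, kind in graph.get(node, []):
            if nxt not in parents:
                parents[nxt] = (node, kind)
                queue.append(nxt)
    return None


def rank_exposures(graph: Graph, principals: List[str]) -> List[Tuple[str, List[str], bool]]:
    """Every principal that can reach fleet control, most direct path first.

    The boolean marks paths that depend on group ownership rather than standing
    membership: still exploitable, but the attacker must first modify a group,
    which is a logged, reversible action and a good detection point."""
    found = []
    for p in principals:
        path = shortest_path_to_fleet_control(graph, p)
        if path is not None:
            found.append((p, path, "owns" in path))
    return sorted(found, key=lambda item: (len(item[1]), item[0]))


def without_edge(graph: Graph, src: str, dst: str) -> Graph:
    """Copy of the graph with one relationship removed, to test a proposed remediation."""
    return {n: [(d, k) for d, k in edges if not (n == src and d == dst)]
            for n, edges in graph.items()}


if __name__ == "__main__":
    g = build_graph()
    for principal, path, via_owner in rank_exposures(g, ["alice", "bob", "carol", "dave", "erin"]):
        note = "  (via group ownership)" if via_owner else ""
        print(f"{principal:6} {' -> '.join(path)}{note}")
    fixed = without_edge(g, "dave", "endpoint-ops")
    print("dave after removing group ownership:", shortest_path_to_fleet_control(fixed, "dave"))
```

On the constructed snapshot, carol (direct Global Administrator) ranks first, bob (direct member of the role-holding group) and dave (owner of that group, in finance) next, and alice (two levels of nesting away) last; erin has no path. Removing dave's ownership of the group closes his path entirely, which is the kind of check to run before and after a remediation. Ranking by path length is a crude proxy: a real scoring should weigh whether the path requires an action the attacker must take (adding themselves to a group, activating an eligible assignment) against standing access that needs nothing more than the credential.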
Not All Exposures Are Equal
Security teams are constantly asked to prioritize remediation across thousands of alerts. Traditional vulnerability management does not always help because it treats every technical issue as a separate item. In reality the impact of each exposure is very different.
Guardare prioritizes exposures based on operational risk.
This includes factors such as potential business disruption, access to critical systems, lateral movement potential and the ability to control large portions of the environment. An exposure that could enable global device management or large scale endpoint control would immediately rank as a severe risk. That type of prioritization allows security teams to focus on issues that could genuinely disrupt operations.
Containing the Damage When Identity Is Compromised
Identity compromise remains one of the most common entry points for attackers.
Phishing campaigns, credential theft and social engineering are still effective because they target people rather than software.
The important question is what happens next.
Guardare helps organizations identify structural weaknesses that increase the potential damage of a compromised identity.
These often include excessive administrative privileges, standing rather than just-in-time role assignments, device management roles that control entire fleets where a scoped role would do, group owners who can add themselves to privileged groups, and poor separation between everyday user accounts and administrative functions.
Reducing those conditions dramatically limits the scale of a potential attack.
An attacker might still obtain credentials. What they can do with those credentials becomes far more limited.
Key Takeaways
Cyber attacks are evolving in a way that many traditional security tools were never designed to address.
Instead of writing malware, attackers increasingly take advantage of existing infrastructure. Identity platforms, management systems and administrative tools are now part of the attack surface.
Security teams therefore need visibility into the exposures that could enable catastrophic actions inside their own environment.
Which identities could control device fleets.
Which permissions allow access to management platforms.
Which combinations of roles create unintended administrative power.
Understanding those relationships before an attacker does is becoming one of the most important capabilities in modern cybersecurity.
Because in many incidents today, the attacker does not need to break in.
They simply log in.