THE CXO BRIEF
What Enterprise Technology Leaders Are Responding To Right Now
March 13, 2026
NETWORK SIGNAL THIS WEEK
Activity across DoGood member submissions:
Identity stack evaluations (credential, PAM, IAM, zero trust): ↑ nearly 2x YoY
Third-party vendor risk mentions: ↑ 4.5x YoY
The tools you deployed to manage your environment are being turned against it.
I watched the Stryker story break Tuesday morning and spent the rest of the day reading Reddit threads from employees watching their phones get wiped in real time.
Identity-related priorities nearly doubled year-over-year. Third-party vendor risk mentions grew more than four-fold.
Three stories this week show why this pattern is accelerating.
📰 THREE STORIES THAT MATTER
1. Iran-Linked Attackers Used Microsoft Intune to Wipe 200,000+ Stryker Devices Across 79 Countries
What happened: On March 11, Iranian-linked hacktivist group Handala claimed a destructive cyberattack against Stryker, the Fortune 500 medical technology company ($25B revenue, 56,000 employees). Stryker confirmed a "severe, global disruption" to its Microsoft environment. Employees across the US, Ireland, Australia, and India lost access to laptops, phones, and internal systems within minutes. According to a source who spoke to Krebs on Security, the attackers used Microsoft Intune to issue remote wipe commands against all connected devices. The MDM platform Stryker relied on to enforce security became the delivery mechanism for the attack.
Why it matters: Intune is designed to let IT teams remotely manage and wipe devices. An attacker with admin access has the same capability across every enrolled device globally. Stryker employees were told to uninstall Intune, Company Portal, Teams, and VPN from personal devices. Some lost personal data from BYOD devices enrolled in corporate management. The attack didn't require custom malware. It used the management tool exactly as designed, just with the wrong hands on the console.
What leaders are doing: Organizations are reviewing who has administrative access to their MDM platforms and whether those accounts carry the same protections as domain admin. The question sharpening internal conversations: if someone compromised our Intune tenant, what's the blast radius? For most, the answer is every managed device in the fleet.
📡 Network signal: "Today we do not have the capability to locate lost or stolen devices, and certainly cannot secure them. A remote wipe capability would be great." — Director, Network Services & Security, Global Law Firm. At Stryker, that exact capability became the weapon.
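An added example (not from the original brief or from any vendor's tooling) of detection logic for the pattern in this story: it flags any account that wipes many distinct devices inside a short window, which routine help-desk activity does not do. The record schema, account names, window and threshold are assumptions; map them to whatever your MDM audit export provides.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def find_wipe_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Flag actors who wipe `threshold` or more distinct devices within `window`."""
    recent = defaultdict(deque)  # actor -> (time, device) pairs still inside the window
    alerts = {}                  # actor -> {"first_seen": datetime, "devices": set}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] != "wipe":
            continue
        q = recent[ev["actor"]]
        q.append((ev["time"], ev["device"]))
        while ev["time"] - q[0][0] > window:   # drop wipes older than the window
            q.popleft()
        devices = {d for _, d in q}
        if len(devices) >= threshold:
            alert = alerts.setdefault(ev["actor"], {"first_seen": q[0][0], "devices": set()})
            alert["devices"] |= devices
    return alerts

# Constructed audit records in a hypothetical schema (time, actor, action, device).
T0 = datetime(2026, 1, 1, 9, 0)
SAMPLE_EVENTS = (
    # Routine help-desk activity: two wipes, hours apart.
    [{"time": T0 + timedelta(hours=h), "actor": "helpdesk@example.test",
      "action": "wipe", "device": f"LT-{h:03d}"} for h in (0, 5)]
    # One admin account wiping eight devices at 20-second intervals.
    + [{"time": T0 + timedelta(hours=2, seconds=20 * i), "actor": "mdm-admin@example.test",
        "action": "wipe", "device": f"PH-{i:03d}"} for i in range(8)]
    # Non-destructive actions are ignored.
    + [{"time": T0, "actor": "mdm-admin@example.test", "action": "sync", "device": "PH-000"}]
)

for actor, alert in find_wipe_bursts(SAMPLE_EVENTS).items():
    print(actor, alert["first_seen"].isoformat(), len(alert["devices"]))
```

Counting distinct devices rather than raw events keeps retries against one device from inflating the score.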
2. FortiGate Config Files Are Giving Attackers Your AD Credentials
What happened: SentinelOne's incident response team published findings this week from multiple FortiGate compromises in early 2026. Attackers exploited known Fortinet authentication bypass flaws or weak credentials to access FortiGate appliances, then extracted configuration files containing encrypted service account LDAP credentials. The encryption is reversible. In one case, attackers decrypted the credentials, authenticated to Active Directory, and enrolled rogue workstations. In another, they exfiltrated the NTDS.dit file containing every credential in the domain. Healthcare, government, and MSPs were targeted. A consistent finding: organizations did not retain sufficient logs to determine how or when attackers gained access.
Why it matters: FortiGate appliances sit at the network boundary and integrate with Active Directory by design. That means the configuration file isn't just firewall rules. It contains admin accounts, VPN credentials, internal IP ranges, and the service account keys to your domain. The attackers didn't crack passwords. They decrypted them from a file the appliance stores by default. The pattern is consistent with initial access brokers selling footholds to ransomware operators.
What leaders are doing: Organizations are rotating all AD and LDAP service account credentials stored in Fortinet configurations, regardless of patch status. Security teams are extending log retention on edge appliances to 60-90 days minimum. The broader conversation: if your firewall vendor stores reversible credentials in config files, that's a design decision worth raising at renewal.
📡 Network signal: Third-party vendor risk mentions in our network grew more than four-fold year-over-year. One cybersecurity leader this month said they are "often caught off guard by customers reaching out as a result of one of our third-party vendors having an incident." The FortiGate findings show how that cascade starts.
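An added example, not from SentinelOne or Fortinet: a script that inventories which entries in a FortiGate configuration backup store secrets, so the rotation list described in this story can be built from the file itself. It assumes the usual "config" / "edit" / "set ... ENC" backup layout; the sample config, account names and placeholder values are constructed, and the script never decodes a secret.

```python
SECRET_KEYS = {"password", "passwd", "psksecret"}  # "set" keywords that hold secrets
CONTEXT_KEYS = {"username", "server"}              # identify the account to rotate

def inventory_stored_secrets(config_text):
    """List entries that store an ENC-wrapped secret; the value is never decoded."""
    findings, sections, frames = [], [], []
    def open_frame(entry):
        frames.append({"section": " / ".join(sections), "entry": entry, "ctx": {}, "keys": []})
    def close_frame():
        f = frames.pop()
        findings.extend({"section": f["section"], "entry": f["entry"], "secret": k, **f["ctx"]}
                        for k in f["keys"])
    for line in config_text.splitlines():
        tok = line.strip().split(None, 2)   # keyword, name, rest of the line
        if not tok:
            continue
        if tok[0] == "config":              # sections may nest inside an "edit" entry
            sections.append(" ".join(tok[1:]))
            open_frame(None)
        elif tok[0] == "edit" and len(tok) > 1:
            open_frame(" ".join(tok[1:]).strip('"'))
        elif tok[0] in ("next", "end") and frames:
            if tok[0] == "end" and sections:
                sections.pop()
            close_frame()
        elif tok[0] == "set" and len(tok) == 3 and frames:
            if tok[1] in SECRET_KEYS and tok[2].startswith("ENC "):
                frames[-1]["keys"].append(tok[1])
            elif tok[1] in CONTEXT_KEYS:
                frames[-1]["ctx"][tok[1]] = tok[2].strip('"')
    return findings

# Constructed sample backup; names, addresses and ENC values are placeholders.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set password ENC PLACEHOLDER
    next
end
config user ldap
    edit "corp-ldap"
        set server "10.0.0.10"
        set username "CN=svc-fortigate,OU=Service Accounts,DC=corp,DC=example"
        set password ENC PLACEHOLDER
    next
end
"""
for finding in inventory_stored_secrets(SAMPLE_CONFIG):
    print(finding)
```

Every account the script lists is a rotation candidate, and the backup file it reads should be handled as a secret in its own right.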
3. March Patch Tuesday: Two Office RCE Flaws Exploit the Preview Pane — No Click Required
What happened: Microsoft's March 2026 Patch Tuesday addressed 82 vulnerabilities. Two critical Office remote code execution flaws stand out: CVE-2026-26110 and CVE-2026-26113 (both CVSS 8.4). Both exploit the Preview Pane. An attacker sends a crafted file. The recipient doesn't open it. Previewing it in Outlook or File Explorer executes the code. No interaction required. Microsoft also patched a PrintNightmare-like print queue flaw (CVE-2026-23669) and disclosed two zero-days, neither actively exploited yet.
Why it matters: "Don't open suspicious attachments" has been the foundation of email security training for two decades. These flaws bypass that entirely. The Preview Pane processes the file before the user decides whether to open it. This is the second time in three months that Office security feature bypasses have appeared in Patch Tuesday. The pattern: controls users have been trained to rely on are increasingly irrelevant to how attacks actually execute.
What leaders are doing: Organizations are pushing March patches ahead of normal cycles, with priority on environments where users receive external attachments. Some are evaluating whether the Preview Pane can be disabled across managed Outlook deployments as defense-in-depth.
📡 Network signal: Vulnerability management and exposure reduction appear in more than 1 in 20 submissions this quarter. When the Preview Pane becomes an execution channel, the question isn't whether to patch. It's how fast.
📊 FROM THE NETWORK
The thread across all three stories: management tools and trusted infrastructure are the attack surface.
Identity stack evaluations in our network nearly doubled year-over-year. Nearly 1 in 10 submissions now reference credential management, PAM, IAM, or zero trust. When an MDM platform can wipe every device globally and a firewall config file can unlock your domain, the identity layer governing access to those tools isn't a security project. It's the security project.
"Often caught off guard by our customers reaching out as a result of one of our third-party vendors having an incident." — Head of Cybersecurity Strategy & Operations, Global Software Company
That's the downstream reality. When Stryker goes dark, hospitals feel it. When a FortiGate at an MSP is compromised, every customer downstream is exposed.
💬 THREE QUESTIONS TO ASK YOUR TEAM THIS WEEK
1. If someone compromised our MDM admin console, what's the blast radius? Stryker's attackers used Intune to wipe devices across 79 countries. Your MDM has that same capability by design. Who has admin access, and how is it protected?
2. What credentials are stored in our edge appliance configuration files? SentinelOne found FortiGate configs containing AD service account credentials in reversible encryption. If someone extracted your firewall's config file today, what would they find?
3. Can a file execute code on our systems before a user opens it? The March Patch Tuesday Office flaws exploit the Preview Pane. No click, no macro warning. Is your patch pipeline fast enough to close that window?
