Security

ACR Stealer Campaigns: ClickFix Threats Rise

3 min read

Summary

Microsoft reports increased ACR Stealer activity targeting enterprises through ClickFix social engineering, with two intrusion chains using WebDAV, Python loaders, MSHTA, obfuscated PowerShell, and steganography. The campaigns focus on stealing browser credentials, session tokens, and sensitive documents, making early detection and user awareness critical for defenders.

Need help with Security?Talk to an Expert

Introduction

Microsoft has published new research on a rise in ACR Stealer activity observed from late April to mid-June 2026. For IT and security teams, this matters because the malware is designed to steal browser credentials, authentication tokens, and enterprise documents that can lead to account compromise and broader cloud intrusion.

What’s new

Microsoft Defender Experts highlighted two prevalent ACR Stealer intrusion chains, both starting with ClickFix social engineering that tricks users into running attacker-supplied commands.

Campaign 1: WebDAV, Python loaders, and blockchain-backed C2

  • Uses ClickFix prompts likely delivered through malvertising or manipulated search results.
  • Launches cmd.exe and rundll32.exe to load a DLL from a remote WebDAV share over HTTPS.
  • In some variants, uses pushd to map the remote WebDAV path as a local drive and conhost.exe --headless to reduce visibility.
  • Runs heavily obfuscated PowerShell to download and install additional payloads.
  • Deploys a bundled pythonw.exe loader, creates scheduled task persistence, and copies trusted file timestamps to reduce forensic visibility.
  • In some cases, resolves command-and-control using blockchain dead-drop infrastructure.

Campaign 2: MSHTA, PowerShell, and steganography

  • Takes a more fileless approach.
  • Uses MSHTA to initiate execution.
  • Relies on obfuscated PowerShell and steganography-assisted in-memory payload delivery.
  • Still ends with the same objective: stealing credentials and sensitive enterprise data.

Impact on administrators

The biggest risk is not just credential theft, but what comes next. Stolen browser passwords, cookies, and session tokens can enable unauthorized access to Microsoft 365, cloud apps, and internal resources. Microsoft also notes that the malware targets files such as PDFs, Microsoft 365 documents, and content in OneDrive and SharePoint-synced folders.

Defender for Endpoint can help detect behaviors tied to these campaigns, including:

  • Suspicious WebDAV and MSHTA activity
  • Obfuscated PowerShell execution
  • Scheduled task persistence
  • In-memory payload execution
  • Attempts to access browser credential stores
  • Educate users to avoid ClickFix-style prompts that ask them to run commands.
  • Hunt for rundll32, MSHTA, and PowerShell launched from unusual parent processes.
  • Monitor for WebDAV connections, especially GUID-like paths and suspicious remote shares.
  • Review endpoints for hidden or disguised scheduled tasks.
  • Validate Defender detections for browser credential theft and living-off-the-land activity.
  • Investigate access to sensitive files in OneDrive and SharePoint synced directories.

Organizations should treat the indicators and techniques in Microsoft’s report as representative of a broader and still-evolving ACR Stealer threat landscape.

Need help with Security?

Our experts can help you implement and optimize your Microsoft solutions.

Talk to an Expert

Stay updated on Microsoft technologies

ACR StealerClickFixMicrosoft Defender for EndpointPowerShellcredential theft

Related Posts

Security

AI Agent Least Privilege: Identity and RBAC Guide

Microsoft is urging organizations to treat AI agents as first-class identities with tightly scoped access, explicit role assignments, and controlled tool bindings. The guidance matters because agentic workflows can span multiple systems, increasing the blast radius of misconfigured permissions, weak audit trails, and unclear accountability.

Security

AsyncAPI npm Supply Chain Attack: Import-Time Malware

Microsoft Threat Intelligence uncovered a coordinated compromise of the AsyncAPI npm organization that republished five package versions with malicious code that runs when packages are imported, not just installed. The incident matters because common mitigations like npm install --ignore-scripts do not stop this technique, putting developer workstations, CI/CD pipelines, and production services at risk if they resolved the affected versions.

Security

Defender Experts Adds Threat Intelligence and MDR

Microsoft has launched Defender Experts Threat Intelligence and expanded Defender Experts MDR with third-party and multi-cloud coverage powered by Microsoft Sentinel. The update helps security teams turn threat intelligence into action faster by combining expert-led guidance, unified Defender portal workflows, and broader cross-platform incident response.

Security

Salesforce OAuth Abuse: Microsoft Guidance on ShinyHunters

Microsoft detailed how threat activity associated with ShinyHunters abused trusted OAuth relationships in Salesforce to gain persistent access, exfiltrate CRM data, and evade traditional sign-in detections. The company also announced improved Salesforce telemetry and near-real-time detection in Defender for Cloud Apps, giving security teams better visibility into connected apps, OAuth scopes, and suspicious SaaS activity.

Security

Microsoft Entra ID Passkeys Default Rollout Dates

Microsoft will make passkeys the default authentication experience in Entra ID starting September 1, 2026, automatically prompting users currently using SMS or voice MFA to register a passkey. The change matters because Microsoft-provided SMS and voice authentication will be retired on February 1, 2027, pushing organizations toward phishing-resistant authentication and requiring admins to plan migrations now.

Security

Microsoft Secure Future Initiative July 2026 Update

Microsoft’s July 2026 Secure Future Initiative progress report highlights major security gains across identity, cloud resource isolation, vulnerability remediation, and AI-driven defense. The update matters to IT and security teams because it pairs measurable hardening progress with practical guidance on phishing-resistant MFA, secure defaults, composite attack paths, and post-quantum readiness.