ACR Stealer ClickFix Campaign Targets Browser Tokens and Microsoft 365 Files

Microsoft says ACR Stealer ClickFix campaigns are stealing browser credentials, session tokens, and Microsoft 365 files. Defenders should hunt WebDAV, mshta, PowerShell, and token abuse.

Microsoft has warned that ACR Stealer activity increased across customer environments from late April through mid-June 2026, with ClickFix lures used to steal browser credentials, session tokens, authentication artifacts, PDFs, and Microsoft 365 documents.[1] The story matters because this is not a normal patch-and-move-on vulnerability alert: the infection begins when a user follows a fake verification or setup prompt and pastes an attacker-supplied command into Windows.

The July 16 Microsoft Defender Experts report describes two notable ACR Stealer intrusion chains. One uses remote WebDAV payloads, staged PowerShell, Python loaders, scheduled-task persistence, and, in some cases, blockchain-backed dead-drop command-and-control resolution. The other takes a more fileless route through mshta.exe, obfuscated PowerShell, and steganography-assisted payload delivery hidden in image data.[1] Both chains converge on the same outcome: stealing browser-stored passwords, cookies, tokens, and local or synced enterprise files.

That makes the campaign relevant far beyond personal password theft. If a compromised endpoint syncs OneDrive or SharePoint content, or if browser tokens remain valid after the first infection, attackers may get a second path into Microsoft 365 data even after a password reset. It also connects to a broader pattern seen in recent HowToFix coverage: attackers are increasingly abusing social engineering and identity material instead of relying only on exploitable software bugs. Earlier examples include ClickFix malware injected through compromised Ghost CMS sites and Microsoft 365 token theft through Evilginx and device-code phishing.

What defenders should check now

Microsoft says defenders should prioritize signs of ClickFix prompts, suspicious WebDAV access, obfuscated PowerShell, rundll32.exe loading remote content, and mshta.exe fetching HTA content over HTTPS.[1] Those signals are useful because the campaign is not built around one fixed exploit. The same social-engineering entry point can hand off to different loaders, domains, and payload staging methods, so blocking only one hash or URL is not enough.

In the WebDAV branch, Microsoft observed commands that cause rundll32.exe to load DLL content from remote shares, sometimes wrapped in pushd or hidden behind conhost --headless. Later stages can drop content under user-writable folders, run Python without a visible window, create hidden scheduled tasks that look like software updates, clear PowerShell history, and execute final payloads in memory.[1] For response teams, the important point is the sequence: browser lure, command interpreter, remote content, script execution, persistence, then credential and file collection.

The second branch is harder to see with simple file-based controls. Microsoft describes mshta.exe launching remote content, a VBScript and PowerShell chain, payload extraction from image data, reflective execution, and credential access against Chromium-based browser stores and DPAPI-protected material.[1] The Hacker News noted that this route can leave fewer disk artifacts while still targeting passwords, cookies, tokens, Desktop and Downloads PDFs, and synchronized Microsoft 365 files.[2]

ACR Stealer is not brand new, but the timing and enterprise impact make the latest campaign worth attention. Red Canary reported that ClearFake reached the top of its April 2026 threat list and that ACR Stealer entered its top ten that month, tied for sixth, after being delivered through paste-and-run style lures.[3] SANS Internet Storm Center separately documented a May 26 fake Claude download page that led to suspected ACR Stealer activity, with indicators including creativecommunityinfo[.]art and enhanceblabber[.]cc also appearing in Microsoft’s campaign details.[4]

For administrators, the immediate checklist is practical. Treat any report of a website asking users to paste commands into Run, Terminal, PowerShell, or a fake installer window as a likely security event, not as failed setup. Review RunMRU, command-line telemetry, WebDAV access over HTTPS, suspicious scheduled tasks, and child processes spawned by explorer.exe, powershell.exe, mshta.exe, and rundll32.exe. If a host looks exposed, isolate it, rotate credentials, revoke potentially stolen tokens, check browser credential-store access, and review Microsoft 365 sign-ins and file access from that user.

Security teams should also reduce the blast radius before the next lure lands. Application control or attack surface reduction rules can restrict script hosts and living-off-the-land binaries from launching internet-delivered content in user-writable paths. Browser password storage should be minimized for privileged users. Conditional Access and MFA still matter, but this campaign is a reminder that valid session tokens and synced files can become the target after the user runs the initial command. Similar supply-chain and infostealer stories, such as the jscrambler npm compromise that dropped an infostealer, show why credential rotation alone is rarely a complete cleanup step.

References

  1. Microsoft Security Blog. “ACR Stealer: Two observed intrusion chains amid increased threat activity.” July 16, 2026.
  2. The Hacker News. “ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files.” July 17, 2026.
  3. Red Canary. “Intelligence Insights: May 2026.” May 2026.
  4. SANS Internet Storm Center. “Possible ACR Stealer From Page Impersonating Claude.” May 26, 2026.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.

Leave a Comment