
Microsoft details ACR Stealer campaigns using ClickFix lures and living-off-the-land tools
Microsoft says ACR Stealer campaigns are using ClickFix lures, WebDAV, MSHTA and PowerShell to steal enterprise credentials.
Microsoft has published new threat research on ACR Stealer, warning that two recent intrusion chains are using ClickFix social engineering to move from a user prompt into credential theft. The July 16 report from Microsoft Security Research says Defender Experts observed increased ACR Stealer activity across customer environments from late April through mid-June 2026, with campaigns aimed at browser credentials, authentication tokens and sensitive enterprise documents.
ClickFix attacks try to make a victim run a command while believing they are fixing a routine problem, such as a verification or browser issue. In the first chain described by Microsoft, that command leads to remote WebDAV-hosted payloads, staged PowerShell, Python-based loaders and hidden scheduled-task persistence. Microsoft says some observed activity also used blockchain-backed dead-drop resolution for command-and-control data.
The second chain takes a less disk-heavy path. It starts with a similar ClickFix lure but moves through MSHTA, obfuscated PowerShell and steganography-assisted in-memory execution. Microsoft maps the campaigns to common Windows living-off-the-land tools, including rundll32.exe and mshta.exe, which makes the activity especially relevant for defenders who rely on behavioral detection rather than simple file matching.
Why It Matters
Information stealers have become a practical bridge between low-friction social engineering and larger account compromise. Browser password stores, cookies and session tokens can give attackers access to cloud services even when a target never types a password into a fake login page. That makes ACR Stealer more than a nuisance infection: a successful run can expose authentication artifacts that enable unauthorized access, data theft or follow-on intrusion.
The report is also a reminder that supply chains and AI-themed lures are not the only current software risk. A well-timed instruction to paste or run a command can still defeat users who are otherwise cautious about attachments. Microsoft recommends monitoring for ClickFix patterns, suspicious WebDAV and MSHTA activity, obfuscated PowerShell, hidden scheduled tasks and attempts to access browser credential stores.
- Microsoft says the observed campaigns were active across customer environments from late April to mid-June 2026.
- Both chains begin with ClickFix social engineering and then diverge in payload delivery and evasion.
- Defensive guidance includes PowerShell logging, EDR block mode, tamper protection and hunting for suspicious WebDAV or MSHTA execution.
Sources
Cover photo by Sora Shimazaki on Pexels, used under the Pexels License.
CyberOGZ Team






Comments (0)
Leave a Comment