ACR Stealer attacks via ClickFix: steals tokens, Microsoft 365 documents and OneDrive files

Colleagues, I’d like to draw your attention to a cybersecurity development.
ACR Stealer is being delivered through ClickFix-style prompts: all it takes is pasting a command into Run and pressing Enter.
From there, attackers can harvest saved browser passwords, live session tokens, PDFs and Microsoft 365 documents, as well as files from OneDrive and SharePoint.
The attack chains involve mshta.exe, WebDAV, PowerShell and Python, while part of the malicious activity runs in memory, leaving little visible trace on disk.
Why it matters: there is no CVE here, so protection depends not on patching, but on controlling user actions and restricting the launch of risky utilities.
How do you protect users from paste-and-run attacks?
#cybersecurity #infostealer #Microsoft365 #SOC


Latest comments
No comments yet.