Jessica Entwistle
July 17 2026
Microsoft Defender Experts has observed a significant increase in ACR Stealer activity across enterprise environments between late April and mid-June 2026. Microsoft reports that these campaigns are using ClickFix social engineering lures to trick users into executing malicious commands, leading to the theft of browser credentials, authentication tokens and sensitive documents. The attacks are successfully targeting enterprise environments, exploiting user trust and familiarity with legitimate system prompts to gain initial access. ClickFix techniques typically involve fake error messages or system notifications that instruct users to copy and paste commands into PowerShell or other system tools, bypassing traditional email security controls by relying on user interaction rather than malicious attachments or links. The campaigns have been observed across multiple customer environments, indicating a broad and coordinated effort by attackers to compromise enterprise credentials and gain access to cloud services and internal systems.
This campaign highlights the continuing effectiveness of social engineering techniques that exploit user behaviour rather than technical vulnerabilities. ClickFix lures are particularly concerning because they can bypass email filtering, endpoint detection and other technical controls by relying on the user to execute the malicious payload themselves. For UK businesses, this is a reminder that security awareness and user education remain critical layers of defence, particularly as attackers continue to refine their techniques to appear legitimate and trustworthy. The theft of browser credentials and authentication tokens can lead to account takeover, lateral movement and data exfiltration, making this a high-impact threat for organisations that rely on cloud services, single sign-on or browser-based authentication. The fact that these campaigns are successfully targeting enterprise environments suggests that traditional security controls are not sufficient on their own, and that organisations need to invest in both technical defences and user awareness to manage this type of risk effectively.
Review whether your security awareness training covers social engineering techniques that involve fake system prompts, error messages or instructions to run commands. Consider whether your endpoint detection and response tools are configured to alert on unusual PowerShell activity or command execution, and whether your incident response playbooks include steps for responding to credential theft and token compromise. This is also an opportunity to review how browser-based authentication tokens are managed and protected across your environment, and whether you have controls in place to detect and respond to account takeover or unusual login activity. Consider whether your organisation has clear guidance for users on how to report suspicious prompts or instructions, and whether you have a process in place for validating and responding to those reports quickly. Finally, review whether your technical controls include monitoring for unusual clipboard activity, command execution or browser extension installation, as these are common indicators of ClickFix-style attacks.
Source: Microsoft Security Blog