Microsoft has identified a surge in ACR Stealer malware activity targeting enterprise networks to harvest Microsoft 365 credentials and documents [1].
This campaign represents a significant risk to corporate security because it targets authentication tokens and sensitive cloud storage, allowing attackers to bypass traditional login barriers and access internal SharePoint and OneDrive files.
The Microsoft Defender Experts team said they observed a surge in ACR Stealer activity across customer environments, leveraging ClickFix lures to harvest authentication tokens and documents [1]. The malware has been in circulation since 2024 [2].
Security researchers tracked two specific intrusion chains from late April 2026 through mid-June 2026 [1]. The malware employs a variety of deceptive techniques, including JPEG steganography and WebDAV, to steal browser-stored passwords, authentication tokens, and PDFs [1, 2].
Attackers use different methods to initiate the infection. Some lures prompt users to paste a command into the Run box and press Enter [2]. Other vectors involve dragging a malicious link into a browser, a process that can lead to token theft in as little as three seconds [3].
Once the system is compromised, the malware targets Microsoft 365 environments to exfiltrate data from Outlook, OneDrive, and SharePoint [1, 2]. The goal of these operations is to harvest credentials and documents for further exploitation of the compromised networks [1].
The Microsoft Security Response Center said customers should be aware that token theft can happen in as little as three seconds after a malicious link is dragged into a browser [3].
“Token theft can happen in as little as three seconds after a malicious link is dragged into a browser.”
The use of 'ClickFix' lures and rapid token theft highlights a shift toward social engineering tactics that bypass multi-factor authentication. By stealing session tokens rather than just passwords, attackers can impersonate users without needing to trigger security alerts, making the compromise of cloud-based enterprise environments like Microsoft 365 more immediate and difficult to detect in real-time.

