ACR Stealer uses ClickFix lures to steal browser passwords, session tokens, and Microsoft 365 files. Learn how this infostealer enters networks and how to protect your data.
Imagine this: an employee gets a message that looks harmless, pastes a quick command into the Run box, and hits Enter. That single action just handed over your company's saved browser passwords, live session tokens, PDFs, Microsoft 365 documents, and everything sitting in OneDrive and SharePoint to a cybercriminal. That's the reality of ACR Stealer, an infostealer that's been quietly walking out of enterprise networks since 2024.
This isn't a complex hack involving zero-day exploits or brute-force attacks. It's disturbingly simple, and Microsoft's Defender Experts team recently detailed two of the delivery chains behind it. For anyone worried about browser security or the safety of their Microsoft 365 files, this is a wake-up call.
### How ACR Stealer Gets Inside
The primary infection method is a technique called ClickFix. It relies on social engineering, not technical wizardry. The attacker tricks the user into thinking they need to run a command to fix a problem. Common lures include fake error messages, urgent security alerts, or even fake CAPTCHA prompts that say something like "Press Windows Key + R, then paste this to verify you're human."
Once the user pastes the command and presses Enter, the malware executes. No file download, no suspicious attachment. Just a few keystrokes, and your network is compromised. This makes traditional antivirus tools nearly useless because the malicious payload is delivered directly through the operating system's own tools.
### What ACR Stealer Targets
Once inside, ACR Stealer doesn't waste time. It goes straight for high-value data that can be sold on dark web marketplaces or used for identity theft and corporate espionage. Here's what it typically grabs:
- Saved browser passwords from Chrome, Edge, Firefox, and other major browsers
- Active session tokens that let attackers bypass multi-factor authentication
- PDF files and Microsoft 365 documents (Word, Excel, PowerPoint)
- Files synced from OneDrive and SharePoint folders
- Browser cookies and autofill data
Session tokens are particularly dangerous. They allow an attacker to log into your accounts without needing a password or a second factor. Even if you have MFA enabled, a stolen token can render it useless.
### Why Enterprises Are Especially Vulnerable
Large organizations are prime targets because they have more data to steal. Microsoft 365 environments are rich with sensitive documents, financial records, and intellectual property. OneDrive and SharePoint sync often means files are stored locally, making them easy pickings for an infostealer.
But the real vulnerability is human. Employees are conditioned to follow instructions from IT. When a pop-up says "Run this command to fix your connection," many will do it without thinking. The pressure to stay productive overrides caution.
### How to Protect Your Network
Defending against ACR Stealer requires a layered approach that addresses both technology and human behavior. Here are practical steps:
**Block dangerous commands at the source.** Use Group Policy or endpoint detection tools to prevent common PowerShell and CMD commands from running in the Run box. This stops many ClickFix attacks cold.
**Train employees to recognize social engineering.** Run regular phishing simulations that include fake error messages and CAPTCHA prompts. Teach your team that legitimate IT support will never ask them to paste commands.
**Limit local admin rights.** Most users don't need full admin access. Restricting permissions can prevent malware from installing or accessing sensitive folders.
**Enable browser token protection.** Modern browsers and security tools can flag unusual token usage. Consider using an antidetect browser for sensitive tasks to isolate sessions and prevent token theft from spreading.
**Monitor for suspicious OneDrive and SharePoint activity.** Sudden bulk downloads or unusual file access patterns can indicate a stealer at work.
### The Bottom Line
ACR Stealer proves that sophisticated cyberattacks don't need fancy tools. A simple paste and press of Enter can undo months of security investments. The best defense is a combination of technical controls and a workforce that knows how to spot a trap.
For professionals managing browser security and enterprise data, this threat underscores the value of using tools like antidetect browsers to compartmentalize sessions and protect tokens. Stay vigilant, and never assume that a simple command is harmless.