🟠 High | Source: The Hacker News
ACR Stealer is an infostealer that tricks users into running malicious commands via ClickFix social engineering lures, harvesting saved browser credentials, live session tokens, and Microsoft 365 documents including files synced via OneDrive and SharePoint. Once a user pastes and executes the delivered command, the malware silently exfiltrates sensitive data without requiring any elevated privileges. This is particularly dangerous in enterprise environments where browser-stored credentials and active sessions provide direct access to cloud resources.
Security Architect’s Take: Enforce application control policies (e.g. via Microsoft Defender Application Control or AppLocker) to block arbitrary command execution from the Run dialogue, and deploy Conditional Access policies with token binding and continuous access evaluation in Entra ID to limit the utility of stolen session tokens.
Original advisory: ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files