Skip to content
Breachfolio
THREAT RESEARCH NEWS

Microsoft warns of surge in ACR Stealer attacks against enterprise customers

3 min read Breachfolio · Editorial desk

Microsoft has recently issued a security alert regarding a significant uptick in ACR Stealer activity targeting enterprise customers. This modular malware is specifically engineered to harvest credentials, browser-stored passwords, authentication tokens, and sensitive documents from compromised endpoints. The campaign represents a persistent threat to organizational security, as it bypasses standard signature-based detection mechanisms frequently deployed by legacy antivirus solutions.

The threat actors behind these campaigns typically gain initial access via phishing or social engineering, subsequently deploying the ACR Stealer payload to extract high-value information. Once established, the malware exfiltrates stolen data to attacker-controlled command-and-control (C2) servers. The reliance on browser-stored data makes this a particularly dangerous threat, as it enables attackers to circumvent multi-factor authentication (MFA) in scenarios where persistent session tokens are successfully harvested.

Context

Stealer malware has evolved significantly in recent years, moving from simple keyloggers to sophisticated, modular frameworks that offer extensive persistence and exfiltration capabilities. ACR Stealer follows this trend by leveraging a multi-stage execution model. It first profiles the host system to determine whether it is a physical machine or a virtualized environment, often attempting to evade sandbox analysis before proceeding to decrypt and extract browser data.

These campaigns often form part of a broader "initial access broker" model, where the stolen credentials are sold on dark web forums or utilized by affiliated threat groups for further lateral movement within a target network. Because these tools are distributed via "malware-as-a-service" platforms, their operational complexity remains low for attackers, allowing for rapid iteration and high-volume deployment across diverse sectors.

Why it matters

The core danger posed by ACR Stealer lies in its ability to compromise session persistence. Many enterprise security models rely heavily on MFA to protect access to cloud-based applications and internal resources. However, when an attacker steals a valid authentication token, they effectively "become" the user, rendering standard MFA prompts moot for the duration of that session.

Furthermore, the extraction of sensitive documents provides attackers with the necessary reconnaissance to launch targeted business email compromise (BEC) attacks or to identify further vulnerabilities within the network. This shift from simple credential harvesting to document exfiltration signals a more aggressive approach to exploitation that IT departments must prioritize immediately.

The bigger picture

This incident reflects the growing trend of information-stealing campaigns that specifically target the "human layer" of the security stack. As organizations move more operations to the cloud, the browser becomes the primary gateway for work. History shows that when threat actors find a reliable method for bypassing MFA through token theft, the frequency of such attacks typically remains high until vendors implement more robust device-bound authentication.

Are you affected

  • You utilize web browsers to access corporate cloud resources.
  • Your organization allows the local storage of credentials or session tokens.
  • You have not implemented strict conditional access policies based on device compliance.
  • Your employees regularly handle sensitive documents that are accessible through web-based portals.

What to do now

To defend against ACR Stealer, you should implement strictly scoped conditional access policies that require continuous verification of device health. Avoid relying solely on persistent session tokens for critical applications and mandate periodic re-authentication.

Ensure that your Endpoint Detection and Response (DR) tools are configured to monitor for anomalous browser processes and unauthorized outbound traffic patterns. Finally, educate your users on the signs of phishing attempts that aim to drop information-stealer payloads, and consider enforcing the use of hardware-based security keys where possible to prevent token-based attacks.

Source

This is our own summary and analysis. The original reporting is at BleepingComputer →

Frequently asked questions

What is ACR Stealer?
ACR Stealer is a modular malware designed to harvest browser-stored credentials, session tokens, and sensitive documents from endpoints.
Can this malware bypass multi-factor authentication?
Yes, by stealing valid authentication tokens, attackers can effectively bypass MFA and hijack active user sessions.
How can I protect my organization?
You should implement strict conditional access policies, require periodic re-authentication, and deploy EDR solutions to monitor for anomalous browser behavior.