The Fake 'Fix It' Prompt Stealing Microsoft 365 Data
One Pasted Command
The most instructive attack of the week did not exploit a single flaw. It talked a person into doing the work. On July 17, The Hacker News reported that an infostealer called ACR Stealer — a piece of malware “in circulation since 2024” — is quietly leaving corporate networks carrying saved browser passwords, live session tokens, and Microsoft 365 documents synced from OneDrive and SharePoint. The blunt summary of how it gets in: someone pasted a command into a Run box and pressed Enter.
That entry method is the now-familiar ClickFix technique. A booby-trapped ad or a poisoned search result shows a fake CAPTCHA or a convincing “error” and tells the visitor to “verify” or “fix” it by copying text and pasting it into the Windows Run dialog. The pasted command quietly pulls a malicious file from a remote server — in one observed version, hidden inside an ordinary-looking image. No vulnerability is exploited; the attack succeeds by persuading a person, not by breaking software. The Hacker News has also tracked how far ClickFix has spread across fake CAPTCHAs and trusted web services.
Can an Infostealer Get Around MFA to Reach Microsoft 365?
Often, yes — and that is the part worth sitting with. Microsoft’s Defender Experts team watched ACR Stealer activity climb across customer environments from late April to mid-June, describing the campaigns as “successfully using ClickFix lures to steal browser credentials, authentication tokens, and sensitive documents.” That middle item — authentication tokens — is why multi-factor authentication is necessary but not the whole story.
A stolen password is a key someone still has to turn. A stolen session token is a door already standing open.
When the malware lifts your live session tokens and cookies, it is not stealing the password you type; it is stealing proof that you already logged in. Because that session already cleared the login — including any MFA prompt — an attacker who replays the token can often resume where the user left off without authenticating again. That is why the reporting stresses a blunt point: on this kind of compromise, revoke the tokens, don’t just rotate the password. A reset on its own may not end every stolen session.
Why This Matters for a Small Practice
It is tempting to file “infostealer” under enterprise problems. It is not. Most small medical and dental practices run on Microsoft 365 or Google Workspace, and the files that sync to a front-desk laptop’s OneDrive or SharePoint — referral PDFs, scanned intake forms, billing correspondence, an exported schedule — often contain electronic protected health information (ePHI). The same folder that makes collaboration easy is the folder this malware copies. And the person most likely to meet the lure is not your most careless employee; it is your busiest one, mid-task, who sees an official-looking “click here to continue” and trusts it.
This is the gap Byzantine Technologies was built around. As founder Edward Stratton puts it, “the greatest vulnerability in our digital world isn’t a flaw in the code; it’s the gap between people.” Multi-factor authentication meaningfully cuts your account-takeover risk, so turn it on where it matters and keep it on. But MFA guards the moment of login. It does not un-steal a token that was lifted after a legitimate login, which is why this class of attack rewards a different set of habits.
Where to Start
Most of this risk yields to a few plain habits and the right basics, practiced as a team.
- Make one rule non-negotiable: nobody pastes a command they did not write into the Run box, PowerShell, or a terminal — ever. A legitimate website never needs you to do that. That single reflex, reinforced the way effective security awareness is, breaks the specific paste-and-run chain these attacks depend on.
- Back that habit with real endpoint protection, not just legacy antivirus. Behavior-based endpoint detection and response is more likely to catch the file this attack quietly loads than signature-only tools.
- If a machine is even suspected of compromise, isolate it first, then revoke sessions — don’t just reset the password. Disconnect the device from the network, then in Microsoft 365 or Google Workspace sign the user out of all sessions and revoke tokens before resetting credentials, and treat it as a potential incident.
Byzantine takeaway: The attackers here did not pick a lock; they handed someone a key and asked them to turn it. The defense is human: teach your team that “paste this to continue” is the whole trap, back them with endpoint protection that watches behavior, and know how to revoke a stolen session rather than just reset a password. Cybersecurity is a team effort, and this one an office and its IT partner can practice together.