What Happened
Microsoft’s Defender Experts team published an analysis on July 16, 2026 documenting a significant rise in ACR Stealer campaigns from late April through mid-June. Attackers are using ClickFix — the social engineering technique that prompts users to paste a PowerShell command into a Run dialog — to deliver the infostealer via two distinct intrusion chains. One chain leaves artifacts on disk; the other operates almost entirely in memory, reducing its visibility to endpoint detection tools.
ACR Stealer, also sold as Amatera Stealer since a mid-2025 rebrand at prices ranging from $199 per month to $1,499 per year, targets saved browser passwords, active session tokens, PDFs, Microsoft 365 documents, and files stored in enterprise-synchronized directories such as OneDrive for Business and SharePoint. The malware enumerates synced directories automatically, meaning any documents replicated to a user’s device from organizational storage are at risk. Source: Microsoft Security Blog
Why This Matters for Canadian Organizations
ClickFix has emerged as one of the dominant social engineering delivery methods in 2026 because it bypasses browser-based download protections and email attachment scanning entirely — the payload arrives as a command the user types themselves. Canadian organizations relying on Microsoft 365 Defender or endpoint protection to catch malicious downloads face a detection gap when the entry point is a legitimate Windows Run dialog.
The specific targeting of OneDrive and SharePoint sync directories is significant for Canadian enterprise and government users. Many organizations running Microsoft 365 enable automatic sync of SharePoint document libraries to employee desktops, which means a single infected workstation can expose files from shared drives, compliance documents, or internal communications to theft. For organizations subject to PIPEDA, this constitutes a breach of personal information if those directories contain client data, personnel files, or health records. OSFI B-13 requires financial institutions to protect information assets across their operating environment; credential theft from a single employee’s synchronized OneDrive represents a failure point under that obligation. The memory-resident delivery chain makes this particularly difficult to detect post-infection without behavioral detection capabilities or memory forensics.
What to Do
Train employees to recognize ClickFix lures — these are pages or pop-ups claiming a browser error or verification step requires the user to copy and paste a command. No legitimate service asks you to paste commands into a Run dialog. Audit Microsoft 365 OneDrive sync policies and restrict which SharePoint libraries auto-sync to employee devices, prioritizing limiting sync of high-sensitivity document libraries. Enable attack surface reduction rules in Microsoft Defender for Endpoint, specifically those targeting script-based execution from suspicious processes. Review session token invalidation procedures: ACR Stealer steals live tokens, so a credential password reset alone is insufficient — active sessions must be revoked. Organizations with SIEM coverage should write detection rules for PowerShell invocation patterns associated with ClickFix delivery and for anomalous file enumeration of synced directories.






