Microsoft says ACR Stealer activity rose across customer environments from late April to mid-June, with campaigns using ClickFix lures, WebDAV, MSHTA, obfuscated PowerShell, and even JPEG-hidden payloads. Security teams should treat infections as token and document-exposure events, not just password resets.