Fraudulent Windows Defender Updates

Threat actors are using browser push notifications to trick users into installing fraudulent Windows Defender updates. A pop-up appears in the tray to notify the user of the update. If the user clicks it, they are directed to a fraudulent update website that prompts them to download and run a signed ms-appinstaller (MSIX) package purporting to be published by Microsoft. Once installed, the package appears in the Start Menu but serves as a shortcut to an installed data-stealing Trojan that targets various applications and information.

Image: Fraudulent Windows Defender Alert (Image Source: McAfee, Fake Defender Alert)

Updates for any Microsoft product should only be installed through Windows Update, which is built into Windows. Typically, Windows installs updates automatically and notifies the user after the update is complete. Users are advised to navigate directly to official websites by manually typing the URL into the browser instead of clicking on links from unverified sources. Lastly, ensure that you are running antivirus software that is set to auto-update its virus definitions. Threats like this should be spotted by most modern, up-to-date antivirus products.
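
A triage check for the lure described above, written as an added example that is not part of the original advisory: it reads AppxManifest.xml from a downloaded MSIX and flags a package whose displayed publisher or name invokes Microsoft or Defender while the Identity Publisher subject names a different organisation. The helper names, the keyword heuristic and the sample manifests are assumptions constructed for illustration, and the check does not validate the package signature.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10"}

def read_identity(msix_bytes):
    """Return (publisher subject, shown publisher, shown app name) from an MSIX."""
    with zipfile.ZipFile(io.BytesIO(msix_bytes)) as pkg:
        root = ET.fromstring(pkg.read("AppxManifest.xml"))
    identity = root.find("m:Identity", NS)
    props = root.find("m:Properties", NS)
    if identity is None or props is None:
        raise ValueError("manifest has no Identity or Properties element")
    return (identity.get("Publisher", ""),
            props.findtext("m:PublisherDisplayName", "", NS),
            props.findtext("m:DisplayName", "", NS))

def subject_org(subject):
    """Extract the O= value from an X.500 subject string ('' if absent)."""
    m = re.search(r'(?:^|,)\s*O=(?:"([^"]*)"|([^,]*))', subject, re.IGNORECASE)
    return ((m.group(1) or m.group(2) or "") if m else "").strip()

def claims_microsoft_but_is_not(msix_bytes):
    """True when the text shown to the user invokes Microsoft/Defender but the signer org does not."""
    publisher, shown_publisher, shown_name = read_identity(msix_bytes)
    claims = "microsoft" in shown_publisher.lower() or "defender" in shown_name.lower()
    return claims and "microsoft" not in subject_org(publisher).lower()

def build_sample(publisher, shown_publisher, shown_name):
    """Build a constructed, manifest-only MSIX in memory (sample data, not a real package)."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        f'<Package xmlns="{NS["m"]}">\n'
        f'  <Identity Name="Sample.App" Publisher="{publisher}" Version="1.0.0.0" />\n'
        f'  <Properties><DisplayName>{shown_name}</DisplayName>\n'
        f'  <PublisherDisplayName>{shown_publisher}</PublisherDisplayName></Properties>\n'
        '</Package>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("AppxManifest.xml", manifest)
    return buf.getvalue()

if __name__ == "__main__":
    fake = build_sample("CN=Example Signer Ltd, O=Example Signer Ltd, C=US",
                        "Microsoft", "Windows Defender Update")
    print("suspicious:", claims_microsoft_but_is_not(fake))
```

A hit is a reason to quarantine the file and check the signing certificate, not a verdict on its own.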