We're told to keep our software updated, so a popup urging us to update feels responsible to click. Attackers turned that good habit against us. Here is how fake-update and malicious-download attacks work.
Security advice has drilled one message into all of us: keep your software updated. It's good advice. But it created an opening, because now a popup that says "Your browser is out of date — update now" feels like the responsible thing to click. Attackers noticed that our good habit could be turned into a trap, and fake updates have become a reliable way to get malicious software onto a computer with the victim's full cooperation.
How the trap is set
You're browsing a website — sometimes a legitimate one that's been compromised, sometimes a malicious one you reached through a search result or an ad — and a message appears. It looks official: a browser, Flash, a video player, or a system update is needed to continue. It's urgent and helpful-sounding. You click, a file downloads, you run it to "update," and instead of an update you've just installed malware. It often does install or appear to install something real, so nothing feels wrong until later.
A close cousin is the malicious download more broadly:
- Fake versions of real software. Search for a popular free program and the top result — sometimes a paid ad — leads to a look-alike site offering a poisoned copy.
- Cracked or pirated software. "Free" versions of paid programs are a classic delivery method for malware; the person installing it has already lowered their guard.
- Malicious ads. Even on legitimate sites, ad networks occasionally serve ads that push fake updates or downloads.
- Fake browser extensions or plugins. Add-ons that promise a useful feature and quietly do something else.
For a business, any of these on a work computer can mean stolen passwords, a foothold for ransomware, or an attacker quietly watching.
Why it works
This attack hijacks a habit you were taught to have. Years of "update to stay safe" messaging means an update prompt triggers a sense of duty rather than suspicion. It also exploits uncertainty — most people aren't sure how their software actually updates, so a confident-looking prompt fills the gap. And the urgency ("you can't continue until you update") pushes action before thought, just like every other social-engineering attack.
How to update safely
The fixes are straightforward once you know the rule: real updates don't come from random popups.
- Let software update itself, or update from inside the program. Modern browsers and operating systems update automatically or through their own settings — not through a web popup. If a site tells you to update your browser, close the site; check for updates through the browser's own menu if you're unsure.
- Download only from official sources. Get software from the maker's real website or an official app store. Be wary of search ads and look-alike sites; type the address you know rather than trusting the top result.
- Avoid pirated and cracked software entirely. The savings aren't worth being a malware delivery channel, and on a work machine the stakes are your whole business.
- Be cautious with browser extensions. Install only ones you actually need, from the official store, and review what permissions they ask for.
- Keep automatic updates on. Genuinely staying patched, the automatic way, removes the excuse a fake-update popup relies on.
The mindset for your team: a popup demanding you install or update something is a reason to stop, not to click. Real updates are quiet and come from the software itself.
When a malicious download does run, the damage depends on what that computer can reach across your accounts. Tenant Strike reviews your Microsoft 365 and Azure settings in read-only mode to show where a single infected machine would spread furthest — broad access, missing multi-factor authentication, sign-ins allowed from any device. It's a quick, plain-English check that turns a vague worry into a specific list of what to tighten.
AI-researched from public sources. We label AI-assisted writing — see our trust page.
See your own risk
Want this for your own Microsoft cloud?
Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.