Why Microsoft Defender Is Probably Right to Block MAS (Microsoft Activation Scripts)

Reports have been circulating that Microsoft Defender is suddenly blocking Microsoft Activation Scripts (MAS), a well-known community tool used to activate Windows and Office. Screenshots shared by users show Defender flagging it with the detection name “Trojan:PowerShell/FakeMas.DA!MTB,” which—at first glance—makes it look like Microsoft’s security suite is incorrectly labeling the original open-source script as malware.

That initial narrative is easy to believe. MAS isn’t an official Microsoft product, it’s widely discussed online, and it has long attracted imitation copies made to spread malware. So when people saw “FakeMas” in the warning, many assumed Defender had started intentionally targeting the real tool, triggering accusations of a deliberate clampdown rather than a genuine security detection.

But when the situation is tested more carefully, the story looks less like a Microsoft Defender “fail” and more like a potential network-level problem affecting certain users. With the latest Defender updates (as of January 9, 2026), tests on multiple laptops could not reproduce the warning. The commonly used command:

irm https://get.activated.win | iex

ran without Defender raising an alert. Even when checking slightly older Defender versions using recent VM backups from the last few days, the script still passed without any detection.

That matters because Defender’s warning message doesn’t simply claim “MAS is dangerous.” It claims the user may be dealing with a FakeMas variant. If some people receive a “fake” version while others receive the legitimate one, the most likely difference isn’t Defender itself—it’s what content those users are actually receiving when they try to access the MAS download/launcher address.

A plausible explanation is DNS tampering or DNS-related issues (including DNS spoofing). In plain terms: if a user’s DNS resolution has been altered—whether by a misconfigured ISP DNS server, a local network problem, or an active attack—then typing the correct domain could silently route them to the wrong server. Instead of retrieving the legitimate script, they could be served a malicious copy designed to look similar. In that scenario, Microsoft Defender isn’t producing a false positive at all—it’s blocking a real threat at the last possible moment.

This theory also lines up with how these reports appear to cluster by region. If the problem were caused by a global Defender rule change targeting MAS itself, the reports would likely be widespread and consistent. Regional spikes point more toward ISP-specific DNS behavior, local redirection, or targeted manipulation affecting specific networks.

One important takeaway: advice telling users to disable Microsoft Defender to “get MAS working again” is risky. If a user is being redirected to a malicious FakeMas script, turning off protection removes the very safeguard that may be preventing a Trojan infection.

Instead, affected users should check DNS settings and consider testing with a known, reputable DNS resolver. One approach is to force DNS-over-HTTPS for the retrieval step using Cloudflare’s DNS endpoint. The following command has been suggested as a way to bypass potentially compromised DNS resolution:

iex (curl.exe -s --doh-url https://1.1.1.1/dns-query https://get.activated.win | Out-String)

If using that method makes the warning disappear and the script behaves normally, it strongly suggests the issue wasn’t Microsoft Defender “randomly blocking MAS,” but rather a DNS path that was delivering the wrong (and likely malicious) content.
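
An added example (not from the original article or the MAS project) that tests the DNS theory without executing anything: it downloads the launcher once through the system resolver and once through the DoH endpoint above, then compares the IP address reached and the SHA-256 of each copy. The scratch directory and the helper function name are assumptions.

```powershell
# Added example: fetch the launcher over two DNS paths and compare the copies. Nothing is executed.
$Url    = 'https://get.activated.win'          # URL from the article
$DohUrl = 'https://1.1.1.1/dns-query'          # DoH endpoint from the article
$OutDir = Join-Path $env:TEMP 'mas-dns-check'  # assumed scratch directory
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-LauncherSample {                  # hypothetical helper name
    param([Parameter(Mandatory)][string]$Label, [string[]]$ExtraArgs = @())
    $file = Join-Path $OutDir "$Label.txt"     # .txt so it cannot be run by accident
    Remove-Item -Path $file -ErrorAction SilentlyContinue
    # -L follows redirects like irm does; -o saves the body to disk only;
    # -w prints the IP address curl actually connected to.
    $curlArgs = @('-s', '-S', '-L', '--max-time', '30') + $ExtraArgs +
                @('-o', $file, '-w', '%{remote_ip}', $Url)
    $remoteIp = & curl.exe @curlArgs
    $exit = $LASTEXITCODE
    $hash = $null
    # The file can be missing if the download failed or was quarantined on write.
    if ($exit -eq 0 -and (Test-Path $file)) {
        $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    }
    [pscustomobject]@{ Path = $Label; RemoteIp = $remoteIp; CurlExit = $exit; Sha256 = $hash }
}

$system = Get-LauncherSample -Label 'system-dns'
$doh    = Get-LauncherSample -Label 'doh' -ExtraArgs @('--doh-url', $DohUrl)
$system, $doh | Format-List

# Differing IPs alone are not conclusive (a CDN may answer differently per resolver);
# differing content, or a failure on only one path, is the signal to investigate.
if (-not $system.Sha256 -or -not $doh.Sha256) {
    Write-Warning 'At least one copy is missing; check CurlExit (a TLS certificate error is itself a finding).'
} elseif ($system.Sha256 -eq $doh.Sha256) {
    Write-Output 'Both DNS paths returned identical content.'
} else {
    Write-Warning "Content differs between DNS paths. Inspect the files in $OutDir and do not run them."
}
```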

In short, the “Microsoft Defender blocks MAS” reports may be less about Microsoft cracking down or making a mistake—and more about Defender doing its job when users are unknowingly routed to a FakeMas copy. If you’re seeing the “Trojan:PowerShell/FakeMas” detection, the safest next step isn’t to disable security—it’s to verify your DNS, your network, and the integrity of what you’re downloading.