Microsoft has rolled out ‘Enhanced Phishing Protection’ in Windows 11, version 22H2, which automatically detects when you type a password into an unsafe app or site and then reports it to admins via Microsoft Defender for Endpoint.
The feature is based on Microsoft’s SmartScreen technology and caters to both consumers and enterprise users on the new Windows 11 2022 Update.
If the user types their credentials on an untrustworthy site or app, Windows alerts the user as well as admins who get a record of when and where the password was used.
“When Windows 11 protects against one phishing attack, that threat intelligence cascades to protect other Windows users interacting with other apps and sites that are experiencing the same attack as well,” explains Microsoft’s Sinclaire Hamilton.
The SmartScreen feature works for consumer Microsoft Accounts, as well as accounts managed through Active Directory, Azure Active Directory, and local passwords.
It immediately lets users know they need to change their password and automatically reports the unsafe password usage to IT through the Microsoft Defender for Endpoint portal.
The phishing problem will persist as long as passwords are used to log in to apps, sites and domains. As Hamilton notes: “Attackers don’t break in, they log in.”
Bill Gates in 2004 wrongly predicted we’d be using passwords less and less in the future. Instead, people needed more and more with each new online service. Today, Microsoft, Apple, Google and others are supporting OAuth and FIDO2 standards to make it easier to go passwordless and enable two-factor authentication. With Windows 11 22H2, Microsoft has focussed on security defaults that help prevent attacks, such as the Smart App Control allow-list. It’s also testing a default Windows 11 SMB rate limiter to drastically slow down password attacks.
“SmartScreen identifies and protects against corporate password entry on reported phishing sites or apps connecting to phishing sites, password reuse on any app or site, and passwords typed into Notepad, Wordpad, or Microsoft 365 apps,” notes Hamilton.
IT admins can use Group Policy or an MDM solution to configure the scenarios where users would see warnings. If admins are using MDM, the feature is by default in audit mode, which lets admins see unsafe password usage in their environment in the Defender for Endpoint portal without warning users.
End users will now see a pop-up warning after typing a password into an unsafe place that says: “This app made an unsafe connection that was reported to Microsoft for stealing passwords.”
The pop-up includes an option to “change my password”, which opens the Windows Settings app to the section where users can change their device password.
Additionally, Windows now also warns users who reuse their Microsoft account, Azure AD, Active Directory, or local password on other sites, prompting them to use a strong, unique password instead. If reuse is detected, the dialog prompts users to change their corporate password so it is no longer shared with a non-corporate site.
Hamilton notes that Enhanced Phishing Protection is available to all consumers and enterprises using Windows 11 22H2 regardless of license tier.
But to see Enhanced Phishing Protection alerts in the M365 Defender security portal, commercial customers must have a license that provides Microsoft 365 Defender security portal access, such as the E5 license.