Microsoft says it's boosted phishing protection in Windows 11 22H2
Security tool warns admins, users when a password is used on an untrusted site or stored locally
In the latest version of Windows 11, namely 22H2, Microsoft has introduced a feature in its Defender SmartScreen tool designed to, hopefully, keep passwords safer.
The enhanced phishing protection automatically detects when a user types their password into an app or website and knows immediately whether the app or site has a secure connection to a trusted website. If that's not the case, Windows lets users know – both that the site is likely dodgy and that they need to change their passwords – and alerts administrators through Defender for Endpoint.
"Not only are attackers motivated and creative, but their attacks are growing more and more sophisticated," Sinclaire Hamilton, a product manager at Microsoft, wrote in a blog post this week explaining how the above protection works. "Attackers don't break in, they log in."
“That means admins can know exactly when a password has been stolen and be equipped to better protect your organization," adding that Microsoft can also use that information to benefit others, Hamilton said.
"When Windows 11 protects against one phishing attack, that threat intelligence cascades to protect other Windows users interacting with other apps and sites that are experiencing the same attack as well."
The enhanced phishing protection feature is among several security capabilities available in Windows 11 version 22H2, which was introduced last week.
Microsoft, along with rivals Apple and Google, is pressing hard for a future without passwords for authentication. Microsoft is embracing stuff like biometrics – including fingerprint and face scans – and device PINs as alternatives, and the three giants in May announced support for standards being put forth by the FIDO Alliance and World Wide Web (W3) consortium.
Those standards could be implemented in early 2023.
Microsoft views passwords as unreliable, in large part because users tend to use the same password for multiple sites. A report by SpyCloud earlier this year found that 64 percent repeat passwords and 70 percent of passwords that have been compromised are still in use.
Still, the software giant wants to make passwords safer until that idyllic future arrives. SmartScreen is a key tool in that effort.
- SQL Server admins warned about Fargo ransomware
- A match made in heaven: systemd comes to Windows Subsystem for Linux
- Mozilla drags Microsoft, Google, Apple for obliterating any form of browser choice
- Microsoft highlights 'productivity paranoia' in remote work research
"SmartScreen identifies and protects against corporate password entry on reported phishing sites or apps connecting to phishing sites, password reuse on any app or site, and passwords typed into Notepad, Wordpad, or Microsoft 365 apps," Hamilton wrote.
Administrators can configure the various warning scenarios through Group Policy or a mobile device management (MDM) product. If they are using MDM, the feature by default is set in audit mode, which lets the admin analyze the unsafe use of a password via the Defender for Endpoint portal without warning the users.
"When notifications are turned on, SmartScreen displays a blocking dialog warning prompting users to change their password if they type their password into a phishing site in any Chromium browser or into an application connecting to a phishing site," Hamilton wrote. "When the user selects 'Change my password,' the Windows Settings application pops up to the area where the user can change their device password."
Without these capabilities, users may not know that they've entered their passwords onto a phishing site, opening themselves and their companies up to attacks. SmartScreen was designed as a "last mile protection" to enable users to recognize unsafe content, she wrote.
Microsoft also hopes SmartScreen will encourage better password behavior by users. They'll see warnings if they try to use their Microsoft account, Azure AD, Active Directory, or local password on any other site or application or if they try to store their password locally, such as in Notepad or a Microsoft 365 app. ®