Protect passwords with enhanced phishing protection
Published Sep 20 2022 10:00 AM 32.7K Views

Phishing is a huge problem

Did you know cybercrime is expected to cost the world $10.5 trillion annually by 2025, up from $6 trillion in 2021?[1] Across Windows, Azure, Microsoft 365, and Microsoft Defender for Office, we saw over 35.7 billion phishing attempts and over 25.6 billion attempts to attack our customers by brute-forcing with stolen passwords. Not only are attackers motivated and creative, but their attacks are growing more and more sophisticated.

Attackers don't break in, they log in. Because of this, our SmartScreen team has been developing a way to keep passwords safer. We're excited for you to protect your organization with enhanced phishing protection in Microsoft Defender SmartScreen in Windows 11, version 22H2 while you're on your journey to a fully passwordless future. This post will help you learn how enhanced phishing protection keeps your users' passwords safe, how you can manage this feature, and how you can view phishing protection alerts in the Microsoft Defender for Endpoint security portal.

Enhanced phishing protection: now available!

Enhanced phishing protection is baked into the Windows 11 operating system and automatically detects when users type their password into any app or site. Windows understands in real time whether that app or website has a secure connection to a trusted website; if not, Windows will let users know if they're in danger. That means admins can know exactly when a password has been stolen and be better equipped to protect their organization. When Windows 11 protects against one phishing attack, that threat intelligence cascades to protect other Windows users interacting with other apps and sites that are experiencing the same attack as well.

How does enhanced phishing protection work?

Behind the scenes, Windows analyzes where password entry occurs. When SmartScreen sees the right signals indicating unsafe usage of the password typed to sign into the Windows device, it jumps into action, whether you use a Microsoft Account, Active Directory, Azure Active Directory, or local password. SmartScreen does two things. First, it lets users know right in the moment that they need to change their password to reduce potential compromise to organizational resources. Second, it automatically reports the unsafe password usage to IT through the MDE portal so the incident can be tracked.

SmartScreen identifies and protects against corporate password entry on reported phishing sites or apps connecting to phishing sites, password reuse on any app or site, and passwords typed into Notepad, Wordpad, or Microsoft 365 apps. IT admins can configure, through CSP/MDM or Group Policy, which of these scenarios show warnings to end users. The feature is in audit mode by default if you manage the settings using MDM. Audit mode allows admins to analyze unsafe password usage in their environment through the Defender for Endpoint portal without warning users.

The user experience

When notifications are turned on, SmartScreen displays a blocking dialog warning prompting users to change their password if they type their password into a phishing site in any Chromium browser or into an application connecting to a phishing site.

Pop-up Windows Security window stating, This app made an unsafe connection that was reported to Microsoft for stealing passwords.

When the user selects "Change my password," the Windows Settings application pops up to the area where the user can change their device password.

Windows Settings page showing account sign-in options. Password is selected.

Without this feature, users may unknowingly give their credentials to attackers on a phishing site. We designed SmartScreen as a last mile protection to help users recognize unsafe content – no matter how convincingly safe it seems.

Additionally, SmartScreen can promote better user password behavior. If users try to reuse their Microsoft account, Azure AD, Active Directory, or local password (whichever is used to sign into the Windows device) on any site or application, like on social media, they'll see a warning to use strong, unique passwords to keep their information safe. The dialog prompts users to change their corporate password to prevent reuse on a non-corporate site.

Windows Security pop-up notification informing the user that password reuse is a security risk

If users try to store their password locally, like in Notepad or in any Microsoft 365 app, Windows 11 warns them that this is an unsafe practice and encourages them to delete it from the file.

Windows Security pop-up notifying the user that it's unsafe to store their password in this app

How to deploy phishing protection to users

From an IT perspective, you can customize which notifications appear to your end users through Intune policies. To access the SmartScreen settings in the Settings Catalog, follow the steps below:

  1. In the Microsoft Endpoint Manager admin center, navigate to Devices.
  2. Under Policy, select Configuration Profiles.
  3. Select Create profile and choose Windows 10 and later as the platform.
  4. Choose Settings catalog as the Profile type.
  5. Fill out the details you'd like under Basics. Under Configuration settings, select + Add settings.
  6. Find the 4 feature settings under Smart Screen, in the drop down for Enhanced Phishing Protection, and select all (Notify Malicious, Notify Password Reuse, Notify Unsafe App, and Service Enabled).

For details about each policy, see Policy CSP - WebThreatDefense. We recommend that you enable all four settings, as doing so will alert your users for all protection scenarios. If you prefer to leave the protection in audit mode so you can view Defender for Endpoint alerts of unsafe password usage without warning your users, ensure that only the Service Enabled policy is enabled.
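The following added example (not Microsoft's code and not part of the original post) checks a device inventory against the two states described above: all four settings enabled, or audit mode with only Service Enabled. The CSV layout, device names, mode labels and the treatment of notify settings without Service Enabled are assumptions made for illustration.

```python
import csv
import io

# The four settings named in the post; the CSV column layout is an assumption.
SERVICE = "ServiceEnabled"
NOTIFY = {
    "NotifyMalicious": "password typed into a reported phishing site or app",
    "NotifyPasswordReuse": "password reused on another site or app",
    "NotifyUnsafeApp": "password stored in Notepad, Wordpad or Microsoft 365 apps",
}

# Constructed sample inventory (1 = enabled, 0 = disabled, blank = not configured).
SAMPLE = """device,ServiceEnabled,NotifyMalicious,NotifyPasswordReuse,NotifyUnsafeApp
PC-001,1,1,1,1
PC-002,1,0,0,0
PC-003,1,1,0,
PC-004,0,1,1,1
PC-005,,,,
"""

def classify(row):
    """Return (mode, scenarios whose user warning is not explicitly enabled)."""
    value = lambda k: (row.get(k) or "").strip()
    warned = [k for k in NOTIFY if value(k) == "1"]
    silent = [NOTIFY[k] for k in NOTIFY if value(k) != "1"]
    if value(SERVICE) == "":
        return "not-configured", silent   # platform default applies
    if value(SERVICE) != "1":
        # Assumption: without Service Enabled nothing is reported, so notify
        # settings switched on alone point to a misconfigured profile.
        return ("misconfigured" if warned else "off"), list(NOTIFY.values())
    if not warned:
        return "audit", silent            # alerts in the portal, no user warnings
    if not silent:
        return "full", silent             # recommended: all four enabled
    return "partial", silent

def audit(csv_text):
    """Map device name -> (mode, scenarios with no user warning)."""
    return {r["device"]: classify(r) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for device, (mode, silent) in audit(SAMPLE).items():
        print(f"{device}: {mode}")
        for scenario in silent:
            print(f"    no user warning when: {scenario}")
```

Devices reported as "partial" or "misconfigured" are the ones to review first, since users there see no warning in at least one scenario the profile was presumably meant to cover.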

Screenshot from the Endpoint Manager admin center showing how to enable the four enhanced phishing protection settings in the Settings picker

The above policies can also be rolled out using Group Policy:

Screenshot showing how to enable enhanced phishing protection through Group Policy via the Local Group Policy Editor

See phishing alerts in the Defender for Endpoint portal

SmartScreen natively integrates with the MDE portal if your organization has an MDE license. To view alerts from SmartScreen, ensure the Service Enabled setting is turned on and follow these steps:

  1. In the Defender for Endpoint admin center, navigate to Alerts, under Incidents & Alerts.
  2. Search for "Enhanced Phishing Protection" so you can see alerts generated by the feature.

    Screenshot from Microsoft 365 Defender showing a sample alert for a user who connected to a suspicious domain

    Screenshot from Microsoft 365 Defender showing recommended actions to address the user who connected to a suspicious domain

Turn on enhanced phishing protection for your organization today!

Ultimately, SmartScreen detects and protects Windows 11 devices from modern attacks on corporate credentials as they occur. By prompting users to change their password, SmartScreen minimizes the chances of a weaponized credential being used against your organization.

Upgrade to Windows 11, version 22H2 and turn on the feature to start using it today. If you have any feedback or suggestions, you can share them with us in the Feedback Hub. Open the Feedback Hub app from the Start menu (or just press Windows Key + F) and, when you get to the part where it asks what category your feedback is for, select Security and Privacy > Microsoft Defender SmartScreen.

Resources

Interested in learning more? Read the product documentation about Enhanced Phishing Protection with Microsoft Defender SmartScreen:


[1] Source: Cybersecurityventures.com

Last update: Sep 21 2022 09:17 AM