In the latest version of Windows 11, Microsoft is introducing a feature in its Microsoft Defender SmartScreen tool designed to keep passwords safer.
The enhanced phishing protection automatically detects when a user types their password into an app or website and knows immediately whether the app or site has a secure connection to a trusted website.
If the site is untrusted, Windows lets users know – both that the site is untrusted and that they need to change their passwords – and alerts administrators through Defender for Endpoint.
Threat groups continue to run phishing campaigns to steal credentials, with cybersecurity researchers at Zscaler noting a 29 percent year-to-year increase in such attacks in 2021, the rise of phishing-as-a-service, and the extension of such attacks into SMS and other avenues.
Microsoft – among the top five most targeted brands, according to Zscaler – found that across Windows, Azure, Microsoft 365, and Microsoft Defender for Office, there were more than 35.7 billion phishing attempts and more than 25.6 billion attempts to brute-force into accounts using stolen passwords.
“Not only are attackers motivated and creative, but their attacks are growing more and more sophisticated,” Sinclaire Hamilton, a product manager at Microsoft, wrote in a blog post. “Attackers don’t break in, they log in.”
“That means admins can know exactly when a password has been stolen and be equipped to better protect your organization,” Hamilton wrote, adding that Microsoft can also use that information to benefit others.
“When Windows 11 protects against one phishing attack, that threat intelligence cascades to protect other Windows users interacting with other apps and sites that are experiencing the same attack as well.”
The enhanced phishing protection feature is among several security capabilities available in Windows 11 version 22H2, which was introduced last week.
Microsoft, along with rivals Apple and Google, is pressing hard for a future without passwords for authentication. Microsoft is embracing tools like biometrics – including fingerprint and face scans – and device PINs as alternatives, and in May the three companies announced support for standards being put forth by the FIDO Alliance and the World Wide Web Consortium (W3C).
Those standards could be implemented in early 2023.
Microsoft views passwords as unreliable, in large part because users tend to use the same password for multiple sites. A report by SpyCloud earlier this year found that 64 percent of users repeat passwords and that 70 percent of passwords that have been compromised are still in use.
Still, the software giant wants to make passwords safer until that idyllic future arrives. SmartScreen is a key tool in that effort.
“SmartScreen identifies and protects against corporate password entry on reported phishing sites or apps connecting to phishing sites, password reuse on any app or site, and passwords typed into Notepad, Wordpad, or Microsoft 365 apps,” Hamilton wrote.
Administrators can configure the various warning scenarios through Group Policy or a mobile device management (MDM) product. If they are using MDM, the feature by default is set in audit mode, which lets the admin analyze the unsafe use of a password via the Defender for Endpoint portal without warning the users.
“When notifications are turned on, SmartScreen displays a blocking dialog warning prompting users to change their password if they type their password into a phishing site in any Chromium browser or into an application connecting to a phishing site,” Hamilton wrote. “When the user selects ‘Change my password,’ the Windows Settings application pops up to the area where the user can change their device password.”
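As an added example, not from the article or from Microsoft, the PowerShell below reads the Enhanced Phishing Protection policy values that the Group Policy or MDM (ADMX-backed WebThreatDefense) policy writes under the WTDS\Components key and reports whether the device is in audit mode (service on, no user warnings) or fully notifying. The key and value names are assumed from Microsoft's documentation for this feature and are not listed in the article; the `-Enforce` switch is a hypothetical convenience for turning all three warning scenarios on.

```powershell
# Added example: inspect (and optionally enforce) Enhanced Phishing Protection policy.
# Key and value names are assumed from Microsoft's WebThreatDefense policy docs; run elevated.
param([switch]$Enforce)

$Key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'
$Names = 'ServiceEnabled', 'NotifyMalicious', 'NotifyPasswordReuse', 'NotifyUnsafeApp'

function Get-EppState {
    $state = @{}
    foreach ($n in $Names) {
        # An absent value means no policy is configured; treat it as 0 (off).
        $v = (Get-ItemProperty -Path $Key -Name $n -ErrorAction SilentlyContinue).$n
        $state[$n] = if ($null -eq $v) { 0 } else { [int]$v }
    }
    return $state
}

function Get-EppMode([hashtable]$s) {
    if ($s.ServiceEnabled -ne 1) { return 'Disabled' }
    $notify = $s.NotifyMalicious + $s.NotifyPasswordReuse + $s.NotifyUnsafeApp
    if ($notify -eq 0) { return 'Audit' }    # reported to Defender for Endpoint only, users not warned
    if ($notify -eq 3) { return 'Notify' }   # all three user warning scenarios on
    return 'Partial'                          # only some scenarios warn the user
}

$state = Get-EppState
'{0,-22} {1}' -f 'Mode:', (Get-EppMode $state)
foreach ($n in $Names) { '{0,-22} {1}' -f "$($n):", $state[$n] }

if ($Enforce) {
    # Turn on the service and all three warning scenarios the article describes.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($n in $Names) {
        Set-ItemProperty -Path $Key -Name $n -Value 1 -Type DWord
    }
    'Policy values set; a gpupdate or reboot may be needed before SmartScreen applies them.'
}
```

A device reporting `Audit` matches the MDM default the article describes: unsafe password use shows up in the Defender for Endpoint portal while users see no dialog.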
Without these capabilities, users won’t know that they’ve entered their passwords onto a phishing site, opening themselves and their companies up to attacks. SmartScreen was designed as a “last mile protection” to enable users to recognize unsafe content, she wrote.
Microsoft also hopes SmartScreen will encourage better password behavior by users. They’ll see warnings if they try to use their Microsoft account, Azure AD, Active Directory, or local password on any other site or application or if they try to store their password locally, such as in Notepad or a Microsoft 365 app. ®