Microsoft is significantly advancing its Windows 11 Enhanced Phishing Protection by trialing a novel feature that alerts users when they copy and paste their Windows credentials into web portals and documents.
In conjunction with the launch of Windows 11 22H2, Microsoft rolled out a new security component named Enhanced Phishing Protection. This tool is purpose-built to safeguard your Windows and Active Directory domain credentials from being captured by malicious entities.
A predominant method that malicious entities employ to breach websites or corporate infrastructures is procuring or illicitly acquiring corporate credentials. The initial source of these credentials is often phishing campaigns or information-extracting malware.
These compromised credentials can then be used by the adversaries to infiltrate other accounts utilized by the Windows user, including email, banking, and cryptocurrency trading accounts. Even more concerning is that these stolen accounts can be exploited to access corporate networks, thereby providing hackers the ability to laterally propagate through a network to orchestrate BEC scams, data theft, supply chain attacks, and ransomware offensives.
The volume of stolen credentials represents a colossal and ubiquitous issue, with digital crime marketplaces vending billions of credentials and authentication cookies and more specialized platforms selling in excess of a million remote desktop credentials.
Owing to this rampant abuse, law enforcement agencies have been proactively targeting these marketplaces of stolen credentials, culminating in successful operations such as the seizure of the WT1SHOP in 2022 and the more recent dismantling of the Genesis Market.
Windows 11’s Enhanced Phishing Protection
When Microsoft initially launched the new Windows Enhanced Phishing Protection, it only warned users who manually typed their Windows credentials into a document or a web login page.
However, users are widely advised to use password managers to generate strong, unique passwords for their various logins, and as a result, many individuals copy and paste their passwords from their password manager into login prompts.
Because the feature did not previously cover pasted text, pasting a password bypassed the Windows security component entirely.
Along with the introduction of Windows 11 Insider Dev build 23506, Microsoft has augmented its phishing protection feature by now identifying when a user copies and pastes their Windows password.
The Dev build release notes state that, starting with this build, users who have enabled the warning options in Windows Security under App & browser control > Reputation-based protection > Phishing protection will see a UI warning on insecure password copy and paste, just as they currently do when they type their password.
As this feature is not activated by default, Windows users should activate it by navigating to Windows Security > App & browser control > Reputation-based protection > Phishing protection and ticking all three options.
Once turned on, this component will alert users when they enter or copy and paste their Windows login credentials into website forms or documents.
This warning will bear the title “Password reuse is a security risk,” and will prompt users to change their Windows account password, providing a link to a support document.
The Windows phishing protection alert elaborates, “If your password is stolen from this site, attackers will attempt to exploit it on other sites too. Utilize strong, unique passwords to preserve your personal information.”
Furthermore, it encourages, “Microsoft advises modifying your local Windows account password.”
Our previous tests of the Windows Enhanced Phishing Protection revealed some limitations with certain applications, like Firefox and Excel. But the current tests show that these issues have been addressed, resulting in a more robust feature.
However, it does not function with certain third-party applications frequently used for password storage, such as Notepad2, Notepad++, and likely several others.
Microsoft has additionally introduced a new “Warn others about suspicious apps and sites” phishing protection setting, but there is a lack of information about this new setting and the meaning of ‘others.’
Microsoft has yet to provide answers to our questions regarding this new setting.
Lastly, it should be underscored that the Windows 11 Phishing protection feature does not function if you employ Windows Hello, like PIN or biometrics, to log in to Windows.
For this feature to function, Windows users need to log in using a password so that it is cached in memory and can be compared against text the user enters elsewhere (typed or copied and pasted).
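To make the mechanism and its Windows Hello limitation concrete, here is an added Python model of a password-reuse monitor. It is illustrative code written for this article, not Microsoft's implementation, and the class and method names (`PasswordReuseMonitor`, `logon_with_password`, `logon_with_hello`, `check_input`) are assumptions. It models only what the text describes: a password captured at password logon is compared against text entered later, whether typed or pasted, and no comparison is possible when sign-in happened via PIN or biometrics because no password was ever seen. Rather than holding the plaintext, the model keeps a keyed hash of the password and hashes each window of the entered text, which keeps the comparison constant-time and avoids leaving the secret in a string.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class ReuseAlert:
    """The warning shown to the user; title text is taken from the article."""
    source: str  # "typed" or "pasted"
    target: str  # where the credential was entered (site, document, ...)
    title: str = "Password reuse is a security risk"


class PasswordReuseMonitor:
    """Hypothetical model of a Windows-style password reuse check.

    The real Windows component's internals are not public; this class only
    mirrors the behaviour the article describes.
    """

    def __init__(self) -> None:
        self._key: Optional[bytes] = None     # per-session random HMAC key
        self._digest: Optional[bytes] = None  # HMAC of the logon password
        self._length = 0                      # password length, needed to window input

    def logon_with_password(self, password: str) -> None:
        """Password logon: cache a keyed hash of the password, not the plaintext."""
        self._key = os.urandom(32)
        self._digest = hmac.new(self._key, password.encode("utf-8"), hashlib.sha256).digest()
        self._length = len(password)

    def logon_with_hello(self) -> None:
        """PIN/biometric logon: the password never passes through, so nothing is cached."""
        self._key = None
        self._digest = None
        self._length = 0

    @property
    def monitoring(self) -> bool:
        """True only when a password was captured at logon."""
        return self._digest is not None

    def check_input(self, text: str, source: str, target: str) -> Optional[ReuseAlert]:
        """Compare entered text (typed or pasted) against the cached credential.

        Returns a ReuseAlert if the password appears anywhere in `text`,
        None if it does not or if no password is being monitored.
        """
        if not self.monitoring or self._length == 0 or len(text) < self._length:
            return None
        assert self._key is not None and self._digest is not None
        n = self._length
        # Slide a window of the password's length across the input so that a
        # password pasted into a larger document is still detected.
        for i in range(len(text) - n + 1):
            candidate = text[i:i + n].encode("utf-8")
            d = hmac.new(self._key, candidate, hashlib.sha256).digest()
            if hmac.compare_digest(d, self._digest):
                return ReuseAlert(source=source, target=target)
        return None


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    monitor = PasswordReuseMonitor()
    monitor.logon_with_password("Tr0ub4dor&3")
    for src, tgt, text in [
        ("pasted", "https://login.example.test", "Tr0ub4dor&3"),
        ("typed", "notes.txt", "shopping list: milk, eggs"),
        ("typed", "notes.txt", "my pw is Tr0ub4dor&3 ok"),
    ]:
        alert = monitor.check_input(text, src, tgt)
        print(f"{src:6} -> {tgt}: {alert.title if alert else 'no warning'}")

    hello = PasswordReuseMonitor()
    hello.logon_with_hello()  # no password cached: nothing can be compared
    print("Hello logon monitoring:", hello.monitoring)
```

The last block shows the caveat from the article: after a Windows Hello sign-in the monitor has no password digest, so `check_input` returns `None` for everything, which is why the feature only protects users who sign in with a password.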
Given the powerful potential of this feature to safeguard corporate credentials, providing immediate alerts to admins when a user reuses their Windows password, it may be worth forgoing the convenience of Windows Hello for enhanced security.
All Windows users are advised to enable this security feature in Windows Security, even if it currently does not extend its support to all applications.