This blog article covers the new Windows 11 22H2 security feature Enhanced Phishing Protection in Microsoft Defender SmartScreen and gives first impressions.
- What is Enhanced Phishing Protection?
- How does Enhanced Phishing Protection work?
- How do I activate and configure Enhanced Phishing Protection?
- What are the first impressions?
- Sources and additional links
What is Enhanced Phishing Protection?
Enhanced Phishing Protection is a new Windows 11 security feature in Microsoft Defender SmartScreen that was rolled out with the latest September 2022 Feature Update (22H2) and helps protect account passwords against phishing and unsafe usage on sites and apps.
Enhanced Phishing Protection offers a total of 3 security features:
| Phishing Protection security feature | Scope | Description |
|---|---|---|
| Warn me about malicious apps and sites | Chromium-based browsers (Google Chrome, Microsoft Edge, Vivaldi, etc.) | If Microsoft Defender SmartScreen classifies a website as malicious and the user nevertheless tries to log in there with the password of the Windows account they are currently logged in with, Enhanced Phishing Protection issues an additional warning and prompts the user to change the password. |
| Warn me about password reuse | Chromium-based browsers (Google Chrome, Microsoft Edge, Vivaldi, etc.) | If the password of the logged-in Windows account is used on any website, a warning is displayed and the user is prompted to change the password. |
| Warn me about unsafe password storage | Notepad, Word, Excel, or any Microsoft 365 Office app | If the password of the logged-in Windows account is typed into an application such as Notepad or Excel, a warning is triggered. |
In addition, triggered warnings are sent as medium-severity alerts to Microsoft Defender for Endpoint (MDE), provided the devices are already onboarded to MDE and a corresponding Microsoft Defender for Endpoint license is available.
The 5 most important things first:
- Enhanced Phishing Protection works only when a user logs in with their Windows password. If Windows Hello (facial recognition, fingerprint, PIN) or a security key (FIDO2) is used, the feature does not work.
- Currently only Chromium-based browsers are supported; Mozilla Firefox, for example, is not supported.
- The feature reacts only when the password is typed. If a password is pasted, e.g. from an existing file or a password manager, no warning is triggered.
- The feature protects local, Microsoft, Active Directory, and Azure Active Directory accounts.
- Enhanced Phishing Protection is available to all consumers and enterprises using Windows 11 22H2, regardless of license level. To receive the Enhanced Phishing Protection alerts in Microsoft Defender for Endpoint (MDE), customers must have a corresponding Microsoft Defender for Endpoint (MDE) license.
How does Enhanced Phishing Protection work?
Windows has always stored the last successfully used login password locally in encrypted form. Enhanced Phishing Protection uses exactly this local password store to verify whether a typed password matches the Windows account password.
How do I activate and configure Enhanced Phishing Protection?
By default, Enhanced Phishing Protection is enabled on Windows 11 22H2, and the “Warn me about malicious apps and sites” feature is active as well. “Warn me about password reuse” and “Warn me about unsafe password storage” are not active by default.
You can find the settings for Enhanced Phishing Protection in the “App & browser control” panel under “Reputation-based protection” of the Windows Security app, or you can simply enter “Reputation-based protection” in the Windows search.
Settings – Privacy & security – Windows Security – App & browser control – Reputation-based protection – Phishing protection.
Enhanced Phishing Protection settings can be controlled most easily with Microsoft Intune via a Settings catalog policy: Configuration profiles – Create profile – Windows 10 and later – Settings catalog – SmartScreen > Enhanced Phishing Protection
Further deployment options, e.g., via GPO or CSP, can be found on the official Microsoft site: https://learn.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen?tabs=intune#configure-enhanced-phishing-protection-for-your-organization
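As an added example (not code from the original article), a PowerShell function that audits the policy layer of these settings on a device and reports which of the three warnings are in effect, falling back to the defaults described above when no policy is set. It assumes the registry policy path and the four value names from Microsoft's Enhanced Phishing Protection policy documentation, which are not on this page; per-user toggles made in the Windows Security app are not read.

```powershell
# Audit the Enhanced Phishing Protection policy layer on a Windows 11 22H2 device.
# ASSUMPTION: the registry policy path and the four DWORD value names are taken
# from Microsoft's Enhanced Phishing Protection (WebThreatDefense) policy
# documentation, not from this article; verify them against the linked page.
function Get-EnhancedPhishingProtectionState {
    [CmdletBinding()]
    param(
        # Path written by the GPO/Intune policy (assumed, see note above).
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'
    )

    # Out-of-the-box defaults as described in the article: the service and the
    # "malicious apps and sites" warning are on, the other two warnings are off.
    $defaults = [ordered]@{
        ServiceEnabled      = 1
        NotifyMalicious     = 1
        NotifyPasswordReuse = 0
        NotifyUnsafeApp     = 0
    }

    $policy = if (Test-Path $PolicyPath) { Get-ItemProperty -Path $PolicyPath } else { $null }

    # Effective value per setting: policy value if present, otherwise the default.
    $effective = [ordered]@{}
    $fromPolicy = @()
    foreach ($name in $defaults.Keys) {
        $value = if ($null -ne $policy) { $policy.$name } else { $null }
        if ($null -eq $value) {
            $effective[$name] = $defaults[$name]
        } else {
            $effective[$name] = [int]$value
            $fromPolicy += $name
        }
    }

    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber   # 22H2 ships as build 22621
    $serviceOn = $effective.ServiceEnabled -eq 1   # the warnings need the service itself on
    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        OSBuild                   = $build
        Is22H2OrLater             = $build -ge 22621
        ServiceEnabled            = $serviceOn
        WarnMaliciousAppsAndSites = $serviceOn -and $effective.NotifyMalicious -eq 1
        WarnPasswordReuse         = $serviceOn -and $effective.NotifyPasswordReuse -eq 1
        WarnUnsafePasswordStorage = $serviceOn -and $effective.NotifyUnsafeApp -eq 1
        SettingsFromPolicy        = $fromPolicy -join ', '
    }
}

Get-EnhancedPhishingProtectionState | Format-List
```

Run it with Invoke-Command across a set of clients to find devices where the password reuse and unsafe storage warnings are still at their off-by-default state.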
What are the first impressions?
Currently, Enhanced Phishing Protection is only interesting for users and customers who do not yet use Windows Hello or security keys and still log in with the Windows password, since Windows Hello and security keys are not yet supported. Of course, a user may still log in with the Windows password if, for special reasons, logging in with Windows Hello or a security key is not possible, unless you have deactivated the “Password” login method. In addition, no warning is triggered when a password is copied from a password manager or an existing file; the warning is only raised when the password is typed. It is also important to drive a Chromium-based browser strategy, since a widely used browser like Mozilla Firefox is not yet supported. What is also missing is the possibility to define exclusions for single sign-on (SSO) scenarios.
Below I have tested all 3 security features of Enhanced Phishing Protection and captured the user experience. I usually use Windows Hello for the Windows login. To be able to test the features, I had to log in via Windows password.
Warn me about malicious apps and sites
The “Warn me about malicious apps and sites” feature could be successfully tested via a website identified by Microsoft Defender SmartScreen as potentially dangerous. I simply entered my Windows password in the password mask without entering the username and without confirming.
Warn me about password reuse
The “Warn me about password reuse” feature could be tested successfully by entering my Windows password in the Twitter login screen.
Warn me about unsafe password storage
The “Warn me about unsafe password storage” feature could be tested successfully by entering my Windows password in Notepad.
Phishing alerts in the Defender for Endpoint (MDE) portal
The phishing alerts function did not work during my first tests. Although I had triggered multiple notifications on several Windows 11 22H2 test clients, the alerts never landed in the Microsoft Defender for Endpoint (MDE) portal for me. All clients are MDE onboarded and I see other alerts which do not come from Microsoft Defender SmartScreen. Test alerts such as [Test Alert] Suspicious Powershell commandline are displayed to me on the affected test clients. I first suspected a licensing issue, but it doesn’t work with a full Microsoft 365 E5 license either. If you have other experiences or an idea what it could be, let me know.
Now I would be interested in your experience with Enhanced Phishing Protection. Feel free to ask me questions or share your personal experiences in the comments.
Sources and additional links
Protect passwords with enhanced phishing protection:
Enhanced Phishing Protection in Microsoft Defender SmartScreen:
Microsoft Technical Takeoff – Securing corporate credentials with Enhanced Phishing Protection: