Windows 11 22H2, released last week, introduced a new security feature called “Enhanced Phishing Protection” that warns users if they enter their Windows password in insecure apps (such as Notepad) or websites.
Windows login credentials are especially valuable to attackers: they often give access to internal corporate networks, which are then used to steal data and deploy ransomware. Typically, such passwords are stolen in phishing attacks or because users keep them in insecure places such as ordinary documents, spreadsheets and so on. To discourage this behavior, Microsoft introduced Enhanced Phishing Protection.
As a reminder, we also reported that fake Windows 11 installers download RedLine malware onto computers, and that Windows 11 is incompatible with applications that use non-ASCII registry keys.
The new feature is currently available only on Windows 11 22H2 and is not yet enabled by default. It also works only when you sign in to Windows with your password rather than with Windows Hello: if you log in with a PIN, the feature does nothing.
If Enhanced Phishing Protection is enabled and detects the user entering the Windows password in the wrong place, it displays a warning that prompts the user to delete the password from the insecure file or, if the password was typed into a website, to change the Windows password.
Users can enable the new feature under Start -> Settings -> Privacy & security -> Windows Security -> App & browser control -> Reputation-based protection. The Phishing protection section contains two new options: Warn me about password reuse and Warn me about unsafe password storage.
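As an added example (not part of the article, and not Microsoft's own tooling), here is a PowerShell script that turns the same toggles on through policy, so an administrator can deploy them fleet-wide instead of having each user click through Settings. It assumes the policy registry location and value names (ServiceEnabled, NotifyMalicious, NotifyPasswordReuse and NotifyUnsafeApp under HKLM\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components) that Microsoft documents for its WebThreatDefense policy, and the 22H2 build number 22621; none of these appear on this page, so verify them against Microsoft's documentation for your build before rolling the script out.

```powershell
# Added example, not code from the article: enable Enhanced Phishing Protection
# and its "password reuse" / "unsafe password storage" warnings via policy.
# Assumptions (not stated on the page): the policy path and value names below
# follow Microsoft's WebThreatDefense policy documentation, and 22H2 is build 22621.
#Requires -RunAsAdministrator

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'

# The feature ships only with Windows 11 22H2, so refuse to touch older builds.
$build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
if ($build -lt 22621) {
    throw "Enhanced Phishing Protection needs Windows 11 22H2 (build 22621); this host is build $build."
}

if (-not (Test-Path -Path $policyPath)) {
    New-Item -Path $policyPath -Force | Out-Null
}

# 1 = enabled. ServiceEnabled switches the feature on; the Notify* values map to the
# toggles under Settings > Privacy & security > Windows Security > App & browser
# control > Reputation-based protection > Phishing protection.
$settings = @{
    ServiceEnabled      = 1
    NotifyMalicious     = 1   # warn about malicious apps and sites (assumed third toggle)
    NotifyPasswordReuse = 1   # "Warn me about password reuse"
    NotifyUnsafeApp     = 1   # "Warn me about unsafe password storage"
}

foreach ($name in $settings.Keys) {
    New-ItemProperty -Path $policyPath -Name $name -PropertyType DWord `
        -Value $settings[$name] -Force | Out-Null
}

# Read the values back so a deployment job can verify the result.
Get-ItemProperty -Path $policyPath |
    Select-Object ServiceEnabled, NotifyMalicious, NotifyPasswordReuse, NotifyUnsafeApp |
    Format-List

Write-Host 'Reminder: the warnings fire only for users who sign in with a password;'
Write-Host 'accounts that log in with a Windows Hello PIN are not covered.'
```

Run it from an elevated PowerShell session. Once the values are set, the toggles on the Settings page should show as managed by the organization; the password sign-in requirement described above still applies, so users who log in with a PIN get no warnings even with the policy in place.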
Bleeping Computer journalists report that they tested the new feature by entering the password in WordPad, Microsoft Word 2019, Excel 2019, OneNote and Notepad2. They were unable to test the protection in Microsoft 365, although, according to Microsoft, it should be supported.
Windows 11 warned the journalists about the insecurity of saving a password in WordPad and Microsoft Word, but, unexpectedly, did not warn when the password was entered in Excel, OneNote or Notepad2.
The publication also tested the password-reuse warning by trying to log in to Twitter with the Windows password in Google Chrome and Microsoft Edge. In both cases the protection worked as intended and the system offered to change the password, but it turned out that Enhanced Phishing Protection does not work in Mozilla Firefox.
The journalists conclude that Microsoft should expand the feature and add support for more browsers and applications.