Windows 11 22H2 Warns Against Storing Passwords in Notepad

Windows 11 22H2 Introduces Enhanced Phishing Protection

The latest Windows 11 22H2 update, released last week, brings a new security feature called Enhanced Phishing Protection. This feature warns users if they enter their Windows password into unsafe applications or websites.

Windows login credentials are especially valuable to cybercriminals, as they often provide access to internal corporate networks, which can then be exploited for data theft or ransomware attacks. Typically, passwords are stolen through phishing attacks or because users save their credentials in insecure applications, such as plain documents or spreadsheets.

To address this issue, Microsoft introduced Enhanced Phishing Protection. According to the company, “SmartScreen detects and protects against entering corporate passwords on known phishing sites or in applications associated with phishing sites; against password reuse in any app or site; and against passwords entered in Notepad, Wordpad, and Microsoft 365 apps. IT administrators can configure which scenarios will trigger warnings for end users using CSP/MDM or group policies.”

Currently, this new feature is available only in Windows 11 22H2 and is not enabled by default. To activate it, you must sign in to Windows with your password, not with Windows Hello. If you use a PIN to log in, the feature will not work.

When Enhanced Phishing Protection is active and detects that a user is entering their Windows password in an unsafe location, it displays a warning suggesting the user remove the password from the unsafe file or, if it was entered on a website, change their Windows password.

How to Enable Enhanced Phishing Protection

To turn on this new feature, go to:

  • Start → Settings → Privacy & security → Windows Security → App & browser control → Reputation-based protection.

In the “Phishing protection” section, you’ll find two new options:

  • Warn me about password reuse
  • Warn me about unsafe password storage
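For a fleet, the CSP/MDM or Group Policy route the article mentions is the way to enforce these two toggles rather than clicking through Settings on each machine. The script below is an added example, not part of the original article or a Microsoft tool; it assumes the policy registry key `HKLM\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components` and the value names `ServiceEnabled`, `NotifyMalicious`, `NotifyPasswordReuse` and `NotifyUnsafeApp` as documented for the Enhanced Phishing Protection policy (the counterparts of the WebThreatDefense CSP settings), which should be verified against current Microsoft documentation before use.

```powershell
# Added example: audit (and optionally enforce) the Enhanced Phishing
# Protection policy values that back the two Settings toggles above.
# Assumption: key and value names follow Microsoft's documented
# SmartScreen "Enhanced Phishing Protection" policy; verify before use.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'
$Scenarios = [ordered]@{
    ServiceEnabled      = 'Enhanced Phishing Protection service'
    NotifyMalicious     = 'Warn on known phishing sites/apps'
    NotifyPasswordReuse = 'Warn me about password reuse'
    NotifyUnsafeApp     = 'Warn me about unsafe password storage'
}

function Get-PhishingProtectionPolicy {
    # Reports each scenario as Enabled, Disabled or Not configured.
    foreach ($name in $Scenarios.Keys) {
        $value = $null
        if (Test-Path $PolicyKey) {
            $value = (Get-ItemProperty -Path $PolicyKey -Name $name `
                      -ErrorAction SilentlyContinue).$name
        }
        if ($value -eq 1)     { $state = 'Enabled' }
        elseif ($value -eq 0) { $state = 'Disabled' }
        else                  { $state = 'Not configured' }
        [pscustomobject]@{
            Setting       = $Scenarios[$name]
            RegistryValue = $name
            State         = $state
        }
    }
}

function Enable-PhishingProtectionPolicy {
    # Writes the same DWORD values a GPO would; needs an elevated prompt.
    # Note: the feature still only warns for users who sign in with a
    # password, not with Windows Hello (PIN/biometrics).
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    foreach ($name in $Scenarios.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord `
                         -Value 1 -Force | Out-Null
    }
}

# Audit only; run Enable-PhishingProtectionPolicy to enforce all scenarios.
Get-PhishingProtectionPolicy | Format-Table -AutoSize
```

Run the audit on a machine that received the GPO or MDM policy to confirm the values actually landed before relying on the warnings.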

Testing the New Feature

Reporters from Bleeping Computer tested the new feature by entering a Windows password in WordPad, Microsoft Word 2019, Excel 2019, OneNote, and Notepad2. Although Microsoft claims the feature should work in Microsoft 365, they were unable to test it there.

Windows 11 warned the reporters about unsafe password storage in WordPad and Microsoft Word, but unexpectedly did not issue a warning when the password was entered in Excel, OneNote, or Notepad2.

The team also tested the password reuse feature by attempting to log in to Twitter with their Windows password using Google Chrome and Microsoft Edge. In both cases, the protection worked as intended, prompting the user to change their password. However, they discovered that Enhanced Phishing Protection does not work in Mozilla Firefox.

Conclusion

The reporters concluded that Microsoft should expand the feature to support more browsers and applications for broader protection.
