
Microsoft is taking Windows 11’s enhanced phishing protection one step further by testing a new feature that notifies users when they copy and paste their Windows password into websites and documents.

With the release of Windows 11 22H2, Microsoft introduced a new security feature called Enhanced Phishing Protection, designed to stop a user's Windows password, including domain and Active Directory credentials, from being captured by malicious actors.

One of the most common methods hackers use to gain access to websites or a corporate network is to buy or steal corporate credentials. These credentials are obtained initially through phishing attacks or via information-stealing malware.

Threat actors use these stolen credentials to gain access to other accounts used by the Windows user, including email accounts, bank accounts, and cryptocurrency trading accounts. Worse, these stolen accounts can be used to gain access to corporate networks, allowing hackers to spread laterally across a network to conduct BEC scams, data theft, supply chain attacks, and ransomware attacks.

Stolen credentials are a massive and widespread problem, with cybercrime markets selling billions of credentials and authentication cookies, and more specialized sites selling over a million remote desktop IDs.

Stolen RDP credentials sold on the dark web market

Due to this widespread abuse, law enforcement actively targets markets for stolen credentials, seizing WT1SHOP in 2022 and, more recently, dismantling Genesis Market.

Windows 11 Enhanced Phishing Protection

When Microsoft first introduced the new Windows Enhanced Phishing Protection, it only warned users when they manually typed their Windows password into a document or web login page.

However, since users are generally advised to use password managers to create strong, unique passwords for all their logins, many people copy and paste their passwords from the password manager into their login prompts.

Since the feature did not previously detect copy-paste, pasting a password from a manager bypassed the protection entirely.

With the release of Windows 11 Insider Dev build 23506, Microsoft has improved the Phishing Protection feature by now detecting the copy-paste of a user’s Windows password.

“We are trying a change from this release where users who have Windows Security warning options enabled under Application and browser control > Reputation-based protection > Phishing protection will see a UI warning about insecure password copy-paste, just as they currently see when entering their password,” read the Dev Channel release notes.

As this feature is not enabled by default, Windows users should enable it by opening Windows Security > Application and browser control > Reputation-based protection > Phishing protection and checking all three options shown below.

Phishing protection enabled in Windows 11
Source: BleepingComputer
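On a managed fleet the same three checkboxes are normally set by policy rather than by hand. The script below is an added example, not code from the article or from Microsoft: it audits and enforces the DWORD values that back the "Enhanced Phishing Protection" Group Policy (Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Enhanced Phishing Protection) and the WebThreatDefense CSP. The registry path and value names are taken from that policy as I understand it; confirm them against the ADMX or CSP reference for your build before deploying. Run it from an elevated PowerShell prompt.

```powershell
# Added example: audit and enforce Windows 11 Enhanced Phishing Protection via policy.
# Assumed policy location and value names (verify against your ADMX / WebThreatDefense CSP).
#Requires -RunAsAdministrator

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'

# Value name -> desired DWORD (1 = enabled). The three Notify* values correspond to the
# three checkboxes in Windows Security > Reputation-based protection > Phishing protection.
$Desired = [ordered]@{
    ServiceEnabled      = 1   # turns the Enhanced Phishing Protection service on
    NotifyMalicious     = 1   # "Warn me about malicious apps and sites"
    NotifyPasswordReuse = 1   # "Warn me about password reuse" (typed or pasted)
    NotifyUnsafeApp     = 1   # "Warn me about unsafe password storage"
}

function Get-PhishingProtectionState {
    # Returns one object per policy value: current data (or $null if absent) and compliance.
    foreach ($name in $Desired.Keys) {
        $current = $null
        if (Test-Path $PolicyPath) {
            $current = (Get-ItemProperty -Path $PolicyPath -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Name      = $name
            Current   = $current
            Desired   = $Desired[$name]
            Compliant = ($current -eq $Desired[$name])
        }
    }
}

function Set-PhishingProtectionPolicy {
    # Creates the policy key if missing and writes every desired value as a DWORD.
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    foreach ($name in $Desired.Keys) {
        New-ItemProperty -Path $PolicyPath -Name $name -PropertyType DWord `
            -Value $Desired[$name] -Force | Out-Null
    }
}

# Audit first, remediate only if something is non-compliant, then re-audit.
$before = Get-PhishingProtectionState
$before | Format-Table -AutoSize
if ($before | Where-Object { -not $_.Compliant }) {
    Set-PhishingProtectionPolicy
    Get-PhishingProtectionState | Format-Table -AutoSize
}
```

Once these values are set, the checkboxes in Windows Security appear managed and cannot be cleared by the user. Setting the policy does not change the limitation discussed later in the article: the feature still only fires for users who sign in with a password rather than Windows Hello.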

When enabled, this feature will notify users when they type or copy and paste their Windows login password into a website form or a document.

This alert will be titled “Password Reuse is a Security Risk” and will warn users to reset their Windows account password, referring to this supporting document.

“If your password is stolen on this site, attackers will also use it on other sites. Use strong, unique passwords to protect your personal information,” the Windows Phishing Protection alert says.

“Microsoft recommends changing your local Windows account password.”

Windows 11 Phishing Protection Warning
Source: BleepingComputer

While our previous Windows Enhanced Phishing Protection test showed it didn’t work with some apps, such as Firefox and Excel, today’s tests show it’s been fixed, making the feature more robust.

However, it still doesn’t work with other third-party apps that might be commonly used to store passwords, such as Notepad2, Notepad++, and probably many more.

Microsoft has also introduced a new phishing protection setting, “Warn others about suspicious apps and sites”, but there is no information about what it does or whom “others” refers to.

Microsoft did not respond to our questions regarding this new setting.

Finally, it should be noted that Windows 11's anti-phishing protection does not work if you sign in to Windows with Windows Hello, such as a PIN or biometrics.

For this feature to work, Windows users must sign in with their password so that it is cached in memory and can be compared against what the user types or pastes.

As this feature can be a powerful tool for protecting corporate credentials, instantly alerting administrators when a user reuses their Windows password, trading the convenience of Windows Hello for better security is well worth it.

It is recommended that all Windows users enable this security feature in Windows Security, although it does not currently support all applications.
