New Update Enhanced Phishing Protection in Microsoft Defender SmartScreen

[oldschool]

• Article
• 07/10/2024
• 5 contributors
• Applies to: Windows 11, version 22H2

Feedback

In this article​

1. Benefits of Enhanced Phishing Protection in Microsoft Defender SmartScreen
2. Windows edition and licensing requirements
3. Configure Enhanced Phishing Protection for your organization
4. Related articles

Starting in Windows 11, version 22H2, Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.

If a user signs into Windows using a password, Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school password used to sign into Windows 11 in these ways:

• If users type or paste their work or school password on any browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection alerts them. It also alerts them to change their password so attackers can't gain access to their account.
• Reusing work or school passwords makes it easy for attackers who compromise a user's password to gain access to their other accounts. Enhanced Phishing Protection can warn users if they reuse their work or school Microsoft account password on sites and apps and alert them to change their password.
• Since it's unsafe to store plaintext passwords in text editors, Enhanced Phishing Protection can warn users if they store their work or school password in Notepad, Word, or any Microsoft 365 Office app, and recommends they delete their password from the file.
• If users type their work or school password into a website or app that SmartScreen finds suspicious, Enhanced Phishing Protection can automatically collect information from that website or app to help identify security threats. For example, the content displayed, sounds played, and application memory.

Note
When a user signs in to a device using a Windows Hello for Business PIN or biometric, Enhanced Phishing Protection does not alert the user or send events to Microsoft Defender for Endpoint (MDE).

Benefits of Enhanced Phishing Protection in Microsoft Defender SmartScreen​

Enhanced Phishing Protection provides robust phishing protections for work or school passwords that are used to sign into Windows 11. The benefits of Enhanced Phishing Protection are:

• Anti-phishing support: Phishing attacks trick users through convincing imitations of safe content or through credential harvesting content hosted inside trusted sites and applications. Enhanced Phishing Protection helps protect users from reported phishing sites by evaluating the URLs a site or app is connecting to, along with other characteristics, to determine if they're known to distribute or host unsafe content.
• Secure operating system integration: Enhanced Phishing Protection is integrated directly into the Windows 11 operating system, so it can understand users' password entry context (including process connections, URLs, certificate information) in any browser or app. Because Enhanced Phishing Protection has unparalleled insight into what is happening at the OS level, it can identify when users type their work or school password unsafely. If users do use their work or school password unsafely, the feature empowers users to change their password to minimize chances of their compromised credential being weaponized against them.
• Unparalleled telemetry shared throughout Microsoft's security suite: Enhanced Phishing Protection is constantly learning from phishing attacks seen throughout the entire Microsoft security stack. It works alongside other Microsoft security products, to provide a layered approach to password security, especially for organizations early in their password-less authentication journey. If your organization uses Microsoft Defender for Endpoint, you can see valuable phishing sensors data in the Microsoft 365 Defender Portal. This portal lets you view Enhanced Phishing Protection alerts and reports for unsafe password usage in your environment.
• Easy management through Group Policy and Microsoft Intune: Enhanced Phishing Protection works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Enhanced Phishing Protection, you can customize which phishing protection scenarios show users warning dialogs. For example, the Service Enabled setting determines whether the Enhanced Phishing Protection service is on or off. The feature is in audit mode if the other settings, which correspond to notification policies, aren't enabled.

Windows edition and licensing requirements​

The following table lists the Windows editions that support Enhanced phishing protection with SmartScreen:

Expand table

Windows Pro	Windows Enterprise	Windows Pro Education/SE	Windows Education
Yes	Yes	Yes	Yes

For more information about Windows licensing, see Windows licensing overview.

Configure Enhanced Phishing Protection for your organization​

Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. These settings are available to configure your devices using either Microsoft Intune, GPO, or CSP.

Expand table

Setting	Description
Automatic Data Collection	This policy setting determines whether Enhanced Phishing Protection can collect additional information-such as content displayed, sounds played, and application memory-when your users enter their work or school password into a suspicious website or app. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious. If you enable this policy setting, Enhanced Phishing Protection may automatically collect additional content for security analysis from a suspicious website or app when your users enter their work or school password into that website or app. If you disable this policy setting, Enhanced Phishing Protection won't collect additional content for security analysis when your users enter their work or school password into a suspicious site or app. If this policy isn't set, Enhanced Phishing Protection automatic data collection honors the end user's settings.
Service Enabled	This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off. If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
Notify Malicious	This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password. If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they type their work or school password into one of the malicious scenarios described above.
Notify Password Reuse	This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password. If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work, or school password and encourages them to change it. If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password.
Notify Unsafe App	This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps. If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps. If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps.

Enhanced Phishing Protection allows organizations to add their custom identity provider sign-in URL as a recognized URL. Then Enhanced Phishing Protection doesn't consider Microsoft passwords typed into an internal identity provider (IdP) as unknown or password reuse. Without knowledge of an enterprise's custom identity provider URL, SmartScreen might not have enough information about the URL. If you configure warning dialogs for Enhanced Phishing Protection, it might show an unsafe password usage dialog to the user entering their Microsoft password into the URL.

To add your organization's custom sign-in URL to Enhanced Phishing Protection, configure the EnableWebSignIn policy in the Authentication Policy CSP. For more information, see Web sign-in for Windows.

Follow these instructions to configure your devices using either Microsoft Intune, GPO, or CSP.

• Intune
• GPO
• CSP

To configure devices using Microsoft Intune, create a Settings catalog policy, and use the settings listed under the category SmartScreen > Enhanced Phishing Protection:

• Automatic Data Collection
• Service Enabled
• Notify Malicious
• Notify Password Reuse
• Notify Unsafe App

Assign the policy to a security group that contains as members the devices or users that you want to configure.

Recommended settings for your organization​

By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it's recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios.

Expand table

Setting	Default Value	Recommendation
Automatic Data Collection	Enabled for domain joined devices or devices enrolled with MDM. Disabled for all other devices.	Enabled: Turns on collection of additional content for security analysis from a suspicious website or app to improve Microsoft's threat intelligence. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious.
Service Enabled	Enabled	Enabled: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.
Notify Malicious	Disabled for devices onboarded to MDE. Enabled for all other devices.	Enabled: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.
Notify Password Reuse	Disabled	Enabled: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.
Notify Unsafe App	Disabled	Enabled: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.

To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings.

• Intune
• GPO
• CSP

Expand table

Settings catalog element	Recommended value
Automatic Data Collection	Enabled
Service Enabled	Enabled
Notify Malicious	Enabled
Notify Password Reuse	Enabled
Notify Unsafe App	Enabled

You may read more at Microsoft Defender SmartScreen overview
See this for configuration options Enable or Disable Microsoft Defender SmartScreen Phishing Protection Windows 11 Tutorial

 

[oldschool]

Please note that above Enhanced Phishing Protection applies to Windows Pro and higher editions.

 

[Dave Russo]

Rats just saw my smart screen was turned off and I have to reinstall Windows to reactivate, I am going to try finding out if I can do this without going back to windows home (not having Extra phishing protection) and also having to reinstall programs

 

[oldschool]

Rats just saw my smart screen was turned off and I have to reinstall Windows to reactivate, I am going to try finding out if I can do this without going back to windows home (not having Extra phishing protection) and also having to reinstall programs

You shouldn't have to reinstall. Use Windows Security. R u using Pro version?
OTH, once SAC is disabled it may only be re-enabled via clean install or reset.

 

[Vitali Ortzi]

Is it possible to get smart screen inside chrome or other browsers that aren't edge ?
(For pishing protection)

 

[oldschool]

Is it possible to get smart screen inside chrome or other browsers that aren't edge ?
(For pishing protection)

Since you're using Chrome, why not enable the real-time version of Enhanced Safe Browsing? If you insist on MS protection, use this.

Microsoft Defender Browser Protection - Chrome Web Store

Protect yourself against online threats, like phishing and malicious websites, with real-time protection from Microsoft.

chromewebstore.google.com

 

[simmerskool]

Please note that above Enhanced Phishing Protection applies to Windows Pro and higher editions.

only win11 -- not win10??

 

[oldschool]

only win11 -- not win10??

I haven't used W10 in years, so check your settings page in Windows Security. W10 probably has it too.

 

[simmerskool]

I haven't used W10 in years, so check your settings page in Windows Security. W10 probably has it too.

I checked win10 Windows Security -- SmartScreen for MS Edge is ON but underneath it is PUA setting not Phishing setting.

 

[oldschool]

I checked win10 Windows Security -- SmartScreen for MS Edge is ON but underneath it is PUA setting not Phishing setting.

You probably have W10 Home, not Pro. You're not missing much. This feature only protects your password for machine login, and checks whether you re-use it to sign into other sites, etc.

 

[Vitali Ortzi]

Since you're using Chrome, why not enable the real-time version of Enhanced Safe Browsing? If you insist on MS protection, use this.

Microsoft Defender Browser Protection - Chrome Web Store

Protect yourself against online threats, like phishing and malicious websites, with real-time protection from Microsoft.

chromewebstore.google.com

It's not available anymore on Google web store but I have installed it unpacked after copying it from one of my computers that had the extension and anyway no idea how long it will work as it's already not available anymore on the Google store so I'm looking for an alternative

 

[simmerskool]

You probably have W10 Home, not Pro. You're not missing much. This feature only protects your password for machine login, and checks whether you re-use it to sign into other sites, etc.

I have win10_pro