A noteworthy update in Windows 11 version 22H2 is a phishing protection feature that is designed to protect users against credential theft. Although the feature is designed to improve security, I can’t help but wonder whether it may end up doing the opposite.
To the best of my knowledge, no exploits targeting the Windows 11 Phishing Protection feature exist, but I can certainly envision how such an exploit might work.
If you haven’t seen the Windows 11 Phishing Protection feature yet, you can access it by opening Settings and clicking the Privacy and Security tab. Click on Windows Security, then click on the Open Windows Security button. Lastly, click on App and Browser Control, then on the Reputation-Based Protection Settings link. You can see the Phishing Protection settings shown at the bottom of Figure 1.
Figure 1. The Phishing Protection Settings are found on the Reputation-Based Protection screen.
What Are the Windows 11 Phishing Protection Settings?
As you can see in the figure above, there are three Phishing Protection settings (not counting the option to enable or disable the feature).
The first of these settings is designed to warn the user if they attempt to enter their password into an app or website that is known to be malicious.
The second setting is designed to prevent password reuse. If a user happens to enter their local, Active Directory, Azure Active Directory, or Microsoft Account password into a third-party site, Windows will warn the user about the dangers of using the same password on multiple sites.
The third setting is intended to warn the user about storing passwords in an unsafe manner. If a user stores their password in a Notepad document, for example, Windows will warn the user about saving their password within a document.
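As an added example (not part of the original article), the following PowerShell script audits whether each of these three settings, plus the master switch, is enforced by policy on a machine, and can enforce them. The policy registry path and value names are my assumption, taken from Microsoft's Enhanced Phishing Protection policy documentation as I recall it; the per-user toggles in Figure 1 are not read by it.

```powershell
# Added example, not code from the original article.
# Assumption: Enhanced Phishing Protection policy lives under this key with these DWORD names.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'

# Policy value name -> the Settings-page toggle it corresponds to
$Protections = [ordered]@{
    ServiceEnabled      = 'Phishing protection (master switch)'
    NotifyMalicious     = 'Warn me about malicious apps and sites'
    NotifyPasswordReuse = 'Warn me about password reuse'
    NotifyUnsafeApp     = 'Warn me about unsafe password storage'
}

function Get-PhishingProtectionPolicy {
    # Returns one object per protection: Name, Description, Value (null if unconfigured), State
    $key = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    foreach ($name in $Protections.Keys) {
        $value = if ($null -ne $key) { $key.PSObject.Properties[$name].Value } else { $null }
        $state = switch ($value) {
            1       { 'Enforced on' }
            0       { 'Enforced off' }
            default { 'Not configured (user can change it in Settings)' }
        }
        [pscustomobject]@{
            Name        = $name
            Description = $Protections[$name]
            Value       = $value
            State       = $state
        }
    }
}

function Set-PhishingProtectionPolicy {
    # Enforces all four protections on; needs an elevated prompt. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    foreach ($name in $Protections.Keys) {
        if ($PSCmdlet.ShouldProcess("$PolicyPath\$name", 'Set DWORD to 1')) {
            Set-ItemProperty -Path $PolicyPath -Name $name -Value 1 -Type DWord
        }
    }
}

# Report the current policy state of each protection
Get-PhishingProtectionPolicy | Format-Table Name, State, Description -AutoSize
```

Run `Set-PhishingProtectionPolicy -WhatIf` first to see what would be written before enforcing anything.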
How Might Phishing Protection Be Exploited?
On the surface, the three Windows 11 Phishing Protection settings are harmless.
They are simple features that can generate helpful notifications if users put their passwords at risk. Even so, I can envision a situation where the third Phishing Protection feature (Warn Me About Unsafe Password Storage) could potentially be exploited as part of a credential-harvesting attack.
Imagine a cybercriminal sends out email messages containing a malicious link. Someone within your organization clicks on that link and causes malware to be downloaded and installed onto their PC. Just to make things interesting, let’s also imagine that the cybercriminal’s ultimate goal is to use the malware to steal the user’s password.
Obviously, a cybercriminal could conceivably accomplish this goal in a million different ways. They might, for example, design malware that acts as a keylogger and sends a record of the user’s keystrokes back to the malware’s author. That would certainly be one way to steal a user’s password. That being the case, I am not trying to say that exploiting the Windows 11 Phishing Protection feature is the only way to steal a user’s password, or even that it is the best option. I am simply making the case that the Phishing Protection feature could be used as an attack vector.
So, with that said, consider how the Warn Me About Unsafe Password Storage feature works. If the user types their password into a document, Windows will warn them that it is unsafe to do so. The user does not even have to save the document. As soon as the password is typed, the warning appears.
Now consider this from the perspective of a cybercriminal who planted malware onto a Windows 11 system. Such a person might design the malware to run on an alternate desktop (outside of the user’s view) and perform a dictionary-based password attack. For example, a malicious script might open Notepad, then add one potential password after another to the document. This could be done in a way that emulates the password being typed rather than being pasted. If one of the words added to the Notepad document happens to be the user’s password, Windows will display a warning. As long as the script can detect when the warning is displayed, it would be relatively easy to determine which list entry triggered the warning and is therefore the user’s password.
Again, I’m not saying that this is the most effective way for an attacker to steal a user’s credentials. Even so, the Windows 11 Phishing Protection feature may ultimately end up becoming something that cybercriminals can exploit for their own benefit.