Microsoft Defender floods users with false password notifications

Microsoft Defender for Endpoint has inundated system administrators with false alerts. The service flagged multiple sites for supposedly reusing passwords. Despite complaints from administrators, there has been no clear explanation from the tech giant.

Users have denied reusing passwords on the sites flagged by the system. However, multiple subdomains of SaaS platforms have been flagged for password reuse. Some administrators believe the issue may have arisen from Defender for Endpoint incorrectly flagging SSO domains as needing attention.

One user wrote that they had received 17 false positives for password reuse in a single day, and many alerts were accompanied by “about:blank” as the supposed domain containing password reuse.

Phishing

The warning message itself is seemingly absent from Microsoft’s documentation. The alerts come only from Windows 11 devices, and almost all relate to purported password reuse on Microsoft domains. Numerous commenters have appeared in a six-month-old thread seeking help with inexplicable alerts they have received.

One user suggested on Twitter that the problem could be linked to enhanced phishing protection brought in by Microsoft in September 2022. The company intended to warn users against reusing passwords. However, Microsoft Defender has incorrectly inundated users with warnings on multiple prior occasions.

In September 2022, the app confused software for ransomware, including popular browsers and productivity apps such as Chrome, Slack, and Microsoft Edge.

This, too, shall get a fix

Microsoft addressed other false positives in January 2023 after a faulty update deleted shortcuts incorrectly identified as malware. Although Microsoft has released scripts to fix the issue, some administrators stated that these were imperfect and have failed to rectify matters fully.

A recent update for Microsoft Defender Antivirus also led to confusion among developers, who, upon updating, received a warning stating that Local Security Authority (LSA) Protection had been disabled.

Microsoft released a workaround for the issue. However, a subsequent update appears to have disabled LSA altogether on Windows 11 systems in favour of a new process titled ‘Kernel-mode Hardware-enforced Stack Protection.’
