Microsoft Defender “obliterating” users with false password alerts


System administrators have reported an abundance of alerts from Microsoft Defender for Endpoint, with multiple sites falsely flagged as having reused passwords.

A number of admins complained that they are receiving alerts that read “Password reuse activity was detected by Microsoft Defender for Endpoint” with no clear explanation from the software.

Users denied having reused passwords on the sites flagged by the system, while others have stated that multiple subdomains of software as a service (SaaS) platforms have been flagged as containing password reuse.

Many admins indicated that the problem could have arisen from Defender for Endpoint incorrectly flagging single sign-on (SSO) domains as needing attention.

“We now have 17 alerts today for Password Reuse. Everyone I have looked at is a false positive,” one user wrote.

They also noted that some alerts come with “about:blank” as the supposed domain containing password reuse, and that in one case a user was accused of “password reuse over three services, listing three subdomains of the same SaaS”.

The warning message itself is seemingly absent from Microsoft documentation.

"We determined these are false positive results and we have resolved this," a Microsoft spokesperson told ITPro.

"No customer action is needed."

According to accounts from multiple commenters, the alerts appear to only be coming from Windows 11 devices and almost all relate to supposed password reuse on Microsoft domains.

“Yup same here, we are getting obliterated with alerts. The alerts are only coming from Win 11 devices,” wrote another.

Dozens of new commenters have appeared in a six-month-old thread covering the same issue, seeking help with inexplicable alerts that they too have received.

In a Twitter exchange on the issue, one user suggested that the problem could be linked to enhanced phishing protection brought in by Microsoft in September 2022.

This is intended to warn users against reusing passwords.

Microsoft Defender has incorrectly inundated users with warnings on multiple prior occasions. 

In September 2022, the app caused confusion after flagging software as ransomware, including popular browsers and productivity apps such as Chrome, Slack, and Microsoft Edge.

Further false positives were addressed by Microsoft in January 2023, after a faulty update deleted shortcuts that had been incorrectly identified as malware. 

Microsoft released scripts to fix the issue, though some administrators stated that these were imperfect and failed to fully rectify matters.

A recent update for Microsoft Defender Antivirus also led to confusion among devs, who upon updating received a warning stating that Local Security Authority (LSA) Protection - a process used to authenticate and oversee user logins - had been disabled.

Microsoft released a workaround for the issue, though a subsequent update appears to have disabled LSA altogether on Windows 11 systems in favor of a new process titled ‘Kernel-mode Hardware-enforced Stack Protection’.

This article has been updated to include a statement from Microsoft.

Rory Bathgate
Features and Multimedia Editor
