Microsoft Defender “obliterating” users with false password alerts
Windows 11 devices have been affected by the Defender for Endpoint error, which flags SSO domains as problematic
System administrators have reported an abundance of alerts from Microsoft Defender for Endpoint, with multiple sites falsely flagged as having reused passwords.
A number of admins complained that they are receiving alerts that read “Password reuse activity was detected by Microsoft Defender for Endpoint” with no clear explanation from the software.
Users denied having reused passwords on the sites flagged by the system, while others have stated that multiple subdomains of software as a service (SaaS) platforms have been flagged as containing password reuse.
Many admins indicated that the problem could have arisen from Defender for Endpoint incorrectly flagging single sign-on (SSO) domains as needing attention.
“We now have 17 alerts today for Password Reuse. Everyone I have looked at is a false positive,” one user wrote.
They also noted that some alerts come with “about:blank” as the supposed domain containing password reuse, and that in one case a user was accused of “password reuse over three services, listing three subdomains of the same SaaS”.
The warning message itself is seemingly absent from Microsoft documentation.
"We determined these are false positive results and we have resolved this," a Microsoft spokesperson told ITPro.
"No customer action is needed."
According to accounts from multiple commenters, the alerts appear to only be coming from Windows 11 devices and almost all relate to supposed password reuse on Microsoft domains.
“Yup same here, we are getting obliterated with alerts. The alerts are only coming from Win 11 devices,” wrote another.
Dozens of new commenters have appeared in a six-month-old thread covering the same issue, seeking help with inexplicable alerts that they too have received.
In a Twitter exchange on the issue, one user suggested that the problem could be linked to enhanced phishing protection brought in by Microsoft in September 2022.
This is intended to warn users against reusing passwords.
“All this is related to SSO and OAuth and the only URI being flagged is https://t.co/oZk8RKMK00 (with various URLs) But yeah, fun trying to explain the user is not even entering a password 😬” (April 20, 2023)
Microsoft Defender has incorrectly inundated users with warnings on multiple prior occasions.
In September 2022, the app caused confusion after flagging software as ransomware, including popular browsers and productivity apps such as Chrome, Slack, and Microsoft Edge.
Further false positives were addressed by Microsoft in January 2023, after a faulty update deleted shortcuts that had been incorrectly identified as malware.
Microsoft released scripts to fix the issue, though some administrators stated that these were imperfect and failed to fully rectify matters.
A recent update for Microsoft Defender Antivirus also led to confusion among devs, who upon updating received a warning stating that Local Security Authority (LSA) Protection - a process used to authenticate and oversee user logins - had been disabled.
Microsoft released a workaround for the issue, though a subsequent update appears to have disabled LSA altogether on Windows 11 systems in favor of a new process titled ‘Kernel-mode Hardware-enforced Stack Protection’.
This article has been updated to include a statement from Microsoft.
Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.