New enhancements to Phishing Filter protection for IE

Hello, I’m John Scarrow, general manager for the Anti-Spam and Anti-Phishing Team at Microsoft. My team developed and runs the Microsoft Phishing Filter you’ve seen in the current beta of Internet Explorer for Windows Vista and Internet Explorer 7 for Windows XP, and I wanted to follow up on previous posts about the Phishing Filter to highlight some news from today.

Today Microsoft announced agreements with three new data providers – Cyota Inc., Internet Identity and MarkMonitor – who will regularly supply information to us on thousands of confirmed phishing Web sites to help ensure the URL reputation service that helps power the Phishing Filter is running with the latest information on known attacks that the industry can provide. We use this information in combination with the information reported to us directly by our customers through the Phishing Filter itself to help quickly block known phishing scams once they are reported.  In fact, the service is actually updated several times an hour to help ensure the protection is pushed to users as quickly as possible.

For those of you familiar with how the service works, I should also say that we of course also still use machine-learning heuristics to scan pages for phishy characteristics to determine whether a warning is needed – which is particularly helpful in the space of time between when a phishing attack begins and when it gets reported to the service. But this dynamic reporting and blocking system for known bad sites is critically important for helping protect our customers and I’m excited that we’ve got some great new data providers on board to help.

Before you ask, these data providers won’t necessarily be the last or only companies that will provide this service for us – although we are anticipating great results with the data they can provide. So you know, we use a standardized process to work with interested organizations to determine opportunities to provide this kind of service to help feed our overall mix of data sources.  So, if you happen to know of a company or organization you think we should be working with, definitely let us know!

In related news, you may also be interested to know that, in addition to including the Phishing Filter technology in IE7, customers using Windows XP SP2 can also get the Phishing Filter with today’s final launch of the Phishing Filter Add-in for the MSN Search Toolbar – downloadable for free at But for those of you who are already beta testing IE7 and Windows Vista, you should already be seeing this filter protection, which will be even better now that we have Cyota, Internet Identity and MarkMonitor on board.

If you want to know more about the Phishing Filter, check out the home page for Anti-Phishing Technologies and if you want more details on today’s announcement, here’s today’s press release on the news:

- John

Comments (38)
  1. From

    "The Phishing Filter Add-in offers access to a new dynamic online service, updated several times an hour to warn you and help protect your personal information from these fraudulent websites by: … Dynamically checking the web sites you visit with up to the hour online information via an online service run by Microsoft and blocking you from sharing personal information if a site is a known phishing website."

    How could this be implemented without uploading all users’ browsing history to Microsoft’s online service?

  2. Anonymous says:

    I’m not seeing where it says anything about uploading your history… It says that it updates the dynamic online service several times an hour and then it checks your history.

    I would suspect that it could be as simple as downloading an XML (or whatever) configuration file and then the addin runs the check on your local history.

    I’d be reluctant to use the service if it uploads the actual history to them, since after all, the whole purpose of the tool is to PREVENT uploading personal information…….. right? 😉

  3. Anonymous says:

    So now there are 3rd party companies that also get to decide which websites are "safe" for us to see and also get to access the MS databases for such information… this feature just keeps getting better and better (sarcasm)!

  4. Anonymous says:

    Hi, just a couple of things. First of all, I would like to include an article which I put in a previous blog: (, since it has some feedback on the phishing filter that you might find useful:

    In addition, I have a nagging question that I would really like to ask: You say that you have this list of ‘known’ phishing websites (i.e. sites that you are aware intentionally steal users’ details and give them to criminals), that is apparently updated several times an hour, but what I would really like to know is what you will be doing with this list other than just storing it somewhere? For example, will you be attempting to shut these sites down, or reporting them periodically to the relevant authorities etc? It’s just that I feel this would probably be more useful than simply telling users they are there.

    I’m sorry if this may seem like a really obvious question, or if you’ve stated it somewhere else. It’s just that I can’t really remember seeing anything like this mentioned in any of the other blogs about the phishing filter.

    Thanks for any response.

  5. Anonymous says:

    BT Wholesale ( here in the UK is the major Internet access network provider for home users, so perhaps you could have them as a partner too, which could involve the filter database being mirrored within the UK, for a faster response time, and a fail-safe if the connection between the US and UK were affected in any major way.

  6. Bruce Morgan [MSFT] says:

    Sam, you can read about "Microsoft’s Approach to Anti-Phishing" at, linked from the Anti-Phishing Technologies page above. You can read about the 3-part approach of technology, industry and government collaboration, and customer awareness and education.

  7. Anonymous says:

    Does this add-in work on German systems?

    Will this add-in be available in localized versions? If yes, when?

    Is this add-in included in the MSN Search Toolbar?

  8. PatriotB says:

    codemastr – If it were the other way around (MS being the only one determining the phishing sites) people would complain just as much. In fact I think there were people on this blog months ago mentioning that they wouldn’t trust the filter’s determinations because MS was the only one behind it.

    I think bringing in third party expertise is wise and commendable.

  9. Anonymous says:

    Bruce, excellent link, it was exactly what I was looking for and teaches me to do my homework a little next time, lol.


  10. Mike_J says:

    There are many ways to protect internet users. Phishing filter is one of them. How about HTTPS’ lock sign? Without this lock sign, users should not enter their credit card number. Following this lock sign, more than half of phishing attempts will fail. But the IE’s lock sign is so small. Many people will ignore this important icon. To improve this, several examples already exist, such as Firefox putting a yellow background in the address bar, and Opera having extra information for the HTTPS site. They are very obvious. I remember some person suggested putting a border around secured web pages. Tablane browser puts strong colour in the address bar as well as in the Tab if the site is HTTPS. So, what is IE’s solution for it?

    Also, if we can get the site’s location, that will be helpful. Although the domain names and domain hosting are messy among regions and countries, at least the location gives people extra information to judge.

    One of the biggest loopholes in the phishing battle is through email, because it is not easy to identify the sender. It can pretend to be from any legitimate company or organization. Will this be changed in the future? Or in the email system, to check the phishing site before opening it?

  11. This is what I was referring to, from the earlier blog post. I feel this amounts to a significant subset of the browse history.

    What information is sent to Microsoft for checking a website

    Phishing Filter does not check every URL on the Microsoft server. It only sends those which are not on a known list of OK sites or those that appear suspicious based on heuristics. If a URL is checked on the Microsoft server, first the URL is stripped down to the path to help remove personal information, then the remaining URL is sent over a secure SSL connection. The communication with the Microsoft server is done asynchronously so that there is little to no effect on your browsing experience.

  12. Anonymous says:

    "If it were the other way around (MS being the only one determining the phishing sites) people would complain just as much. In fact I think there were people on this blog months ago mentioning that they wouldn’t trust the filter’s determinations because MS was the only one behind it."

    You’re absolutely right. Which is once again why I recommend that the database be locally stored on our machines rather than on MS’s server. I’ve already said, with the current design I will not be using the phishing filter and I’ll be encouraging others to disable it as well. We trade the *possibility* of a phishing attack for the *guarantee* of a privacy leak.

  13. Anonymous says:

    You know this is all well and good.

    But I can’t help noticing that while we continue to get titbits of news on IE development, the Firefox team keeps releasing new beta and RC versions – which work pretty well too.

    How about letting people experience some of the new IE features for themselves some time soon?

  14. Anonymous says:

    Hm, I see several problems coming up with this "enhancement". First of all, I hate IDN, which is one of the main problems when being phished. There are several characters in foreign languages that look like a normal char. Think about the IDN security warning on Firefox forums some months ago (which had a 1 second workaround 30 minutes after the security issue was found and was fixed in the next Firefox release) and IE7 will support IDN. Well, I hope they get the clue and integrate it the way Firefox does (well, my opinion about IE7 – what I read about IE7 until today – is that it’s a simple ripoff of Firefox & several browser replacements for IE like MyIE, Crazy Browser, AvantBrowser and so on).

    A centralized anti-phishing database sounds ok. (sarcasm found?) Well, it’s not ok, it’s not ok in the same way like TCPA (aka Palladium). Too many unknown facts, too many possibilities to spy on a user.

    Sorry IETeam, it’s not your fault, but the company you are working for, well, let’s say, Orson Wells’ "1984" is a little joke compared to the possibilities such a database and Palladium will give to Microsoft.

  15. Anonymous says:

    Sorry, I can’t believe your destructive comments. First of all, Microsoft is trying to protect less experienced users (end users are gullible as we can read from the press).

    Then, if you are not happy how the phishing filter works – JUST USE FIREFOX and shut up – another option is to deactivate the filter at all within internet explorer.

    I’m sorry for my post, but if you have a comment on functionalities keep them coming but stop with your comparisons with other browsers.

    Thank you.

  16. Anonymous says:

    "In fact, the service is actually updated several times an hour…"

    "…these data providers won’t necessarily be the last or only companies that will provide this service for us…"

    Two very enthusiastic thumbs up!

  17. Anonymous says:

    How did you backport IE to 16-bit Windows, and why 32-bit IE won’t run in Windows NT 3.51?

  18. Anonymous says:

    "Sorry, I can’t believe your destructive comments. First of all, Microsoft is trying to protect less experienced users (end users are gullible as we can read from the press). "

    It is my contention that this feature will HURT users. Hence why I, and so many others are opposed to it. Unlike Michael, I have always and probably will always use IE.

    But as a user, I feel it is my obligation to make sure IE7 does indeed protect users. In my mind, a centralized phishing database is something that other protection utilities (antispyware, antivirus, antispam, etc.) have managed to avoid, yet Microsoft claims it is a must for a phishing filter.

    The centralized nature of the phishing filter is a recipe for abuse. Did everyone forget about the AOL employee who sold email addresses of AOL customers to spammers? Who says some disgruntled MS employee won’t sell our browsing history (which this feature has the potential to allow them to access) to marketing companies, or worse?

    We can’t even see the contents of the information being sent to MS because it’s encrypted. So basically, we know IE7 sends "something" to Microsoft. What the information is, and what MS will do it with, we have no idea, other than MS’s assurances that they are doing it to "protect us."

    This is an area wherein I agree with the communism analogy, though I’d choose Animal Farm over 1984 [and the author is George Orwell, not Orson Wells] "No one believes more firmly than Comrade Napoleon that all animals are equal. He would be only too happy to let you make your decisions for yourselves. But sometimes you might make the wrong decisions, comrades, and then where should we be?" – in essence, Microsoft tells us that we are incapable of detecting the threats locally. They provide no justification for this reasoning other than to say, "it’s what needs to be done." Hence, they expect us to trust them without giving us any reason to do so.

    All I, and many others, ask is that Microsoft design their system in such a way that it does not promote abuse. I really don’t think that’s too much to ask. However, Microsoft has all but ignored these requests and continues to insist that an implementation that invades our privacy is the best way to go. Perhaps their reasoning is benevolent, but without a good explanation, and based on MS’s track record, I feel it is more likely to believe it is nefarious, and I am not the only one who believes so.

  19. Anonymous says:

    codemastr, your arguments contain red herrings and flat out distortion.

    First, even if the phishing websites were stored locally, they would have to be downloaded from somewhere. Therefore, there is still a "centralized" store of phishing websites. Antispyware, antivirus, antispam products do not preclude the centralized store maintained by the vendor, they simply download the list every so often. The master list is still controlled at the source, and most people will never even look at the downloaded list, just as most people will never care about the master list at the phishing server. The slower turnover rate of virii, malware and spam detectors allows companies to take this model.

    The explanation for the master list at the server rather than a downloaded one has been given, you’ve just chosen to ignore it and instead provide a baseless ad hominem analogy to paint this as some sinister decision. The phishing sites change with a high enough frequency that a design that demands a downloaded list would be: (a) extremely costly for the company maintaining the list (b) laggy for legit institutions trying to challenge their place on the list (c) laggy for consumers trying to get the latest list of phishing sites. You either end up downloading all the time (what’s a good interval? One day? One week? One hour?) to keep up, or you fall behind. Keeping it server side allows the list to be continuously updated with significantly less cost to the operator and substantially greater benefit to the consumer.

    Furthermore, as has been pointed out, there are client side heuristics that are used independent of the master list that help to determine if a site appears "phishy". And finally, it’s an OPT-IN feature. Don’t like it, don’t subscribe to the "sinister" service. I personally turn it off, since I figure I don’t need it, but hey, it’s YOUR choice.

    But hey, let’s not let good arguments get in the way of a good anti-MS rant, right?

  20. Anonymous says:

    ‘First, even if the phishing websites were stored locally, they would have to be downloaded from somewhere. Therefore, there is still a "centralized" store of phishing websites’

    You’ve decided to glance over the entire point of my post. I am not opposed to MS creating the list, of course an external source has to create the list, otherwise it means I create the list and then there is no point to the filter to begin with! However, the fact that I have to download a list from MS does not give MS the ability to view my browsing history. However, sending a query to their server when I go to various websites does. That is where my problem lies. To provide a very apt analogy, just because I run Norton Antispam doesn’t mean Norton gets a copy of my emails to determine if they are spam – the checking is done locally. Just because I run McAfee VirusScan doesn’t mean McAfee gets a copy of each file on my computer – the checking is done locally. On the contrary, just because I run IE7’s phishing filter, it DOES mean MS gets a copy of my browsing history. Now do you see the difference? I definitely want some outside source to maintain the list, I simply don’t want them to have my personal information.

    ‘phishing sites change with a high enough frequency that a design that demands a downloaded list’

    You’re right, MS did say this. However, I see no evidence of its truth. I mean, viruses (by the way, the word is viruses, not virii) are released daily, if not hourly. You seem to think they have a "slower turnover rate," that’s complete nonsense. Read any respected text on viruses and you’ll undoubtedly learn of zero-hour virus infection. However, little or no scholarly research in the area suggests server-side scanning, rather improved heuristics and user education. I would venture to say that viruses and spam alter themselves more so than does phishing (spam detection is often referred to as a game of cat and mouse because each time a new detection strategy is devised, a new way to evade it follows within hours). Hence, this point is both baseless (no evidence at all has been provided to support its claims) and moot (other detection industries have to deal with threats that change just as quickly and do not need server-side detection).

    ‘You either end up downloading all the time (what’s a good interval? One day? One week? One hour?) to keep up, or you fall behind. Keeping it server side allows the list to be continuously updated with significantly less cost to the operator and substantially greater benefit to the consumer.’

    First of all, it never downloads an entire list. It would clearly work on incremental updates. If nothing has changed in the last 72 hours, then the only thing sent to the server would be the timestamp of the user’s file and the server sending back a message indicating no changes (this is a smaller packet than the way the current system works). I see my method as not increasing cost at all, rather decreasing it. Rather than sending a packet to MS EVERY time I view a website, I only send a packet every X minutes/hours and most of the time there will be no update and nothing needs to be done.

    ‘And finally, it’s an OPT-IN feature’

    Perhaps I’m wrong, but I believe I read it’s an opt-OUT feature. In fact, I am not wrong because this is exactly what Tariq Sharif said. Opt-out is substantially different. Why? Because of fear tactics. "Are you sure you want to disable this? Doing so may leave your computer unprotected from phishing attacks." Hence, unless you are well educated as to what the phishing filter really does, such a message would scare you into leaving it on.

    ‘But hey, let’s not let good arguments get in the way of a good anti-MS rant, right?’

    Yeah, and let’s not let the truth get in the way of a pro-MS rant, right? If you had read my message you’d clearly see that I said I like IE and I will continue to use IE. I’m not bashing MS at all, I think MS is a fine company that produces some great software titles (Windows XP, IE, Visual Studio, Office, etc.). Right now I’m typing this message into IE running on my MS Windows machine. I have several thousands of dollars worth of MS software. You see, you seem to think criticism is a "rant." I’m suggesting ways to make the phishing filter better. Show me where I said "I hate MS" or "screw IE, use Firefox," you won’t find it. What you will see is constructive criticism of how I believe IE7 can be made to be the best browser available. If you consider that a "rant" I most certainly hope you never enter the real world because if you can’t handle constructive criticism, you won’t get very far in life. I want to see IE7 regain its market share that has been lost to Firefox. In my mind, the phishing filter as presently designed will not do this; it will allow it to further slip. I am proposing my suggestions as to how this can be rectified.

  21. Anonymous says:

    Hi again guys.

    This is just a completely random thought that has literally just popped into my head a minute or so ago. I don’t know of all the technical issues involved in this, or whether or not you’re doing it already, but will you be using all this anti-phishing technology anywhere within MSN search to filter out possible phishing pages from a user’s results? In the very least you could check that list that you are gathering against your search index and remove any which match. Plus, use all those heuristics or whatever to scan the remaining stuff and remove anything that looks suspicious. If you’re not already doing something similar, I really think it would be a great idea as it would make searching a lot safer, regardless of whether or not you’re using IE 7.

    Also, in a completely unrelated enquiry, I would just like to know whether or not you’ll be improving the pop-up blocker within IE 7. I mean I’m sorry, but even on the ‘high’ setting it still doesn’t seem to block all of them.

    The only reason I’m pretty sure it’s the pop-up blocker and not something on my computer is because I’ve heard a couple of other people on these very blogs saying the exact same thing, even mentioning how people have found ways to bypass it.

    It would be really nice to hear something from you guys on this, as this isn’t something I can remember hearing too much about here.


  22. Anonymous says:

    Hi there, quite off topic, but I wanted to give it a try at least:

    We are using the web control in Visual Basic 5 / 6 which is afaik the IE as a component.

    Now we experienced that with the IE 7 beta, this component does not work any more.

    Is this a beta issue and will it be fixed with the release of the final?

    Or will the IE 7 components remain incompatible with VB 5 & 6, so that displaying HTML content in our apps will no longer be possible in future, if IE 7 is installed?



  23. PatriotB says:

    Serious Sam — There seem to be two ActiveX components that allow popups, which are currently not blocked by the popup blocker. These are "HTML Document" and "DHTML Edit Control Safe for Scripting for IE5". Blocking these through Manage Add-ons should prevent the popups… although I urge Microsoft to fix the root cause of the problem.

    Markus — I’ve read about people having problems with the WebBrowser control after upgrading to IE7. I believe it has to do with the move of the control and typelib from shdocvw.dll to ieframe.dll. I’m not sure what the solution is though.

  24. Anonymous says:

    PatriotB – Thanks for the response on this and not least for the solution, I just hope that with it being here it’ll also benefit others as well.

    I definitely agree that the IE team should do something about this and given what you’ve said, it wouldn’t even have to be just for IE 7, either. I mean, I’m sure it’s not as easy as I’m about to make out, but surely it’s just a case of releasing a new patch or update which simply tells the pop-up blocker to block these two ActiveX components.

    I’m sorry if it’s far more technical than this, but I just can’t see how it is. That is after all the very reason patches are released – to either simply correct a flaw that could be potentially exploited, or change the way something behaves so that it is less vulnerable.

  25. Anonymous says:

    I’m not a big fan of this. I think this is the realm of user-updated anti-virus/firewall software.. I can’t believe Microsoft would want to give themselves the headache of handling the traffic for every URL clicked, and I sure wouldn’t want my browser waiting for a response from Microsoft. I think they should make a " ? " button next to the go button that would submit a specific URL to Microsoft to validate, instead of trying to implement this technology 100% of the time. That’s just my 2 cents.

  26. Anonymous says:

    Although the technology that these three companies provide is invaluable to some degree, there is a better way to fend off phishing scams through the use of Email Domain Name Verification. When you receive an email, which is where 99 percent of all phishing scams originate, any and all web site URLs that are in the body of the message are cross-referenced against a whois database, therefore giving protection to the end user against phishing in real time! An IE add-on would ensure web based email from various other entities is also protected by the web browser. I have already created and tested this program using AppleScript and Mail. I know it works and it works well. Just a thought.

    J. Gund

  27. Anonymous says:

    1. I think codemastr is quite right in his analysis…IE anti-phishing filter could work that way without diminishing the benefits of the IE filter itself while keeping "privacy" as a core thought…

    2. However, if the IE filter would stick to reporting centrally something to MS while the user browses, why not merely report the SHA-256 of the URL instead of the URLs themselves and have the DB be fed with hashes instead of URLs?

    3. The IE team talks about heuristics to detect what would be suspicious websites? Is there a description/process somewhere allowing people to avoid their website being reported erroneously as "suspicious" due to the heuristics’ normal error rates?

  28. Anonymous says:

    HF, regarding your hash idea, this too has been suggested. However, to my knowledge Microsoft never posted a detailed reason of why it cannot be done. If I recall, they just said something like "it’s not specific enough," or words to that effect.

    I definitely think hashing is a good idea. As someone previously pointed out, a URL can contain sensitive info. Yes, the phishing filter strips off after the ? (which in terms of detecting phishing is bad because as I previously mentioned, all someone needs to do to avoid the phishing filter is = good site, = phishing site and IE will not detect it). However, sensitive info exists elsewhere in a URL. For example, I access a site that does something along the lines of So anytime I view that site, MS will have my employee ID number, something they have no business having. Using a path to store information is not exactly uncommon.

    And once again, we only have MS’s assurances that everything after the ? is cut off since the packet is encrypted and we cannot see its contents.

    Hashing the URL would allow both the path and query string to be sent to MS with confidence. For example, MS won’t receive they’ll just get a hashed value, meaning though the entire URL is sent, they don’t know my password. They can even send 2 or 3 hashes, one of just the domain, one of the domain/path, and one of the domain/path?query so that multiple levels of matching can be accomplished.

    Of course there are still some ways MS can retrieve the URL from this which makes it not ideal. For example, the database can, as I have previously pointed out, store common websites. The example I cited is, MS could compute the hash of,, etc. and store the hash along with the URL. MS could then use this data to see how many people are choosing other web portals over its own MSN Search. Granted, this only will work for websites that MS stores the URL for which means common sites, but as that example illustrates, it can be used for privacy invading purposes.

  29. So far several more privacy-friendly ways of implementing the bad-site lookup have been suggested:

    The hash lookup similar to what Vipul’s Razor uses (for Cloudmark) as an anti-spam technique. This works well for email because the "database of known hashes" is necessarily small. It will be somewhat less useful for URLs but still better than the current system.

    The push-the-list-to-the-clients similar to what antivirus systems use. I suppose a drawback of this method is that the database could be hacked and the list of bad sites enumerated.

    I wonder if the two methods could be combined?

    1) Generate a hash for all the bad sites

    2) Push the list of hashes to the clients

    Then a site owner can easily test their own sites by computing the hash of their site and checking to see if that is listed.

    Clients can compute the hash of any URL they’re about to visit and check the LOCALLY STORED hash list to see if that hash is suspect.

    Microsoft could still have a service which simply responded with the timestamp of the latest version of the list. That would allow the client to know when it was time to update.
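The hashed-list design sketched in comments 28 and 29 (hash the bad sites at more than one level, push the hashes to the client, check locally, and exchange only a list timestamp with the server as comment 20 proposed) looks like this in practice. This is an added example, not code from the IE team or from anyone on this thread; the blocklist entries, the version number and the sample URLs are constructed placeholders.

```python
"""Local hash-list lookup for a URL reputation filter (added example).

The server hashes each listed site at host level or host/path level and
publishes the hashes with a list version. The client canonicalizes the URL
it is about to visit, hashes its host and every path prefix, and checks the
locally stored list, so no URL (and no hash of one) leaves the machine.
"""
import hashlib
from urllib.parse import urlsplit

# Constructed sample blocklist entries (placeholders, not real phishing sites).
# A bare host lists the whole site; a host plus path lists one directory on a
# shared host, so the other users of that host are not blocked with it.
BAD_SITES = [
    "http://bank-login.example/",
    "http://free-host.example/users/phisher",
]
LIST_VERSION = 200511071200  # constructed list timestamp, YYYYMMDDhhmm


def canonical_parts(url):
    """Split a URL into (host, path prefixes). The query string, fragment,
    port and any credentials are dropped, so they never reach the hash."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    segments = [s for s in parts.path.split("/") if s]
    prefixes = ["/".join(segments[: i + 1]) for i in range(len(segments))]
    return host, prefixes


def url_hash(value):
    """SHA-256 hex digest of a canonical host or host/path string."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_hash_list(bad_sites, version):
    """Server side: one hash per entry, at host or host/path level, plus
    the version of the list so clients can tell when it changed."""
    hashes = set()
    for entry in bad_sites:
        host, prefixes = canonical_parts(entry)
        key = host + "/" + prefixes[-1] if prefixes else host
        hashes.add(url_hash(key))
    return {"version": version, "hashes": frozenset(hashes)}


def is_suspect(url, hash_list):
    """Client side: hash the host and each path prefix of the URL and look
    every one of them up in the locally stored list."""
    host, prefixes = canonical_parts(url)
    if not host:
        return False
    candidates = [host] + [host + "/" + p for p in prefixes]
    return any(url_hash(c) in hash_list["hashes"] for c in candidates)


def needs_update(local_version, server_version):
    """The only value exchanged with the server is the list version; the
    client fetches a new list only when the server's version is newer."""
    return server_version > local_version


if __name__ == "__main__":
    hash_list = build_hash_list(BAD_SITES, LIST_VERSION)
    for u in ("http://BANK-LOGIN.example/secure?acct=1234",
              "http://free-host.example/users/phisher/login.html",
              "http://free-host.example/users/honest/"):
        print(u, "->", "suspect" if is_suspect(u, hash_list) else "ok")
```

Because the lookup happens against the local copy, the objection raised later in the thread (that sending a hash to the party that generated the hashes reveals the URL anyway) does not apply; it only applies when the hash is sent to the server. The price is the one comment 29 names: whoever holds the list can enumerate it, and any change to what is hashed (host only, host plus path) requires pushing new lists to every client.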

  30. I’m beginning to see some justifications for the service model where the URL is sent unhashed.

    Phisher tricks are common.

    Existing tricks are things like wildcard DNS:

    Phisher owns

    Phisher sends out random-string web sites that work because of wildcarded DNS:

    Or even simple case mixing:


    Adding a period:

    Listening on many nonstandard ports:

    Using custom 404 pages:

    If the service model is kept, then the checking algorithm can be updated to work around these tricks without having to update all the clients… only the server would need to be updated.
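Most of the tricks listed in this comment are defeated by canonicalizing the host before the lookup, whichever side does the checking. The example below is added here and is not code from the IE team or from the commenter; it lowercases the host, drops a trailing period, ignores the port and any user:pass@ prefix, and treats a random wildcard-DNS label as a match for its parent domain. The blocklisted domains are constructed placeholders. Custom 404 pages are the one trick on the list that no canonicalization handles, which is the comment's point about keeping the algorithm updatable on the server.

```python
"""Host canonicalization before a bad-site lookup (added example)."""
from urllib.parse import urlsplit

# Constructed blocklist of registered domains (placeholders, not real sites).
BAD_DOMAINS = {"phisher-domain.example", "stolen-brand.example"}


def canonical_host(url):
    """Return the lookup key for a URL's host, or None if it has no host.
    urlsplit().hostname already lowercases the host and strips the port
    and credentials; the trailing period ("adding a period") is removed
    here so that 'phisher-domain.example.' keys the same as without it."""
    host = urlsplit(url).hostname
    if not host:
        return None
    return host.rstrip(".")


def matches_blocklist(host, bad_domains):
    """A host is listed if it equals a bad domain or is a subdomain of one,
    so a random label in front of a wildcard-DNS domain still matches."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in bad_domains for i in range(len(labels)))


def is_listed(url, bad_domains=BAD_DOMAINS):
    """Full check: canonicalize, then compare against the domain list."""
    host = canonical_host(url)
    return host is not None and matches_blocklist(host, bad_domains)


if __name__ == "__main__":
    for u in ("http://x7f3q.phisher-domain.example/login",   # wildcard DNS label
              "http://PhIsHeR-DoMaIn.Example./",            # case mixing + period
              "http://phisher-domain.example:8081/",        # nonstandard port
              "http://www.bank.example@stolen-brand.example/",  # credentials trick
              "http://www.bank.example/"):                  # not listed
        print(u, "->", "listed" if is_listed(u) else "ok")
```

Comparing whole labels (rather than a substring match) is deliberate: `notphisher-domain.example` must not match `phisher-domain.example`, and a bare top-level label such as `example` is never in the list on its own.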

  31. Anonymous says:

    ‘2. However if IE filter would stick to reporting centrally something to MS while the users browses, why not merely reporting the SHA-256 of the URL instead of URLs themselves and have the DB be fed with hashes instead of URLs ? ‘

    If you give this 3 seconds of thought, you’ll understand that sending a hash to the organization that generates the hashes is pointless. MS will already know what URL a particular hash points to because they’d need to have generated the hash from the URL in the first place. So sending them some cryptic SHA-256 hash is a waste of CPU cycles because it does not solve the "OMG MICROSOFT WILL KNOW WHERE I’M BROWSING!!!!!!!!!!!!!!" paranoia.

    Not to mention they have given specific reasons. For example, would hash to one value, and would hash to another value, so now you either a) end up storing hashes of every possible variation of every possible malicious site, or b) you break the URL into pieces and compare hashes of the various pieces.

    And as I already said, none of this protects your privacy in any way.

  32. IE7 – Phishing fraud detection feature
