Protecting against typosquatting with website typo protection in Microsoft Edge

This week is a short post about website typo protection in Microsoft Edge. That subject was briefly mentioned earlier when discussing Enhanced Security Mode in this blog post about tightening browser security in Microsoft Edge. This week is mainly focused on awareness for website typo protection. Website typo protection is aimed at protecting users against typosquatting. Typosquatting is intended to hijack traffic of users that meant to visit well-known sites, but that made a spelling mistake. That hijacking is achieved by using addresses with common misspellings or typographical errors of those well-known sites. Often that is used as prank, ad, or (friendly) competition, but more and more often that is also being used for phishing and malware. In the latter cases, users will get to a website that may look the same as the original website, but that is actually used to steal personal information or to install malware. With website typo protection, Microsoft Edge will warn the user when misspelling or mistyping a common domain name. This post will look closer at the configuration, followed with the user experience.

Note: Website typo protection is enabled by default in Microsoft Edge. This post is mainly focused on creating awareness and making sure that website typo protection is enabled and enforced.

Configuring website typo protection in Microsoft Edge

The configuration of website typo protection in Microsoft Edge is actually pretty straightforward when using Microsoft Intune. The configuration can be managed via the Settings Catalog. The Settings Catalog contains ADMX-backed settings for Microsoft Edge. Those settings are backed by the MSEdge.admx. The main setting itself is TyposquattingCheckerEnabled with Configure Edge Website Typo Protection as friendly name. As an IT administrator this setting is only a few clicks away nowadays and doesn’t require any really challenging configurations anymore. The following 8 steps can be used to enable and enforce website typo protection, by using Settings Catalog.

1. Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Configuration profiles
2. On the Windows | Configuration profiles blade, click Create > New Policy
3. On the Create a profile blade, select Windows 10 and later > Settings catalog and click Create
4. On the Basics page, provide at least a unique name to distinguish it from similar profiles and click Next
5. On the Configuration settings page, as shown below in Figure 1, perform the following actions and click Next

• Click Add settings, navigate to Microsoft Edge and select Typosquatting Checker settings > Configure Edge Website Typo Protection (TyposquattingCheckerEnabled) in Settings picker
• Switch the slider with Configure Edge Website Typo Protection to Enabled to enable website typo protection

6. On the Scope tags page, configure the required scope tags and click Next
7. On the Assignments page, configure the assignment for the required user or devices and click Next
8. On the Review + create page, verify the configuration and click Create

Note: For creating exceptions look at using Configure the list of domains for which Edge Website Typo Protection won’t trigger warnings (TyposquattingAllowListDomains) and for preventing users to bypass prompts look at using Prevent bypassing Edge Website Typo Protection prompts for sites (PreventTyposquattingPromptOverride).

Experiencing website typo protection in Microsoft Edge

When the configuration is in place, it can be pretty straightforward to experience website typo protection Microsoft Edge. It does, however, also depend on the configuration of Microsoft Edge. On many occasions, Microsoft Edge will already capture the behavior with different notifications about the connection not being secure. An easy example to trigger website typo protection is shown below in Figure 2. That will directly prompt the user with the verification around the website that was provided. That notification will ask the user if the website is correct and if the user didn’t mean to be on a different website. That information will stay available for the user when clicking on the Not secure notification in front of the address bar, as shown below in Figure 3.

More information

For more information about scareware in Microsoft Edge, refer to the following docs.

• Microsoft Edge Browser Policy Documentation | Microsoft Learn
• Microsoft Edge for Business Recommended Configuration Settings | Microsoft Learn
• How Microsoft Edge Can Protect You from Typosquatting | Edge Learning Center