Hackers never stop with their antics. One antic that I’ve suspected would become an issue eventually was the addition of website toast notifications via subscribing to a website inside the web browser. You’ve likely seen it before: the website has an option to follow or subscribe and when you do, then every time a new post is created, you get a notification pop up in the lower right-hand corner of the screen.
That’s pretty cool, but it’s just asking for exploitation because that’s also the mechanism which most antivirus applications use to notify the user that they have a potential cybersecurity incident like a virus, malware, or PUP. That’s exactly what malicious actors do, they trick users into subscribing to a website then start creating posts that on the users’ computer will look like antivirus notifications.
The computer is not exploited at this point, but the goal is to get the user to give over control of their computer to the hackers who will pose as an antivirus company or IT support. Here are a few examples of website toast notifications masquerading as an antivirus notification:
I’m seeing this more and more frequently… along with panicked church staff… so today I’m going to show you the methods to prevent this style of attack by disabling toast notification in Microsoft Edge (Note: your church should only have one approved browser that staff are allowed to use, and given that Edge and Chrome share the same underlying code derived from Chromium, I personally stick with Edge as the approved browser, but you can and should also disable them on other browsers too).
Method 1: Disable Notifications in the Edge Settings Menu
First up, the easy-peasy way to stop those notices for a single computer is through the Edge settings menu. Open Edge, click the three dots (yeah, the three little ones in the upper right next to your profile and the Bing button), then hit “Settings.” Scroll down, find “Site permissions,” then “Notifications.” VoilĂ ! Toggle off “Ask before sending,” and sites won’t be able to ask to send you notifications.
Now, if you’d like to take the shortcut to the notifications, you can use this link when browsing this page via Microsoft Edge: Edge Notification Settings
Method 2: Disable Notifications in Edge via Intune (MEM)
If you have more than one computer and are in a church setting then you’ll want to turn off notifications via Intune: head over to Intune (Microsoft Endpoint Manager) from within the Microsoft 365 Administrator portal, find “Device configuration,” and create a new profile. Select “Windows 10 and later,” then “Settings catalog,” name your policy something like “Edge – Disable Website Notifications,” then search for “Default notification setting (Device),” add it, enable it, and select “Don’t allow any site to show desktop notifications,” then apply the policy to the groups you want to apply it to (usually all devices).That’s it, now none of the users can subscribe to website notifications.
If you want to take a shortcut to the Intune portal, you can follow this link: MEM Configuration Profiles
Method 3: Disable Notifications via GPO
If your church is still using old-school Active Directory then you can disable the notifications via GPO. The first thing you will need is the administrative template from Microsoft which can be downloaded and installed here. Now, open Group Policy Management Console, locate “Computer Configuration,” then “Administrative Templates,” then “Microsoft Edge,” and “Content settings.” Enable “Default notification setting” and set it to “Do not allow any site to show desktop notifications.”
Final Thoughts on Preventing Fake Virus Notifications
Unfortunately, sometimes the innocent features that are added to software gets used by hackers to exploit users. This means that you have to stay vigilant and disable the features they begin to exploit. By turning off site notifications you remove the potential for panic clicking of exploit links on Windows desktops.
As a bonus, you’ll also be removing a regular distraction as site notification popups can make it hard to consistently focus on a task.