Microsoft Entra ID hardens browser sign-ins with stricter Content Security Policy
Security Tool/Service
Summary
Microsoft is tightening Entra ID browser sign-ins with a stronger Content Security Policy, reducing the risk of script injection and XSS-style credential theft during authentication. The change rolls out in mid-to-late October 2026 and applies only to browser-based logins at login.microsoftonline.com. It will allow scripts only from Microsoft-trusted domains and will not affect Microsoft Entra External ID. Organizations that rely on code-injection tools in sign-in pages will need to test and remove those dependencies before rollout.
Related Happenings
Microsoft AiTM payroll pirate attack mitigation
Advisory/Mitigation
First: 10.04.2026 14:56
Last: 10.04.2026 14:56
Sources 1
About this happening:
**Microsoft** is urging defenders to harden **Microsoft 365** and related **HR workflows** against **AiTM**-driven payroll theft by requiring **phishing-resistant MFA**, blocking...
Phishing-resistant authentication to block post-breach credential abuse and relay attacks
Defensive Guidance
First: 09.04.2026 17:02
Last: 09.04.2026 17:02
Sources 1
About this happening:
**Phishing-resistant authentication** is being emphasized as the control that can stop post-breach account takeover when exposed email records fuel **credential stuffing**, **AiTM...
Microsoft Windows 11 KB5079473 Microsoft account sign-in disruption
Service Disruption
First: 20.03.2026 09:33
Last: 20.03.2026 09:33
Sources 1
About this happening:
**Microsoft**'s **Windows 11 KB5079473** update is disrupting **Microsoft account sign-ins** across multiple apps, creating false **no-internet** errors and blocking normal access...
Latest development: 23.03.2026 10:04
Microsoft started rolling out the KB5085516 optional out-of-band update to fix the Microsoft account sign-in bug that appears after KB5079473 on Windows 11 25H2 and 24H2. The update addresses the false no-internet sign-in failure affecting Microsoft Teams, OneDrive, Microsoft Edge, Microsoft 365 Copilot, Excel, and Word, and it is available through Windows Update or the Microsoft Update Catalog.
Microsoft Entra passkeys on Windows add phishing-resistant sign-in in public preview
Security Tool/Service
First: 10.03.2026 17:27
Last: 10.03.2026 17:27
Sources 1
About this happening:
**Microsoft Entra** is adding **passkey support on Windows devices**, bringing **phishing-resistant passwordless authentication** via **Windows Hello**. The rollout reaches **publ...
Bitwarden adds passkey login for Windows 11 sign-in
Security Tool/Service
First: 05.03.2026 00:34
Last: 05.03.2026 00:34
Sources 1
About this happening:
**Bitwarden** added **passkey login** for **Windows 11**, expanding passwordless sign-in and reducing phishing exposure for users who store credentials in the vault.
Timeline
- 26.11.2025 15:26 · 2 articles
Microsoft plans Entra ID sign-in Content Security Policy hardening
Initial Disclosure
Microsoft plans to enhance Entra ID browser-based sign-ins with a strengthened Content Security Policy that will allow script downloads only from Microsoft-trusted content delivery network domains and inline script execution only from Microsoft-trusted sources during authentication. The change is scoped to URLs beginning with login.microsoftonline.com, does not affect Microsoft Entra External ID, and is intended to reduce external script injection and XSS-style credential theft risks; enterprise customers are advised to test sign-in scenarios and stop using browser extensions or tools that inject code or scripts into sign-in pages before the October 2026 rollout window.
Sources:
- Microsoft to secure Entra ID sign-ins from script injection attacks — www.bleepingcomputer.com — 26.11.2025 15:26
- Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update — thehackernews.com — 27.11.2025 17:37
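
To illustrate the allowlist behaviour described in the timeline entry above, the following added example (not Microsoft's code or policy, and not taken from the cited articles) evaluates script elements against a constructed `script-src` policy and returns the ones that would be blocked. The host names, the nonce and all function names are assumptions; source matching covers scheme, host wildcard and port, not paths.

```javascript
// Constructed sample data: host names and nonce are placeholders, not Microsoft's values.
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' 'nonce-Rk9PQkFS' " +
  "https://cdn.trusted.example https://*.static.example; object-src 'none'";
const PAGE_ORIGIN = 'https://login.microsoftonline.com';
const SAMPLE_SCRIPTS = [
  { src: 'https://cdn.trusted.example/login.js' }, { inline: true, nonce: 'Rk9PQkFS' },
  { src: 'https://helper.injector.example/fill.js' }, { inline: true }, // injected by a tool
];

// Split a CSP header value into { directive: [sources] }; the first occurrence wins.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Match 'self', a scheme-source or a host-source against a script URL (paths ignored).
function matchesSource(expr, url, pageOrigin) {
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr.startsWith("'")) return false; // nonces, hashes, keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?/.exec(expr.toLowerCase());
  if (!m) return false;
  const [, scheme, host, port] = m;
  const schemeOk = url.protocol === (scheme ? scheme + ':' : new URL(pageOrigin).protocol);
  const hostOk = host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
  const portOk = port === undefined ? url.port === '' : port === '*' || url.port === port;
  return schemeOk && hostOk && portOk;
}

// script: { src } for an external script, { inline: true, nonce? } for an inline one.
function isScriptAllowed(policy, script, pageOrigin) {
  const sources = policy['script-src'] || policy['default-src']; // default-src is the fallback
  if (!sources) return true; // no governing directive, so nothing is restricted
  if (script.nonce && sources.includes("'nonce-" + script.nonce + "'")) return true;
  if (!script.inline) return sources.some(s => matchesSource(s, new URL(script.src), pageOrigin));
  // 'unsafe-inline' is ignored once the directive lists any nonce or hash.
  const strict = sources.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
  return !strict && sources.includes("'unsafe-inline'");
}

// Scripts this policy would block: the dependencies to remove before enforcement.
function findBlocked(header, scripts, pageOrigin = PAGE_ORIGIN) {
  const policy = parseCsp(header);
  return scripts.filter(s => !isScriptAllowed(policy, s, pageOrigin));
}
```

Running `findBlocked(SAMPLE_POLICY, SAMPLE_SCRIPTS)` returns the two injected entries, which is the inventory an administrator would need to clear when testing sign-in scenarios ahead of the rollout.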