CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Microsoft to Strengthen Entra ID Sign-Ins Against Script Injection Attacks

First reported
Last updated
2 unique sources, 3 articles

Summary

Hide ▲

Microsoft plans to enhance the security of Entra ID authentication by implementing a strengthened Content Security Policy (CSP) starting in mid-to-late October 2026. This update will allow script downloads only from Microsoft-trusted content delivery network domains and inline script execution only from Microsoft-trusted sources during sign-ins. The policy aims to protect users against cross-site scripting (XSS) attacks, where attackers inject malicious code to steal credentials or compromise systems. The update will apply only to browser-based sign-in experiences at URLs beginning with login.microsoftonline.com, excluding Microsoft Entra External ID. Microsoft urges organizations to test sign-in scenarios before the deadline to identify and address dependencies on code-injection tools. IT administrators can review sign-in flows in the browser developer console to identify violations. Enterprise customers are advised to stop using browser extensions and tools that inject code or scripts into sign-in pages before the change takes effect. This move is part of Microsoft's Secure Future Initiative (SFI), launched in November 2023, following a report by the Cyber Safety Review Board of the U.S. Department of Homeland Security. The initiative also includes updates to Microsoft 365 security defaults to block access to SharePoint, OneDrive, and Office files via legacy authentication protocols, and the disabling of all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 apps. Additionally, Microsoft has expanded its bug bounty program to cover all online services, including third-party and open-source components, if they impact Microsoft online services. The company has paid over $17 million in bounty awards to 344 security researchers over the last 12 months, and another $16.6 million to 343 security researchers during the previous year. Microsoft has deployed over 50 new detections in its infrastructure to target high-priority tactics, techniques, and procedures. The adoption of phishing-resistant multi-factor authentication (MFA) for users and devices has hit 99.6%. Microsoft has enforced Mandatory MFA across all services, including for all Azure service users. The company has also introduced Automatic recovery capabilities via Quick Machine Recovery, expanded passkey and Windows Hello support, and improved memory safety in UEFI firmware and drivers by using Rust. Microsoft has migrated 95% of Microsoft Entra ID signing VMs to Azure Confidential Compute and moved 94.3% of Microsoft Entra ID security token validation to its standard identity Software Development Kit (SDK). The company has discontinued the use of Active Directory Federation Services (ADFS) in its productivity environment and decommissioned 560,000 additional unused and aged tenants and 83,000 unused Microsoft Entra ID apps across Microsoft production and productivity environments. Microsoft has advanced threat hunting by centrally tracking 98% of production infrastructure, achieved complete network device inventory and mature asset lifecycle management, and almost entirely locked code signing to production identities. The company has published 1,096 CVEs, including 53 no-action cloud CVEs, and paid out $17 million in bounties.

Timeline

  1. 26.11.2025 15:26 3 articles · 16d ago

    Microsoft to Implement Strengthened Content Security Policy for Entra ID Sign-Ins

    Microsoft plans to enhance the security of Entra ID authentication by implementing a strengthened Content Security Policy (CSP) starting in mid-to-late October 2026. This update will allow script downloads only from Microsoft-trusted content delivery network domains and inline script execution only from Microsoft-trusted sources during sign-ins. The policy aims to protect users against cross-site scripting (XSS) attacks, where attackers inject malicious code to steal credentials or compromise systems. The update will apply only to browser-based sign-in experiences at URLs beginning with login.microsoftonline.com, excluding Microsoft Entra External ID. Microsoft urges organizations to test sign-in scenarios before the deadline to identify and address dependencies on code-injection tools. IT administrators can review sign-in flows in the browser developer console to identify violations. Enterprise customers are advised to stop using browser extensions and tools that inject code or scripts into sign-in pages before the change takes effect. This move is part of Microsoft's Secure Future Initiative (SFI), launched in November 2023, following a report by the Cyber Safety Review Board of the U.S. Department of Homeland Security. The initiative also includes updates to Microsoft 365 security defaults to block access to SharePoint, OneDrive, and Office files via legacy authentication protocols, and the disabling of all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 apps. Additionally, Microsoft has expanded its bug bounty program to cover all online services, including third-party and open-source components, if they impact Microsoft online services. The company has paid over $17 million in bounty awards to 344 security researchers over the last 12 months, and another $16.6 million to 343 security researchers during the previous year. Microsoft has deployed over 50 new detections in its infrastructure to target high-priority tactics, techniques, and procedures. The adoption of phishing-resistant multi-factor authentication (MFA) for users and devices has hit 99.6%. Microsoft has enforced Mandatory MFA across all services, including for all Azure service users. The company has also introduced Automatic recovery capabilities via Quick Machine Recovery, expanded passkey and Windows Hello support, and improved memory safety in UEFI firmware and drivers by using Rust. Microsoft has migrated 95% of Microsoft Entra ID signing VMs to Azure Confidential Compute and moved 94.3% of Microsoft Entra ID security token validation to its standard identity Software Development Kit (SDK). The company has discontinued the use of Active Directory Federation Services (ADFS) in its productivity environment and decommissioned 560,000 additional unused and aged tenants and 83,000 unused Microsoft Entra ID apps across Microsoft production and productivity environments. Microsoft has advanced threat hunting by centrally tracking 98% of production infrastructure, achieved complete network device inventory and mature asset lifecycle management, and almost entirely locked code signing to production identities. The company has published 1,096 CVEs, including 53 no-action cloud CVEs, and paid out $17 million in bounties.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Chinese State-Sponsored Group Exploits Windows Zero-Day in Espionage Campaign Against European Diplomats

A China-linked hacking group, UNC6384 (Mustang Panda), is exploiting a Windows zero-day vulnerability (CVE-2025-9491) to target European diplomats in Hungary, Belgium, Italy, the Netherlands, and Serbian government agencies. The campaign involves spearphishing emails with malicious LNK files to deploy the PlugX RAT and gain persistence on compromised systems. The attacks have broadened in scope to include diplomatic entities from Italy and the Netherlands. The zero-day vulnerability allows for remote code execution on targeted Windows systems, enabling the group to monitor diplomatic communications and steal sensitive data. Microsoft has not yet released a patch for this vulnerability, which has been heavily exploited by multiple state-sponsored groups and cybercrime gangs since March 2025. Microsoft has silently mitigated the vulnerability by changing LNK files in the November updates to display all characters in the Target field, not just the first 260. ACROS Security has also released an unofficial patch to limit shortcut target strings to 260 characters and warn users about potential dangers.

Open in new tab

Active Exploitation of Critical Microsoft WSUS Flaw

A critical vulnerability in Microsoft Windows Server Update Service (WSUS), CVE-2025-59287, is being actively exploited in the wild. This flaw, with a CVSS score of 9.8, allows attackers to drop malicious payloads and execute arbitrary commands on infected hosts. The vulnerability affects WSUS versions 3.32.x and was discovered by Eye Security and Huntress. The Cybersecurity and Infrastructure Security Agency (CISA) has ordered U.S. government agencies to patch the flaw, which was added to the Known Exploited Vulnerabilities catalog. Organizations using WSUS are advised to apply the out-of-band security updates provided by Microsoft to mitigate the risk of exploitation. The flaw was originally patched by Microsoft as part of its Patch Tuesday updates, but attackers have since weaponized it to deploy .NET executables and Base64-encoded PowerShell scripts. Shadowserver is tracking over 2,800 WSUS instances with default ports exposed online. The vulnerability is a deserialization of untrusted data flaw that allows unauthenticated attackers to achieve remote code execution with system privileges by sending malicious encrypted cookies to the GetCookie() endpoint. A compromised WSUS server could potentially be used to distribute malicious updates to the entire network of client computers, making it particularly dangerous for large enterprises. Huntress advised isolating network access to WSUS and blocking inbound traffic to TCP ports 8530 and 8531 as remediation steps. The out-of-band (OOB) security update KB5070881 for CVE-2025-59287 broke hotpatching on some Windows Server 2025 devices. Microsoft has released a new update, KB5070893, to address the issue without disrupting hotpatching. Administrators are advised to install this update to maintain hotpatching functionality.

Open in new tab

Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 183 flaws

Microsoft's October 2025 Patch Tuesday marks the end of free security updates for Windows 10, with the release of the final cumulative update KB5066791. This update addresses 183 vulnerabilities, including six zero-day flaws, and is mandatory for all Windows 10 users. Extended Security Updates (ESU) are available for purchase for up to three years for enterprise users and one year for consumers. The patches cover a range of vulnerabilities, including critical remote code execution and elevation of privilege issues. The zero-day vulnerabilities affect various components, such as Windows SMB Server, Microsoft SQL Server, Windows Agere Modem Driver, Windows Remote Access Connection Manager, AMD EPYC processors, and TCG TPM 2.0. Some of these flaws have been publicly disclosed or actively exploited. The update also includes fixes for vulnerabilities in third-party components, such as IGEL OS and AMD EPYC processors. Additionally, Microsoft Office users should be aware of CVE-2025-59227 and CVE-2025-59234, which exploit the Preview Pane. The update is the largest on record for Microsoft, with 183 CVEs, pushing the number of unique vulnerabilities released so far this year to more than 1,021. The update includes fixes for a wide range of vulnerabilities, including remote code execution (RCE), elevation of privilege, data theft, denial of service (DoS), and security feature bypass issues. The update also marks the end of life for Windows 10, meaning Microsoft will no longer issue regular patches for vulnerabilities in the operating system as part of its regular Patch Tuesday updates. Exchange Server 2016, Exchange Server 2019, Skype for Business 2016, Windows 11 IoT Enterprise Version 22H2, and Outlook 2016 are also reaching end-of-life. Windows 10 users can opt for Extended Security Updates (ESU) for one year at a cost of $30, or install Linux as an alternative. Linux Mint is recommended for Windows 10 users transitioning to Linux, with compatibility for most computers from the last decade. The October 2025 Windows security updates cause smart card authentication and certificate issues across all Windows 10, Windows 11, and Windows Server releases. The issue is due to a security fix designed to address a security feature bypass vulnerability (CVE-2024-30098) in the Windows Cryptographic Services. Affected users may experience various symptoms, including the inability to sign documents, failures in applications using certificate-based authentication, and smart cards not being recognized as CSP providers in 32-bit apps. The issue can be detected by the presence of Event ID 624 in the System event logs for the Smart Card Service prior to installing the October 2025 Windows security update. The fix is enabled by setting the DisableCapiOverrideForRSA registry key value to 1 to isolate cryptographic operations from the Smart Card implementation. Users experiencing authentication problems can manually resolve the issue by disabling the DisableCapiOverrideForRSA registry key. The DisableCapiOverrideForRSA registry key will be removed in April 2026, and users are advised to work with their application vendors to resolve the underlying problem. Microsoft also fixed another known issue breaking IIS websites and HTTP/2 localhost (127.0.0.1) connections after installing recent Windows security updates. Microsoft has released out-of-band (OOB) security updates for a critical-severity Windows Server Update Service (WSUS) vulnerability (CVE-2025-59287) with publicly available proof-of-concept exploit code. The vulnerability can be exploited remotely in low-complexity attacks that do not require user interaction, allowing threat actors without privileges to target vulnerable systems and run malicious code with SYSTEM privileges. Microsoft has released security updates for all impacted Windows Server versions, including Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012. Workarounds for admins who can't immediately install these emergency patches include disabling the WSUS Server Role or blocking all inbound traffic to Ports 8530 and 8531 on the host firewall. The OOB update supersedes all previous updates for affected versions, and users are advised to install it as soon as possible. A new Windows zero-day vulnerability allows attackers to crash the Remote Access Connection Manager (RasMan) service. The RasMan service is a critical Windows system service that runs with SYSTEM-level privileges. The zero-day flaw is a denial-of-service (DoS) vulnerability that affects all Windows versions, including Windows 7 through Windows 11 and Windows Server 2008 R2 through Server 2025. The flaw allows unprivileged users to crash the RasMan service due to a coding error in how it processes circular linked lists. ACROS Security provides free, unofficial security patches for this Windows RasMan zero-day via its 0patch micropatching service. The micropatch can be installed by creating an account and installing the 0Patch agent, which applies the patch automatically without requiring a restart.

Open in new tab

Increased Scanning for PAN-OS GlobalProtect Vulnerability

SANS Internet Storm Center has observed a significant rise in internet-wide scans targeting the critical PAN-OS GlobalProtect vulnerability (CVE-2024-3400). This flaw, disclosed last year, allows unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls. The scans involve attempts to upload and retrieve files, indicating potential pre-exploit staging activities. The vulnerability is a command injection flaw that can be exploited to gain unauthorized access and control over vulnerable firewalls. This development underscores the ongoing threat posed by unpatched systems and the importance of timely security updates. The scans are part of a broader trend of increased cyber activity targeting critical infrastructure and enterprise networks.

Open in new tab

Critical Azure Entra ID Vulnerability Exposes Cross-Tenant Access Risks

A critical elevation of privilege (EoP) vulnerability in Azure Entra ID (formerly Azure Active Directory) could have allowed unauthorized access to virtually any Entra ID tenant. The flaw, tracked as CVE-2025-55241, stems from an authentication failure in the Azure AD Graph API, enabling the creation of impersonation tokens for cross-tenant access. The vulnerability was discovered in July 2025 and addressed over the summer, with no evidence of exploitation in the wild. The flaw highlights significant security gaps in Azure's authentication stack, particularly around undocumented 'Actor' tokens used for backend service-to-service communications. These tokens lack essential security controls, such as revocation capabilities, conditional access policies, and visibility, making them highly dangerous. The Azure AD Graph API, despite being scheduled for deprecation, is still used by many Microsoft applications, underscoring the broader implications of this vulnerability. The flaw was reported to Microsoft on July 14, 2025, and the company confirmed that the problem was resolved nine days later. The vulnerability has been assigned the maximum CVSS score of 10.0. It allowed impersonation of any user, including Global Administrators, across any tenant. The flaw could bypass multi-factor authentication (MFA), Conditional Access, and logging, leaving no trace. The flaw was addressed by Microsoft as of July 17, 2025, requiring no customer action. The Azure AD Graph API has been officially deprecated and retired as of August 31, 2025.

Open in new tab