Microsoft to Strengthen Entra ID Sign-Ins Against Script Injection Attacks
Summary
Microsoft plans to enhance the security of Entra ID authentication by implementing a strengthened Content Security Policy (CSP) starting in mid-to-late October 2026. This update will allow script downloads only from Microsoft-trusted content delivery network domains and inline script execution only from Microsoft-trusted sources during sign-ins. The policy aims to protect users against cross-site scripting (XSS) attacks, where attackers inject malicious code to steal credentials or compromise systems. The update will apply only to browser-based sign-in experiences at URLs beginning with login.microsoftonline.com, excluding Microsoft Entra External ID. Microsoft urges organizations to test sign-in scenarios before the deadline to identify and address dependencies on code-injection tools. IT administrators can review sign-in flows in the browser developer console to identify violations. Enterprise customers are advised to stop using browser extensions and tools that inject code or scripts into sign-in pages before the change takes effect. This move is part of Microsoft's Secure Future Initiative (SFI), launched in November 2023, following a report by the Cyber Safety Review Board of the U.S. Department of Homeland Security. The initiative also includes updates to Microsoft 365 security defaults to block access to SharePoint, OneDrive, and Office files via legacy authentication protocols, and the disabling of all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 apps. Additionally, Microsoft has expanded its bug bounty program to cover all online services, including third-party and open-source components, if they impact Microsoft online services. The company has paid over $17 million in bounty awards to 344 security researchers over the last 12 months, and another $16.6 million to 343 security researchers during the previous year. 
Microsoft has deployed over 50 new detections in its infrastructure to target high-priority tactics, techniques, and procedures. The adoption of phishing-resistant multi-factor authentication (MFA) for users and devices has hit 99.6%. Microsoft has enforced mandatory MFA across all services, including for all Azure service users. The company has also introduced automatic recovery capabilities via Quick Machine Recovery, expanded passkey and Windows Hello support, and improved memory safety in UEFI firmware and drivers by using Rust. Microsoft has migrated 95% of Microsoft Entra ID signing VMs to Azure Confidential Compute and moved 94.3% of Microsoft Entra ID security token validation to its standard identity Software Development Kit (SDK). The company has discontinued the use of Active Directory Federation Services (ADFS) in its productivity environment and decommissioned 560,000 additional unused and aged tenants and 83,000 unused Microsoft Entra ID apps across Microsoft production and productivity environments. Microsoft has advanced threat hunting by centrally tracking 98% of production infrastructure, achieved complete network device inventory and mature asset lifecycle management, and almost entirely locked code signing to production identities. The company has published 1,096 CVEs, including 53 no-action cloud CVEs, and paid out $17 million in bounties. Microsoft plans to introduce smartphone-style app permission prompts in Windows 11 to request user consent before apps can access sensitive resources such as files, cameras, and microphones. The "Windows Baseline Security Mode" and "User Transparency and Consent" changes will prompt for permission when apps try to install unwanted software or access sensitive resources, allowing users to change their choices at any time.
Baseline Security Mode will enable runtime integrity safeguards by default, ensuring that only properly signed apps, services, and drivers can run, but allowing users and IT administrators to override these safeguards for specific apps when needed.
Timeline
- 10.02.2026 15:16 · 1 article · 23h ago
Microsoft to Introduce Smartphone-Style App Permission Prompts in Windows 11
Microsoft plans to introduce smartphone-style app permission prompts in Windows 11 to request user consent before apps can access sensitive resources such as files, cameras, and microphones. The "Windows Baseline Security Mode" and "User Transparency and Consent" changes will prompt for permission when apps try to install unwanted software or access sensitive resources, allowing users to change their choices at any time. Baseline Security Mode will enable runtime integrity safeguards by default, ensuring that only properly signed apps, services, and drivers can run, but allowing users and IT administrators to override these safeguards for specific apps when needed. The changes will roll out as part of a phased approach developed in close partnership with developers, enterprises, and ecosystem partners, with Microsoft planning to adjust the rollout and the controls based on feedback.
- Microsoft announces new mobile-style Windows security controls — www.bleepingcomputer.com — 10.02.2026 15:16
- 26.11.2025 15:26 · 4 articles · 2mo ago
Microsoft to Implement Strengthened Content Security Policy for Entra ID Sign-Ins
Microsoft plans to enhance the security of Entra ID authentication by implementing a strengthened Content Security Policy (CSP) starting in mid-to-late October 2026. This update will allow script downloads only from Microsoft-trusted content delivery network domains and inline script execution only from Microsoft-trusted sources during sign-ins. The policy aims to protect users against cross-site scripting (XSS) attacks, where attackers inject malicious code to steal credentials or compromise systems. The update will apply only to browser-based sign-in experiences at URLs beginning with login.microsoftonline.com, excluding Microsoft Entra External ID. Microsoft urges organizations to test sign-in scenarios before the deadline to identify and address dependencies on code-injection tools. IT administrators can review sign-in flows in the browser developer console to identify violations. Enterprise customers are advised to stop using browser extensions and tools that inject code or scripts into sign-in pages before the change takes effect. This move is part of Microsoft's Secure Future Initiative (SFI), launched in November 2023, following a report by the Cyber Safety Review Board of the U.S. Department of Homeland Security. The initiative also includes updates to Microsoft 365 security defaults to block access to SharePoint, OneDrive, and Office files via legacy authentication protocols, and the disabling of all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 apps. Additionally, Microsoft has expanded its bug bounty program to cover all online services, including third-party and open-source components, if they impact Microsoft online services. The company has paid over $17 million in bounty awards to 344 security researchers over the last 12 months, and another $16.6 million to 343 security researchers during the previous year. 
Microsoft has deployed over 50 new detections in its infrastructure to target high-priority tactics, techniques, and procedures. The adoption of phishing-resistant multi-factor authentication (MFA) for users and devices has hit 99.6%. Microsoft has enforced mandatory MFA across all services, including for all Azure service users. The company has also introduced automatic recovery capabilities via Quick Machine Recovery, expanded passkey and Windows Hello support, and improved memory safety in UEFI firmware and drivers by using Rust. Microsoft has migrated 95% of Microsoft Entra ID signing VMs to Azure Confidential Compute and moved 94.3% of Microsoft Entra ID security token validation to its standard identity Software Development Kit (SDK). The company has discontinued the use of Active Directory Federation Services (ADFS) in its productivity environment and decommissioned 560,000 additional unused and aged tenants and 83,000 unused Microsoft Entra ID apps across Microsoft production and productivity environments. Microsoft has advanced threat hunting by centrally tracking 98% of production infrastructure, achieved complete network device inventory and mature asset lifecycle management, and almost entirely locked code signing to production identities. The company has published 1,096 CVEs, including 53 no-action cloud CVEs, and paid out $17 million in bounties.
- Microsoft to secure Entra ID sign-ins from script injection attacks — www.bleepingcomputer.com — 26.11.2025 15:26
- Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update — thehackernews.com — 27.11.2025 17:37
- Microsoft bounty program now includes any flaw impacting its services — www.bleepingcomputer.com — 11.12.2025 18:00
- Microsoft announces new mobile-style Windows security controls — www.bleepingcomputer.com — 10.02.2026 15:16
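To make the mechanism behind the announcement concrete, here is an added example (not code from the articles or from Microsoft) that models how a CSP `script-src` directive of the kind described decides which scripts on a sign-in page may run, and reports the ones it would refuse, which is what a team testing its sign-in flows is looking for in the developer console. The policy string, CDN host names, nonce and sample scripts are constructed for illustration; Microsoft's real policy is not published on this page.

```javascript
// Added example, not the article's or Microsoft's code. Everything below
// (policy, hosts, nonce, scripts) is constructed for illustration.

// Parse the script-src directive of a CSP header value into a structured policy.
function parseScriptSrc(cspHeader) {
  const directive = cspHeader
    .split(";")
    .map((d) => d.trim())
    .find((d) => d === "script-src" || d.startsWith("script-src "));
  if (!directive) return null;
  const policy = { self: false, unsafeInline: false, nonces: [], hosts: [] };
  const sources = directive.slice("script-src".length).trim().split(/\s+/).filter(Boolean);
  for (const src of sources) {
    if (src === "'self'") policy.self = true;
    else if (src === "'unsafe-inline'") policy.unsafeInline = true;
    else if (src.startsWith("'nonce-") && src.endsWith("'")) policy.nonces.push(src.slice(7, -1));
    else policy.hosts.push(src.toLowerCase());
  }
  return policy;
}

// Match one host-source expression ("https://cdn.example.net", "https://*.example.net")
// against a script URL. Simplified model: a source without a scheme matches any scheme,
// and ports are ignored.
function hostMatches(source, url) {
  const u = new URL(url);
  let pattern = source;
  const schemeEnd = pattern.indexOf("://");
  if (schemeEnd !== -1) {
    if (pattern.slice(0, schemeEnd) + ":" !== u.protocol) return false;
    pattern = pattern.slice(schemeEnd + 3);
  }
  pattern = pattern.replace(/[/:].*$/, ""); // drop any port or path part
  if (pattern.startsWith("*.")) return u.hostname.endsWith(pattern.slice(1));
  return u.hostname === pattern;
}

// Decide whether one script is permitted. A script is either
// { kind: "external", url } or { kind: "inline", nonce }.
function isScriptAllowed(policy, script, pageOrigin) {
  if (script.kind === "inline") {
    // Once a nonce (or hash) source is present, CSP ignores 'unsafe-inline',
    // so an inline script runs only if it carries a matching nonce.
    if (policy.nonces.length > 0) return policy.nonces.includes(script.nonce);
    return policy.unsafeInline;
  }
  if (policy.self && new URL(script.url).origin === pageOrigin) return true;
  return policy.hosts.some((h) => hostMatches(h, script.url));
}

// List the scripts the page would refuse under the policy, with a reason each:
// the same information a developer-console CSP violation message conveys.
function auditSignInScripts(cspHeader, scripts, pageOrigin) {
  const policy = parseScriptSrc(cspHeader);
  return scripts
    .filter((s) => !isScriptAllowed(policy, s, pageOrigin))
    .map((s) => ({
      source: s.source,
      reason:
        s.kind === "inline"
          ? "inline script without a nonce the policy trusts"
          : `host not allowed by script-src: ${new URL(s.url).hostname}`,
    }));
}

// Constructed policy of the shape described: trusted CDN hosts plus a per-response nonce.
const SAMPLE_CSP =
  "default-src 'self'; script-src 'self' https://cdn.trusted-example.net https://*.static-example.net 'nonce-r4nd0m'";
const PAGE_ORIGIN = "https://login.microsoftonline.com";

// Constructed scripts a sign-in page might encounter (none are real Microsoft assets).
const SAMPLE_SCRIPTS = [
  { source: "page bundle from trusted CDN", kind: "external", url: "https://cdn.trusted-example.net/auth/bundle.js" },
  { source: "same-origin helper", kind: "external", url: "https://login.microsoftonline.com/static/helper.js" },
  { source: "page inline bootstrap (nonced)", kind: "inline", nonce: "r4nd0m" },
  { source: "script tag added by an extension", kind: "external", url: "https://helper.extension-example.org/inject.js" },
  { source: "inline snippet added by a tool", kind: "inline" },
];

console.log(JSON.stringify(auditSignInScripts(SAMPLE_CSP, SAMPLE_SCRIPTS, PAGE_ORIGIN), null, 2));
```

Run with `node`: the two scripts that originate outside the trusted hosts, or are inline without the page's nonce, are the ones reported, matching the advice to remove extensions and tools that inject into the sign-in page rather than trying to work around the policy. The nonce handling also shows why a page that carries a nonce cannot be "fixed" by adding `'unsafe-inline'`: the browser ignores that keyword once a nonce or hash is present.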
Information Snippets
- Microsoft will implement a strengthened Content Security Policy (CSP) for Entra ID sign-ins starting in mid-to-late October 2026.
First reported: 26.11.2025 15:26 · 2 sources, 2 articles
- Microsoft to secure Entra ID sign-ins from script injection attacks — www.bleepingcomputer.com — 26.11.2025 15:26
- Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update — thehackernews.com — 27.11.2025 17:37
- The CSP will allow script downloads only from Microsoft-trusted content delivery network domains and inline script execution only from Microsoft-trusted sources.
First reported: 26.11.2025 15:26 · 2 sources, 2 articles
- Microsoft to secure Entra ID sign-ins from script injection attacks — www.bleepingcomputer.com — 26.11.2025 15:26
- Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update — thehackernews.com — 27.11.2025 17:37
- The update aims to protect against cross-site scripting (XSS) attacks by blocking unauthorized or injected code during the sign-in experience.
First reported: 26.11.2025 15:26 · 2 sources, 2 articles
- Microsoft to secure Entra ID sign-ins from script injection attacks — www.bleepingcomputer.com — 26.11.2025 15:26
- Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update — thehackernews.com — 27.11.2025 17:37
- The policy will apply only to browser-based sign-in experiences at URLs beginning with login.microsoftonline.com, excluding Microsoft Entra External ID.
First reported: 26.11.2025 15:26 · 2 sources, 2 articles
- Microsoft to secure Entra ID sign-ins from script injection attacks — www.bleepingcomputer.com — 26.11.2025 15:26
- Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update — thehackernews.com — 27.11.2025 17:37
- Organizations are urged to test sign-in scenarios before the deadline to identify and address dependencies on code-injection tools.
First reported: 26.11.2025 15:26 · 2 sources, 2 articles
- Microsoft to secure Entra ID sign-ins from script injection attacks — www.bleepingcomputer.com — 26.11.2025 15:26
- Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update — thehackernews.com — 27.11.2025 17:37
- IT administrators can review sign-in flows in the browser developer console to identify violations, which will appear in red text with details about the blocked scripts.
First reported: 26.11.2025 15:26 · 2 sources, 2 articles
- Microsoft to secure Entra ID sign-ins from script injection attacks — www.bleepingcomputer.com — 26.11.2025 15:26
- Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update — thehackernews.com — 27.11.2025 17:37
- Enterprise customers are advised to stop using browser extensions and tools that inject code or scripts into sign-in pages before the change takes effect.
First reported: 26.11.2025 15:26 · 2 sources, 2 articles
- Microsoft to secure Entra ID sign-ins from script injection attacks — www.bleepingcomputer.com — 26.11.2025 15:26
- Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update — thehackernews.com — 27.11.2025 17:37
- This update is part of Microsoft's Secure Future Initiative (SFI), launched in November 2023, following a report by the Cyber Safety Review Board of the U.S. Department of Homeland Security.
First reported: 26.11.2025 15:26 · 2 sources, 4 articles
- Microsoft to secure Entra ID sign-ins from script injection attacks — www.bleepingcomputer.com — 26.11.2025 15:26
- Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update — thehackernews.com — 27.11.2025 17:37
- Microsoft bounty program now includes any flaw impacting its services — www.bleepingcomputer.com — 11.12.2025 18:00
- Microsoft announces new mobile-style Windows security controls — www.bleepingcomputer.com — 10.02.2026 15:16
- The initiative also includes updates to Microsoft 365 security defaults to block access to SharePoint, OneDrive, and Office files via legacy authentication protocols, and the disabling of all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 apps.
First reported: 26.11.2025 15:26 · 2 sources, 4 articles
- Microsoft to secure Entra ID sign-ins from script injection attacks — www.bleepingcomputer.com — 26.11.2025 15:26
- Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update — thehackernews.com — 27.11.2025 17:37
- Microsoft bounty program now includes any flaw impacting its services — www.bleepingcomputer.com — 11.12.2025 18:00
- Microsoft announces new mobile-style Windows security controls — www.bleepingcomputer.com — 10.02.2026 15:16
- Microsoft has deployed over 50 new detections in its infrastructure to target high-priority tactics, techniques, and procedures.
First reported: 27.11.2025 17:37 · 1 source, 1 article
- Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update — thehackernews.com — 27.11.2025 17:37
- The adoption of phishing-resistant multi-factor authentication (MFA) for users and devices has hit 99.6%.
First reported: 27.11.2025 17:37 · 1 source, 1 article
- Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update — thehackernews.com — 27.11.2025 17:37
- Microsoft has enforced mandatory MFA across all services, including for all Azure service users.
First reported: 27.11.2025 17:37 · 1 source, 1 article
- Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update — thehackernews.com — 27.11.2025 17:37
- Microsoft has introduced automatic recovery capabilities via Quick Machine Recovery, expanded passkey and Windows Hello support, and improved memory safety in UEFI firmware and drivers by using Rust.
First reported: 27.11.2025 17:37 · 1 source, 1 article
- Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update — thehackernews.com — 27.11.2025 17:37
- Microsoft has migrated 95% of Microsoft Entra ID signing VMs to Azure Confidential Compute and moved 94.3% of Microsoft Entra ID security token validation to its standard identity Software Development Kit (SDK).
First reported: 27.11.2025 17:37 · 1 source, 1 article
- Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update — thehackernews.com — 27.11.2025 17:37
- Microsoft has discontinued the use of Active Directory Federation Services (ADFS) in its productivity environment.
First reported: 27.11.2025 17:37 · 1 source, 1 article
- Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update — thehackernews.com — 27.11.2025 17:37
- Microsoft has decommissioned 560,000 additional unused and aged tenants and 83,000 unused Microsoft Entra ID apps across Microsoft production and productivity environments.
First reported: 27.11.2025 17:37 · 1 source, 1 article
- Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update — thehackernews.com — 27.11.2025 17:37
- Microsoft has advanced threat hunting by centrally tracking 98% of production infrastructure.
First reported: 27.11.2025 17:37 · 1 source, 1 article
- Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update — thehackernews.com — 27.11.2025 17:37
- Microsoft has achieved complete network device inventory and mature asset lifecycle management.
First reported: 27.11.2025 17:37 · 1 source, 1 article
- Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update — thehackernews.com — 27.11.2025 17:37
- Microsoft has almost entirely locked code signing to production identities.
First reported: 27.11.2025 17:37 · 1 source, 1 article
- Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update — thehackernews.com — 27.11.2025 17:37
- Microsoft has published 1,096 CVEs, including 53 no-action cloud CVEs, and paid out $17 million in bounties.
First reported: 27.11.2025 17:37 · 2 sources, 2 articles
- Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update — thehackernews.com — 27.11.2025 17:37
- Microsoft bounty program now includes any flaw impacting its services — www.bleepingcomputer.com — 11.12.2025 18:00
- Microsoft has expanded its bug bounty program to cover all online services, including third-party and open-source components, if they impact Microsoft online services.
First reported: 11.12.2025 18:00 · 1 source, 1 article
- Microsoft bounty program now includes any flaw impacting its services — www.bleepingcomputer.com — 11.12.2025 18:00
- The expanded bounty program includes critical vulnerabilities in any Microsoft online service, regardless of whether the code is owned and managed by Microsoft, a third-party, or is open source.
First reported: 11.12.2025 18:00 · 1 source, 1 article
- Microsoft bounty program now includes any flaw impacting its services — www.bleepingcomputer.com — 11.12.2025 18:00
- Microsoft has paid over $17 million in bounty awards to 344 security researchers over the last 12 months, and another $16.6 million to 343 security researchers during the previous year.
First reported: 11.12.2025 18:00 · 1 source, 1 article
- Microsoft bounty program now includes any flaw impacting its services — www.bleepingcomputer.com — 11.12.2025 18:00
- Microsoft plans to introduce smartphone-style app permission prompts in Windows 11 to request user consent before apps can access sensitive resources such as files, cameras, and microphones.
First reported: 10.02.2026 15:16 · 1 source, 1 article
- Microsoft announces new mobile-style Windows security controls — www.bleepingcomputer.com — 10.02.2026 15:16
- The "Windows Baseline Security Mode" and "User Transparency and Consent" changes will prompt for permission when apps try to install unwanted software or access sensitive resources, allowing users to change their choices at any time.
First reported: 10.02.2026 15:16 · 1 source, 1 article
- Microsoft announces new mobile-style Windows security controls — www.bleepingcomputer.com — 10.02.2026 15:16
- Baseline Security Mode will enable runtime integrity safeguards by default, ensuring that only properly signed apps, services, and drivers can run, but allowing users and IT administrators to override these safeguards for specific apps when needed.
First reported: 10.02.2026 15:16 · 1 source, 1 article
- Microsoft announces new mobile-style Windows security controls — www.bleepingcomputer.com — 10.02.2026 15:16
- The changes will roll out as part of a phased approach developed in close partnership with developers, enterprises, and ecosystem partners, with Microsoft planning to adjust the rollout and the controls based on feedback.
First reported: 10.02.2026 15:16 · 1 source, 1 article
- Microsoft announces new mobile-style Windows security controls — www.bleepingcomputer.com — 10.02.2026 15:16
Similar Happenings
Microsoft Teams Adds Call Reporting Feature for Suspicious Activity
Microsoft is introducing a "Report a Call" feature in Teams by mid-March, allowing users to flag suspicious or unwanted calls. The feature will be enabled by default and will share limited metadata with organizations and Microsoft. This update aims to provide organizations with visibility into potential scams or phishing attempts. The feature will roll out to Targeted Release customers in mid-March and reach general availability worldwide by late April.
Microsoft Enforces MFA for Microsoft 365 Admin Center Access
Microsoft will enforce multi-factor authentication (MFA) for all users accessing the Microsoft 365 admin center starting February 9, 2026. This move aims to enhance security by preventing unauthorized access and protecting sensitive data. The enforcement follows a gradual rollout that began in February 2025. Admins without MFA enabled will be blocked from signing in, potentially disrupting IT operations. Microsoft urges immediate action to avoid access issues and provides guidance for configuring MFA through its setup wizard or official documentation.
DarkSpectre Campaigns Target 8.8 Million Users with Malicious Browser Extensions
A Chinese threat actor, DarkSpectre, has been linked to three malicious browser extension campaigns—ShadyPanda, GhostPoster, and The Zoom Stealer—which have collectively impacted 8.8 million users across Google Chrome, Microsoft Edge, and Mozilla Firefox over seven years. The campaigns facilitate data theft, search query hijacking, affiliate fraud, and corporate espionage by exfiltrating meeting-related data from video conferencing platforms. Additionally, five new malicious Chrome extensions impersonating HR and ERP platforms have been discovered, targeting Workday, NetSuite, and SAP SuccessFactors to hijack accounts. These extensions steal authentication tokens, block incident response capabilities, and enable complete account takeover through session hijacking. The extensions, some of which were recently taken down, used delayed activation and benign updates to evade detection and build trust before deploying malicious functionality. The extensions were designed to look polished and professional, with some claiming to contain security features to prevent account compromise. They engaged in a range of actions to take control of accounts, including extracting authentication cookies and uploading them to a command and control (C2) server every 60 seconds. The extensions prevented passwords from being changed to help ensure stolen access tokens remained valid indefinitely and prevented security teams from locking out compromised accounts during remediation. Administrators attempting to disable an affected user's account encountered a blank page and redirect loop. Socket recommended that organizations implement Chrome Enterprise extension allowlists to prevent installation of unauthorized extensions and monitor for extensions targeting the same enterprise platforms with similar permission requests.
Microsoft Teams to integrate external user blocking via Defender for Office 365
Microsoft will introduce a new feature in Microsoft Teams that allows security administrators to block external users from sending messages, calls, or meeting invitations to their organization's members. This feature will be integrated with Defender for Office 365, enabling centralized management of blocked external contacts through the Tenant Allow/Block List in the Microsoft Defender portal. The rollout begins in early January 2026 and is expected to complete by mid-January 2026. The feature aims to enhance security and compliance by preventing cybercrime gangs, including ransomware groups, from exploiting Teams for social engineering attacks. Additionally, Teams will warn admins about suspicious traffic from external domains and automatically strengthen messaging security by default.
Microsoft Teams Enables Default Messaging Safety Features
Microsoft Teams will automatically enable key messaging safety features by default starting January 12, 2026. This update includes weaponizable file type protection, malicious URL detection, and a system for reporting false positives. The change aims to strengthen defenses against malicious content and is part of Microsoft's response to increased cybersecurity risks. Organizations that have previously customized these settings will not be affected. Administrators are advised to review and adjust their configurations before the deadline to prevent automatic activation.