Enlarge (credit: Getty Images)

Microsoft said the corporate account of one of its engineers was hacked by a highly skilled threat actor that acquired a signing key used to hack dozens of Azure and Exchange accounts belonging to high-profile users.

The disclosure solves two mysteries at the center of a disclosure Microsoft made in July . The company said that hackers tracked as Storm-0558 had been inside its corporate network for more than a month and had gained access to Azure and Exchange accounts, several of which were later identified as belonging to the US Departments of State and Commerce. Storm-0558 pulled off the feat by obtaining an expired Microsoft account consumer signing key and using it to forge tokens for Microsoft’s supposedly fortified Azure AD cloud service.

The disclosure left two of the most important questions unanswered. Specifically, how was a credential as sensitive as the consumer signing key stolen from Microsoft’s network, and how could it sign tokens for Azure, which is built on an entirely different infrastructure?

Apple and Microsoft have argued with Brussels that some of their services are insufficiently popular to be designated as “gatekeepers” under new landmark EU legislation designed to curb the power of Big Tech.

Brussels’ battle with the two US companies over Apple’s iMessage chat app and Microsoft’s Bing search engine comes ahead of Wednesday’s publication of the first list of services to be regulated by the Digital Markets Act.

The legislation imposes new responsibilities on tech companies, including sharing data, linking to competitors, and making their services interoperable with rival apps.

Enlarge / If this kind of thing raises your eyebrows, there's a whole lot more inside a ribbon bar for you. (credit: Anaconda)

If you’re decent in Python (or aspire to be) but don’t have the chops for advanced data work in Excel, Microsoft now offers the kind of peanut butter-and-chocolate combination that you may consider a gift. At least until it goes behind the paywall.

Microsoft's Stefan Kinnestrand, writing about “the best of both worlds for data analysis and visualization,” writes that this public preview of Python in Excel will allow spreadsheet tinkerers to “manipulate and explore data in Excel using Python plots and libraries and then use Excel's formulas, charts, and PivotTables to further refine your insights.”

Microsoft partnered with Python analytics repository Anaconda to bring libraries like Pandas, Statsmodels, and Matplotlib into Excel. Python in Excel runs on Microsoft’s cloud servers, and the company is touting the security that should offer . Python runs in isolated containers, with no access to devices, your network, or user tokens, Microsoft states. Python and Excel can only really talk to each other through limited functions—xl() and =PY()—that can only return code results, not macros, VBA code, or other data, Microsoft claims.

Enlarge / Ubisoft could be the new home to Activision's streaming catalog under a new proposal from Microsoft. (credit: Ubisoft)

In a major restructuring of its long-proposed acquisition plans for Activision Blizzard , Microsoft has announced that the cloud-streaming rights for current and future Activision titles will be controlled by Ubisoft rather than Microsoft itself. The move is an effort to ameliorate concerns from UK regulators who blocked the proposed acquisition in April over potential impacts on competition in the cloud-gaming space.

The newly proposed deal covers perpetual, worldwide streaming rights for all current Activision games and those released in the next 15 years, according to an announcement from Microsoft Vice Chair President Brad Smith. Ubisoft will have exclusive control of those streaming rights outside of the European Union, allowing the company to make those games available on its own Ubisoft+ service and to license them out to other cloud-gaming providers (including Microsoft itself). In the EU, Microsoft will pay to license those Activision streaming rights back from Ubisoft to satisfy promises made to the European Commission regarding free licensing to competing cloud-gaming providers.

In a statement provided to Ars Technica, Ubisoft said the deal would allow Activision titles to be offered via Ubisoft+ Multi Access on PC, Xbox, and Amazon Luna, as well as via Ubisoft+ Classics on PlayStation . "Today’s deal will give players even more opportunities to access and enjoy some of the biggest brands in gaming," said Chris Early, Ubisoft SVP of Strategic Partnerships and Business Development, in the statement.

Artist interpretation of the creatures talking about your mom on Xbox Live last night. (credit: Aurich Lawson / Thinkstock)

This week, Microsoft is rolling out a newly standardized strike-based system laying out tiered enforcement plans for violations of the existing Xbox Community Standards . The intent, Microsoft says, is to give players "clarity into how their behavior impacts their experience." But the system's time-based "eight strikes and you're out" system and the relative severity of certain sample infractions are already drawing perplexed comments from some corners.

As outlined in a Tuesday post on Xbox Wire , the new strike enforcement program will impose more stringent penalties for successive infractions, a system Microsoft says is modeled after "demerit strikes used in driver’s license systems in many countries." Successive strikes will lead to suspensions from Xbox Live for one day to a maximum of 365 days, according to the following scale:

• 1 strike: 1-day suspension
• 2 strikes: 1-day suspension
• 3 strikes: 3-day suspension
• 4 strikes: 7-day suspension
• 5 strikes: 14-day suspension
• 6 strikes: 21-day suspension
• 7 strikes: 60-day suspension
• 8 strikes: 365-day suspension

A sample "User Journey" outlining how the new strike-based enforcement system can shake out. (credit: Microsoft )

Not all potential infractions are treated equally under this rubric, though; Microsoft notes that the number of strikes per enforcement action can "range in severity based on inappropriate activity" and are "based on the severity of [the user's] actions." While Microsoft hasn't published a complete list of how many strikes are associated with each different type of infraction, a sample "User Journey" graphic in the blog post includes a list of the following "examples of strikes added for each type of action."

Enlarge / Building with Microsoft logo. (credit: Getty Images)

It’s looking more and more likely that a critical zero-day vulnerability that went unfixed for more than a month in Microsoft Exchange was the cause of one of the UK’s biggest hacks ever—the breach of the country’s Electoral Commission, which exposed data for as many as 40 million residents.

Electoral Commission officials disclosed the breach on Tuesday. They said that they discovered the intrusion last October when they found “suspicious activity” on their networks and that “hostile actors had first accessed the systems in August 2021.” That means the attackers were in the network for 14 months before finally being driven out. The Commission waited nine months after that to notify the public.

The compromise gave the attackers access to a host of personal information, including names and addresses of people registered to vote from 2014 to 2022. Spokespeople for the Commission said the number of affected voters could be as high as 40 million. The Commission has not yet said what the cause of the breach or the means of initial entry was.

Enlarge (credit: Getty Images)

A US senator is calling on the Justice Department to hold Microsoft responsible for “negligent cybersecurity practices” that enabled Chinese espionage hackers to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce.

“Holding Microsoft responsible for its negligence will require a whole-of-government effort,” Ron Wyden (D-Ore.) wrote in a letter . It was sent on Thursday to the heads of the Justice Department, Cybersecurity and Infrastructure Security Agency, and the Federal Trade Commission.

Bending over backward

Wyden’s remarks echo those of other critics who say Microsoft is withholding key details about a recent hack. In disclosures involving the incident so far, Microsoft has bent over backwards to avoid saying its infrastructure—including the Azure Active Directory , a supposedly fortified part of Microsoft’s cloud offerings that large organizations use to manage single sign-on and multifactor authentication—was breached. The critics have said that details Microsoft has disclosed so far lead to the inescapable conclusion that vulnerabilities in code for Azure AD and other cloud offerings were exploited to pull off the successful hack.

Enlarge (credit: Getty Images)

European Union regulators have opened a formal investigation into claims that Microsoft is unfairly bundling its Teams video conferencing app with its popular Office software as Brussels intensifies its scrutiny of big technology groups.

The European Commission, the executive body of the EU, said on Thursday that it feared Microsoft “may be abusing and defending” its market dominance in productivity software “by restricting competition.”

It was concerned the US tech giant may grant Teams “distribution advantages by not giving customers the choice” over access to the product, the statement said.