Two distinct Microsoft ecosystem risks are active this week. The Pink Extortion Group is conducting a vishing and MFA fatigue campaign against Microsoft 365 enterprise accounts, with confirmed tactics including voice phishing, MFA push notification flooding, and post-access data exfiltration. Separately, Microsoft has implemented a two-hour auto-update delay for Visual Studio Code extensions in response to a documented pattern of malicious extensions propagating through the Visual Studio Marketplace. The delay is a supply chain control with a material gap: extensions from verified publishers, including Microsoft, GitHub, and OpenAI, bypass it entirely.
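One way to hunt for the MFA push flooding described above, as an added example that is not part of the original brief: a sliding-window check over exported sign-in events that flags a burst of denied or unanswered pushes and escalates when an approval follows the burst. The event tuple layout, the result labels (`denied`, `timeout`, `approved`), the threshold and the window are assumptions to map onto your identity provider's log schema; the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events: (timestamp, user, push result). Not real tenant data.
SAMPLE_EVENTS = [
    ("2025-01-06T09:00:05", "alice@example.com", "approved"),  # normal sign-in
    ("2025-01-06T02:10:00", "bob@example.com", "denied"),
    ("2025-01-06T02:10:40", "bob@example.com", "timeout"),
    ("2025-01-06T02:11:15", "bob@example.com", "denied"),
    ("2025-01-06T02:12:02", "bob@example.com", "timeout"),
    ("2025-01-06T02:12:50", "bob@example.com", "denied"),
    ("2025-01-06T02:13:30", "bob@example.com", "approved"),    # gives in
    ("2025-01-06T11:00:00", "carol@example.com", "denied"),
    ("2025-01-06T11:00:30", "carol@example.com", "denied"),
    ("2025-01-06T11:01:00", "carol@example.com", "denied"),
    ("2025-01-06T11:01:30", "carol@example.com", "timeout"),
    ("2025-01-06T11:02:00", "carol@example.com", "denied"),    # never approves
    ("2025-01-06T14:00:00", "dave@example.com", "denied"),     # single failure
    ("2025-01-06T14:00:30", "dave@example.com", "approved"),
]

def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users with >= threshold denied/unanswered pushes inside `window`.

    Severity is "high" when an approval lands while the burst is still inside
    the window (the user likely gave in), otherwise "medium".
    """
    parsed = sorted((datetime.fromisoformat(t), u, r) for t, u, r in events)
    recent = defaultdict(deque)  # user -> timestamps of recent failed pushes
    alerts = {}                  # user -> alert record
    for ts, user, result in parsed:
        fails = recent[user]
        while fails and ts - fails[0] > window:
            fails.popleft()      # drop failures that aged out of the window
        if result in ("denied", "timeout"):
            fails.append(ts)
            if len(fails) >= threshold:
                alerts.setdefault(user, {"user": user, "severity": "medium"})
                alerts[user]["failed_pushes"] = len(fails)
        elif result == "approved":
            if len(fails) >= threshold:  # approval directly after a flood
                alerts[user]["severity"] = "high"
                alerts[user]["approved_at"] = ts.isoformat()
            fails.clear()
    return sorted(alerts.values(), key=lambda a: a["user"])

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

A "high" result is the case to triage first, since it marks an approval that may have granted access and should be checked against subsequent mailbox and file activity for the same account.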