Oh wow thanks. That's unbelievably stupid on MS part. I thought it was a general rule you never allow customer content to be served on any branded DNS zone (since inevitably it'll be a cesspit of malware). But wait...why the doesn't Google blacklist .windows.net like they would if I ran a customer hosting service under .mycompany.com ?
Looks like it's Azure stuff, not an actual compromise of Microsoft services.