And let's not forget ...
That whoever does hijack a domain like this can also get an SSL cert for it - all that's required for that is to be able to place a file in the site for the cert validator to check to "prove ownership" of the domain. So:
subdomain of microsoft.com - tick
has SSL cert (padlock icon in address bar) - tick
What could possibly go wrong!
TBH, having managed DNS before (but definitely not on such a grand scale), it's a PITA. When a business (customer in our case) wants something there's an obvious trigger - register domain for customer, set up DNS. When that need goes away, no-one can be ar*ed telling you about it - so you need to run frequent checks so you can infer when a domain (or subdomain in this case) is no longer needed, and either nuke it, or invoke procedures to check and then nuke it.
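The periodic check described in the comment above, sketched as an added example that is not part of the original post: it reads CNAME records from a zone listing and reports those whose target no longer resolves, as candidates for review before removal. The zone contents, the `example.test` names and the function names are constructed for illustration.

```python
import socket

# Constructed sample zone listing (owner, type, target); not real data.
SAMPLE_ZONE = """\
; customer zone export
www.example.test.        CNAME  web-prod.hosting.example.
promo2019.example.test.  CNAME  promo2019-app.cloudhost.example.
shop.example.test.       3600 IN CNAME shop-frontend.cloudhost.example.
mail.example.test.       A      192.0.2.25
"""

def parse_cnames(zone_text):
    """Return (owner, target) pairs for every CNAME line in a simple zone listing."""
    pairs = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop ';' comments
        # Accept "owner [ttl] [class] CNAME target".
        if "CNAME" in (f.upper() for f in fields[1:-1]):
            pairs.append((fields[0], fields[-1]))
    return pairs

def system_resolves(hostname):
    """True if the system resolver returns at least one address for hostname."""
    try:
        socket.getaddrinfo(hostname.rstrip("."), None)
        return True
    except socket.gaierror:
        # Also raised on transient lookup failures, so results need a human check.
        return False

def find_dangling(zone_text, resolves=system_resolves):
    """List CNAME records whose target does not resolve (review, then remove)."""
    return [(owner, target)
            for owner, target in parse_cnames(zone_text)
            if not resolves(target)]

if __name__ == "__main__":
    for owner, target in find_dangling(SAMPLE_ZONE):
        print(f"REVIEW: {owner} -> {target} (target does not resolve)")
```

A target that still resolves can also be stale if the hosted resource behind it has been released, so this is a first-pass filter rather than a complete inventory check.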