Active MDM policies are custom-written and exploited depending on OS type, indicating this is an experienced hacker and malware developer

Peter Jr 0 Reputation points
2025-08-01T18:57:38.5066667+00:00

Dear Microsoft Support Team, I am providing critical additional information regarding the source of this attack. Please note that you will see in my email accounts active MDM policies that are custom-written and exploited depending on OS type, indicating this is an experienced hacker and malware developer, and your assistance is needed so that the FBI has enough to issue subpoenas.


Summary of Findings on ChromeOS Account: During a forensic inspection of my ChromeOS (Crostini Linux container) environment, I discovered a quarantine folder located at:

`/home/sfvnetworks/quarantine/ms-mssql-injected/`

Inside this directory, multiple suspicious Node.js modules and JavaScript files were identified, suggesting the presence of a potentially malicious or unauthorized package installation. The structure included deeply nested node_modules folders containing third-party packages such as path-scurry, cross-spawn, lru-cache, shebang-command, strip-ansi, and others, none of which were intentionally installed by me. The modules appear to be associated with server-side operations or backend automation, commonly used in scripting environments but out of place in a personal Crostini environment with no intentional Node development activity. Additionally, several files indicated that this setup was likely part of a malicious payload or exploit chain designed to execute or reinitialize processes, likely tied to an API call or compliance policy being pushed remotely. The directory naming convention, ms-mssql-injected, raises concern that the packages may have been related to exploiting or embedding malicious scripts into Microsoft SQL services, possibly as part of a larger compromise attempt targeting Microsoft-linked identities or services. A full archive of the evidence has been preserved as:

[https://drive.google.com/file/d/1URlMqSic8mlwiC_YxvGl6Lk4Yq22_PiC/view?usp=sharing](https://drive.google.com/file/d/1URlMqSic8mlwiC_YxvGl6Lk4Yq22_PiC/view?usp=sharing)

`SHA256: c07cea838b6bf4c9525af16b40c4eec150d3cc21e5b8ac051475aed499602c47  /home/sfvnetworks/myserver_evidence_2025-08-01.tar.gz`

This archive contains all files and logs related to the suspicious activity and is available for official investigation or technical review by Microsoft's security team.


Accounts Compromised via Microsoft Platform

- ******@valerolawgroup.com
- ******@valerolawgroup.com (terminated on July 15 from this employer after reporting this)
- ******@gmail.com
- admin@myseo.agency
- ******@google-leads.net
- ******@legal-leads.com
- ******@nerd2hire.com
- ******@nerd2hire.com
- ******@gmail.com
- ******@outlook.com
- ******@outlook.com
- ******@gmail.com
- ******@gmail.com
- ******@outlook.com
- ******@gmail.com
- ******@outlook.com
- ******@gmail.com
- ******@gmail.com
- ******@gmail.com
- ...and potentially 50 or so more email accounts at valerolawgroup.com, which uses Azure to manage its accounts and for which Scott is the IT admin, and more.

Many of the compromised accounts remain tied to dangerous configurations through Microsoft 365, Azure, and Intune. It appears the attacker either uploaded a custom license key or temporarily linked an active license to these accounts before removing it to evade detection. Currently, I only see active Microsoft subscriptions on ******@gmail.com and ******@outlook.com, both of which I manually enrolled into trial subscriptions to investigate the scope of the compromise. However, residual MDM configurations, API-based persistence, and custom compliance policies suggest that backdoor mechanisms remain in place across multiple identities. This warrants immediate review and remediation to ensure the environment is no longer under the attacker's influence.

I attempted to access Microsoft Sentinel via the Security & Compliance Center (https://security.microsoft.com), but received a 400 Bad Request error. This is likely because the attacker previously linked these Microsoft 365, Azure, and Intune resources to his own administrator account and then revoked access from mine. As a result, I no longer have valid permissions or visibility into the compromised tenant, and cannot inspect the security settings or Sentinel logs myself. I believe this was done to cover the trail of unauthorized MDM, API, and policy deployments which persistently re-infect my devices and identities. I'm requesting urgent forensic review and administrative reset or disablement of all related configurations associated with these compromised accounts and tenants. I logged into ******@SFVNetworks509.onmicrosoft.com, which he's using as a paid domain for ******@outook.com, by resetting the password, as ******@outook.com is still the owner of the account he created, and I got the below error. There are many other errors throughout all of the other accounts when I use the credentials he created to perform his attacks. Note that each email I gave earlier has a similar created domain/user. Attached are several:

```
{"message":"Request failed with status code 400","name":"AxiosError","stack":"AxiosError: Request failed with status code 400\n at Ye (https://res.cdn.office.net/scc-resources/resources/ww-v2/scc/static/axios/1.9.0/axios.js:2:31710)\n at XMLHttpRequest.y (https://res.cdn.office.net/scc-resources/resources/ww-v2/scc/static/axios/1.9.0/axios.js:2:36585)\n at e.
```

Microsoft Security | Intune | Microsoft Intune Android
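The post above preserves a quarantine directory as a tar.gz archive with a recorded SHA-256 hash. The script below is an added example, not code from the poster or from Microsoft, showing the same evidence-preservation workflow end to end: it builds a small constructed directory tree that mimics the nested node_modules layout described (the package names are taken from the post; the versions, paths and contents are made up for the demo), inventories every package.json under it so the unexpected packages can be listed by name and version, archives the tree, records a hash file beside the archive, and re-verifies the archive against that hash. The work directory under /tmp is an assumption for the example; in a real investigation you would point it at the actual quarantine path and keep the hash file with the archive.

```shell
#!/bin/sh
# Added example (not from the original post): inventory a suspicious
# node_modules tree, archive it, and record/verify a SHA-256 hash so the
# evidence can be handed over and checked for tampering later.
set -eu

# Assumed scratch location for the demo; real use: the actual quarantine path.
WORK="${TMPDIR:-/tmp}/quarantine-demo.$$"

# Build a constructed sample tree resembling the layout described in the post.
# Package names come from the post; versions and JSON contents are invented.
make_sample_tree() {
  rm -rf "$WORK"
  for pkg in path-scurry cross-spawn lru-cache; do
    mkdir -p "$WORK/ms-mssql-injected/node_modules/$pkg"
    printf '{ "name": "%s", "version": "0.0.0" }\n' "$pkg" \
      > "$WORK/ms-mssql-injected/node_modules/$pkg/package.json"
  done
  # One nested dependency, as in a deeply nested node_modules folder.
  nested="$WORK/ms-mssql-injected/node_modules/cross-spawn/node_modules/shebang-command"
  mkdir -p "$nested"
  printf '{ "name": "shebang-command", "version": "0.0.0" }\n' > "$nested/package.json"
}

# Print one "name version path" line per package.json found under $1, sorted.
# The sed scan is deliberately simple: it only needs the "name"/"version"
# fields, which npm writes one per line in every package.json.
inventory_packages() {
  find "$1" -name package.json -type f | sort | while read -r f; do
    name=$(sed -n 's/.*"name": *"\([^"]*\)".*/\1/p' "$f" | head -n1)
    version=$(sed -n 's/.*"version": *"\([^"]*\)".*/\1/p' "$f" | head -n1)
    printf '%s %s %s\n' "$name" "$version" "$f"
  done
}

# Archive directory $1 into $2 and write the sha256sum line to "$2.sha256".
# Archiving from the parent directory keeps the top-level folder name intact.
preserve_evidence() {
  dir=$1; out=$2
  tar -C "$(dirname "$dir")" -czf "$out" "$(basename "$dir")"
  sha256sum "$out" > "$out.sha256"
}

# Exit status 0 only if the archive still matches the recorded hash.
verify_evidence() {
  sha256sum -c "$1.sha256" >/dev/null 2>&1
}

# Usage: build the sample, list what is in it, preserve it, then verify it.
make_sample_tree
inventory_packages "$WORK/ms-mssql-injected"
preserve_evidence "$WORK/ms-mssql-injected" "$WORK/evidence.tar.gz"
verify_evidence "$WORK/evidence.tar.gz" && cat "$WORK/evidence.tar.gz.sha256"
```

The inventory is what you would paste into a report or compare against the packages you know you installed; the hash file is what a recipient runs `sha256sum -c` against before trusting the archive, and any change to the archive after the hash was recorded makes that check fail.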