Re: Too early to say it is not, at least partially, an inside job
After MS failed and somehow allowed a signing key for mail of high-up government officials to be captured, Microsoft reported it was unclear how the threat actor discovered they could take advantage of the issue to forge tokens that worked for both consumer and enterprise accounts, but Microsoft speculates they learned of the capability through trial and error. Probably after stealing a consumer key from an engineer's notebook.
However, almost 10 months after Microsoft started the investigation, the U.S. Department of Homeland Security's Cyber Safety Review Board (CSRB) stated there wasn’t any definitive evidence on how the threat actor obtained the signing key, regardless of what Microsoft previously claimed.
Binary can only report to the depth that their allotted budget allows, and they may or may not be under some pressure to lean a certain way - the aerospace company would probably prefer a simple story offering full closure with nothing dangling. The report is certainly bound to be informative - not necessarily the final word or whole truth.