Most large companies — including Microsoft [1] — have an internal affairs call center where you can anonymously report issues of malfeasance — assuming that's what happened here.
[1] https://www.microsoft.com/en-us/legal/compliance/sbc/report-...