Some time after April 2021, Storm-0558 (an APT believed to be based in China) acquired a Microsoft Services Account (MSA) signing key that granted admin access to basically every Microsoft cloud service. This key acquisition went undiscovered until June 2023, and the key was revoked shortly thereafter. It is unclear what Storm-0558 did in these two years, but it included stealing US State Department emails, and they had sufficient access and time to backdoor basically anything they wanted.
This was basically a worst-case scenario for the security of Microsoft services, and it is entirely possible that backdoors installed in the time the stolen key was working are still active today.
Read That Before You Trust Anything by Microsoft Once Again
CISA report
Analysis of Storm-0558 techniques for unauthorized email access | Microsoft Security Blog