I'm maybe naive in assuming that there is some kind of investigation going on that isn't playing out in public, but I would assume that years of emails going through Microsoft servers might make the identities of the cohorts in this attack difficult to hide?

When making sockpuppet email accounts use a plausible birth year as your numeric extension.