
Job posting has expired


Government Cloud Investigations Analyst - CTJ - TS

Microsoft
$119,800.00 - $234,700.00 / yr
United States, Texas, Irving
7000 State Highway 161
Jun 19, 2026
Overview

Within Fraud & Vetting Operations is Microsoft's global Fraud Operations function, responsible for detecting, investigating, and disrupting fraud at scale, combining incident response, threat hunting, and governance to reduce financial harm and protect Microsoft's ecosystem.

We are looking to hire a Government Cloud Investigations Analyst to join our Fraud & Vetting Operations (FVO) team, where you will be responsible for conducting high-impact investigations into fraud, abuse, and security incidents within U.S. Government cloud environments (e.g., Azure Government, GCC, GCC High, DoD).

This role operates in a high-trust, regulated environment, requiring strict adherence to federal compliance frameworks (e.g., CJIS, FedRAMP, DoD SRG) while delivering audit-defensible, evidence-based investigative outcomes that protect government customers, national interests, and Microsoft services.

As a Government Cloud Investigations Analyst, you will operate within a fraud-first, threat-actor-informed model, partnering with engineering, legal, compliance, and government stakeholders to detect, investigate, and remediate sophisticated threats.

At Microsoft, our mission to empower every person and every organization on the planet to achieve more guides how we partner with customers to deliver trusted, impactful solutions. With a growth mindset culture, we innovate responsibly and measure success by shared progress, people, teams, and customers. Join us to do meaningful work that changes the world and helps shape what's next for everyone.



Responsibilities

1. Investigations & Analysis

  • Conduct deep-dive investigations into:
    • Fraud-from-birth tenants, account compromise, abuse of government cloud resources
    • Insider risk, misuse of privileged access, and policy violations within regulated environments
  • Correlate signals across identity, billing, telemetry, and cross-tenant activity to reconstruct attack timelines and determine root cause
  • Differentiate fraud vs. compromise vs. legitimate activity using structured decision frameworks and evidence correlation

2. Incident Response & Escalation

  • Own or support Sev-1 / Sev-2 incidents within Government cloud environments
  • Execute containment actions:
    • Account disablement, service restrictions, tenant isolation, enforcement actions
  • Coordinate with:
    • Legal, Privacy, Engineering, and Federal engagement teams
  • Provide executive-ready risk assessments and case summaries for high-visibility incidents

3. Case Ownership & Operational Excellence

  • Manage investigations end-to-end:
    • Intake → Investigation → Containment → Documentation → Closure
  • Ensure SLA adherence (time-to-contain, response timelines, throughput)
  • Maintain high-quality, audit-ready documentation aligned to policy and compliance standards
  • Serve as final decision authority for investigative disposition in assigned cases

4. Threat Hunting & Proactive Detection

  • Identify emerging fraud patterns and adversary modus operandi (MO)
  • Partner with threat hunting teams to:
    • Surface unknown threats
    • Validate detection gaps
    • Feed improvements into detection systems
  • Contribute to proactive investigation strategies across Gov Cloud workloads

5. Process, Policy & Continuous Improvement

  • Develop and refine Standard Operating Procedures (SOPs)
  • Improve:
    • Investigation quality standards
    • Decision frameworks
    • Automation opportunities
  • Ensure consistent application of:
    • Enforcement policies
    • Audit defensibility standards
    • Cross-team operational discipline

6. Cross-Functional Collaboration

  • Work across:
    • Engineering (detections, telemetry, automation)
    • Legal & Compliance (regulatory alignment, enforcement authority)
    • Government stakeholders (data governance, access, escalation)
  • Act as a subject matter expert (SME) for fraud investigations within Government cloud environments

7. Other

  • Embody our culture and values


Qualifications

Required/Minimum Qualifications

  • Bachelor's Degree in Statistics, Mathematics, Computer Science, or related field AND 4+ years experience in software development lifecycle, large-scale computing, threat modeling, cyber security, anomaly detection, Security Operations Center (SOC) detection, threat analytics, security incident and event management (SIEM), information technology (IT), or operations incident response
    • OR Master's Degree in Statistics, Mathematics, Computer Science, or related field AND 3+ years experience in software development lifecycle, large-scale computing, threat modeling, cyber security, anomaly detection, Security Operations Center (SOC) detection, threat analytics, security incident and event management (SIEM), information technology (IT), or operations incident response
    • OR Doctorate in Statistics, Mathematics, Computer Science, or related field
    • OR equivalent experience.

Other Requirements

Security Clearance Requirements: Candidates must be able to meet Microsoft, customer and/or government security screening requirements as required for this role. These requirements include, but are not limited to the following specialized security screenings:

  • The successful candidate must have an active U.S. Government Top Secret Security Clearance. Ability to meet Microsoft, customer and/or government security screening requirements is required for this role. Failure to maintain or obtain the appropriate clearance and/or customer screening requirements may result in employment action up to and including termination.
  • Clearance Verification: This position requires successful verification of the stated security clearance to meet federal government customer requirements. You will be asked to provide clearance verification information prior to an offer of employment.
  • Microsoft Cloud Background Check: This position will be required to pass the Microsoft Cloud background check upon hire/transfer and every two years thereafter.
  • Citizenship & Citizenship Verification: This position requires verification of U.S. citizenship due to citizenship-based legal restrictions. Specifically, this position supports United States federal, state, and/or local government agency customers and is subject to certain citizenship-based restrictions where required or permitted by applicable law. To meet this legal requirement, citizenship will be verified via a valid passport, other approved documents, or a verified U.S. government clearance.
  • Criminal Justice Information Services: This position requires passing a background check conducted through the CJIS criminal justice information system by authorized local, state, and/or federal agencies.

Preferred Qualifications

  • 5+ years of experience in cybersecurity investigation and response domains:
    • Security operations, fraud investigations, incident response, threat hunting, digital forensics, or advanced investigative workflows.
  • 5+ years of experience in cloud security and government environments:
    • Azure (including Azure Government), Microsoft 365, identity systems, GCC High, or DoD cloud environments; familiarity with tenant compromise and cloud abuse patterns.
  • 5+ years of experience using investigation tooling, logs, and telemetry systems:
    • Signal correlation, hypothesis testing, timeline reconstruction, and evidence-driven analysis across large-scale datasets.
  • Knowledge and experience with threat landscape and adversary behavior:
    • Threat actors and fraud methodologies; identity abuse, tenant compromise, and cloud-based attack patterns; government incident response procedures.
  • Experience operating within regulated and compliant environments:
    • FedRAMP High, DoD SRG (IL2-IL5/6), NIST 800-53, and CJIS Security Policy; handling sensitive government or law enforcement data with strict access controls, auditability, and least privilege principles.
  • Demonstrated core professional competencies:
    • Evidence-based decision making, analytical rigor, and the ability to perform in ambiguous, high-pressure environments; clear written and verbal communication for technical and executive audiences; track record of delivering high-quality investigations, improving detection accuracy, and driving scalable operational practices.


Security Operations Engineering IC4 - The typical base pay range for this role across the U.S. is USD $119,800.00 - $234,700.00 per year. There is a different range applicable to specific work locations, within the San Francisco Bay area and New York City metropolitan area, and the base pay range for this role in those locations is USD $160,200.00 - $261,000.00 per year.

Certain roles may be eligible for benefits and other compensation. Find additional benefits and pay information here:
https://careers.microsoft.com/us/en/us-corporate-pay

This position will be open for a minimum of 5 days, with applications accepted on an ongoing basis until the position is filled.

Microsoft is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to age, ancestry, citizenship, color, family or medical care leave, gender identity or expression, genetic information, immigration status, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran or military status, race, ethnicity, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable local laws, regulations and ordinances. If you need assistance with religious accommodations and/or a reasonable accommodation due to a disability during the application process, read more about requesting accommodations.
