What is it with these large companies ignoring serious security issues while paying attention to smaller ones? I reported something to Facebook that was a moderate privacy concern and got a bug bounty. A few months later, I discovered that I could make Facebook falsely report the domain that a posted URL goes to, and they denied that it was even a bug. So I could share a URL on mydomain.com, customize the contents of the share posting ("Obama says he's going to nuke Russia"), and Facebook would show users in the post that the link goes to Whitehouse.gov or CNN.com or any other domain I choose.
This still works perfectly.
These companies really need to take a look at the analytical abilities of those they are employing to screen bug reports.
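The commenter does not say how the displayed domain was swapped; a common way a link preview can end up showing a domain other than the one actually shared is when the preview trusts page-supplied metadata such as the Open Graph `og:url` tag. The following is an added defender-side check (not the commenter's code; the `og:url` mechanism and the sample HTML are assumptions) that derives the displayed host from the shared URL only and flags any page whose metadata claims a different host.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _OGParser(HTMLParser):
    """Collect <meta property="og:..." content="..."> tags from an HTML page."""

    def __init__(self):
        super().__init__()
        self.og = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop = a.get("property", "") or ""
        if prop.startswith("og:") and a.get("content") is not None:
            self.og[prop] = a["content"]


def extract_og(html):
    p = _OGParser()
    p.feed(html)
    return p.og


def _norm_host(url):
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def preview_host(shared_url, html):
    """Return (host_to_display, mismatch).

    The displayed host is always taken from the URL that was actually shared,
    never from page metadata. og:url is consulted only to detect a page that
    claims to live on a different domain, so such previews can be flagged."""
    actual = _norm_host(shared_url)
    og = extract_og(html)
    claimed = _norm_host(og.get("og:url", shared_url))
    return actual, claimed != actual


# Constructed sample: a page on one domain whose og:url claims another.
SPOOFED_HTML = """<html><head>
<meta property="og:title" content="Breaking news">
<meta property="og:url" content="https://news.example.org/story/1">
</head><body>...</body></html>"""

# Constructed sample: metadata consistent with the shared URL.
HONEST_HTML = """<html><head>
<meta property="og:url" content="https://www.mydomain.example/post/7">
</head><body>...</body></html>"""
```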
"Brian" probably looked into it, knowing that obscurity != security, but got a response back from the group responsible that this was the way they intended it to work, and that group's management wasn't going to do anything about it. "Brian" may have even put messages in the right ear up the management chain such that it would actually affect the outcome.
The fact that the email exchange lasted 2 months before "Brian" said "Sorry, not a case." probably means that "Brian" was trying to make it happen and had actually done an analysis.
* Note: I'm NOT Brian. I've never worked for Microsoft.