Threat Actors may add additional roles or permissions to Threat Actors-controlled cloud account to maintain persistent access to a tenant. For example, Threat Actors may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.