AZT507.3 - External Entity Access: Subscription Hijack
An adversary may transfer a subscription from a target tenant to an attacker-controlled tenant. The subscription retains the billing account set up by the target, and the target tenant's administrators no longer have control over the subscription.
Resource
Azure Subscription
Actions
The "Owner" role is needed to complete the transfer.
Examples
Detections
Detection Details
- A policy can be placed on the subscription to prevent transfers: https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/manage-azure-subscription-policy
- The logs for the subscription are transferred with the subscription.
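
Because the logs leave with the subscription, checking that the transfer policy above is actually in force is the control a defender can verify ahead of time. The following is an added example, not code from this page or from Microsoft: it audits a subscription policy document for settings that would still allow a transfer out of the tenant. The property names are those of Azure's `Microsoft.Subscription/policies/default` resource rather than anything stated on this page, and the sample document, GUIDs and allowlist are constructed.

```python
import json

# Constructed sample of a tenant subscription policy document. Property names
# follow the Microsoft.Subscription/policies/default resource; the GUIDs are
# placeholders, not real principals.
SAMPLE_POLICY = json.loads("""
{
  "name": "default",
  "type": "Microsoft.Subscription/policies",
  "properties": {
    "blockSubscriptionsLeavingTenant": false,
    "blockSubscriptionsIntoTenant": true,
    "exemptedPrincipals": [
      "00000000-0000-0000-0000-000000000001",
      "00000000-0000-0000-0000-000000000002"
    ]
  }
}
""")

# Hypothetical allowlist: principals the organisation has approved to move
# subscriptions despite the policy.
APPROVED_EXEMPTIONS = {"00000000-0000-0000-0000-000000000001"}


def audit_transfer_policy(policy, approved_exemptions=frozenset()):
    """Return a list of findings; an empty list means transfers out are blocked."""
    if not policy:
        return ["no subscription policy found: transfers out are not blocked"]
    props = policy.get("properties") or {}
    findings = []
    # A missing key is treated like False: the block is not in force.
    if props.get("blockSubscriptionsLeavingTenant") is not True:
        findings.append("blockSubscriptionsLeavingTenant is not enabled")
    # Exempted principals bypass the block, so each one must be accounted for.
    approved = {p.lower() for p in approved_exemptions}
    for principal in props.get("exemptedPrincipals") or []:
        if principal.lower() not in approved:
            findings.append(f"unapproved exempted principal: {principal}")
    return findings


if __name__ == "__main__":
    for finding in audit_transfer_policy(SAMPLE_POLICY, APPROVED_EXEMPTIONS):
        print("FINDING:", finding)
```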