AZT507.3 - External Entity Access: Subscription Hijack#
An adversary may transfer a subscription from a target tenant to an attacker-controlled tenant. This retains the billing account setup by the target and the target tenant administrators will no longer have control over the subscription.
The "Owner" role is needed to complete the transfer.
A policy can be placed on the subscription to prevent transfers. https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/manage-azure-subscription-policy
The logs for the subscription are transfered with the subscription