Once a subscription is created, the guest user gains “Owner” rights over it. According to BeyondTrust, this elevated privilege enables them to deploy resources, assign roles, and potentially escalate their access, posing a significant threat to the tenant’s security posture.
The ability to create and control subscriptions potentially allows malicious actors to maintain persistence within the environment. They can leverage this position to move laterally, access sensitive data, or disrupt services.
To defend against this attack vector BeyondTrust recommended a number of actions on top of leveraging the optional Microsoft control to block the transfer of subscriptions. These actions include auditing all guest accounts, hardening guest controls, monitoring all subscriptions, and auditing device access.
