This technique is an extension of the MITRE ATT&CK matrix and represents an attacker abusing permissive third-party identities.

An example of this technique include attackers being able to invite additional identities as guests into a compromised cloud estate for persistence. These identities could take the form of a third party account such as a Gmail account. If invited guests are automatically added to any groups, and these groups are overly permissive, they could allow for privilege escalation. Attackers being able to invite users or register applications from a different tenant into their own could lead to trouble for the invite tenant. If users accidently log into an attacker owned tenant or attackers run applications in their tenant, they could in theory have more control over how the identities behave while in their tenant.

Mitigations: Ensure that permissions granted to the third party are not overly permissive. Efforts should be made to ensure that the invitation and trust mechanisms provided by the cloud service provider are also set up correctly and are not themselves, also, overly permissive.