- Compromise a privileged account within the victim tenant (e.g., Global Administrator or Security Administrator).
- Establish inbound synchronization from an attacker-controlled tenant to the victim tenant.
- Provision malicious accounts within the victim tenant as needed.
- Maintain persistence and potentially move laterally across connected tenants.