Microsoft not only can't cloud, they actually can't. Like not anything at all.
https://media.ccc.de/v/38c3-from-simulation-to-tenant-takeover
From Simulation to Tenant TakeoverThen I tried building a phishing simulation program myself and the last thing I needed was to allowlist my IP address in Exchange Online.
I ended up in a rabbit hole where I discovered that Microsoft outsourced their support department to a Chinese company that wanted all my access tokens.
I then tried intercepting client-side requests made by the Security & Compliance center with the goal of replaying these to a backend API, only to discover that by fiddling with some parameters I could now hijack remote PowerShell sessions and access Microsoft 365 tenants that were not mine. Tenants where I could now export everything, e-mail, files, etc.