CISA has evidence on ongoing APT activity in cloud environments as a result of recent widespread compromises.  They have released details of this activity as well as ways to detect and monitor for it in cloud environments.  See the link below for more details on how to monitor your cloud environments for this type of APT traffic.

https://us-cert.cisa.gov/ncas/current-activity/2021/01/08/cisa-releases-new-alert-post-compromise-threat-activity-microsoft