Access From Dormant Account

Adversaries often target dormant accounts that belong to users who no longer work at a victim organization, but whose accounts still have access to the system.

If a malicious actor gains access to a dormant account, they can access whatever the user previously had access to and/or make changes to the account to maintain persistence in the environment.

Since these accounts are dormant, the true account owner will not notice that a password or MFA factor is no longer working properly and the adversary can stay in the system undetected.

Recommended Actions

Please investigate to ensure this sign in is legitimate. If the account should no longer be in use, delete the account.

Consider reviewing the list of failing users on a weekly basis or setting up a notification target to receive alerts on new failures.

Default Check Settings

Number of days inactive: 30 days Evaluation period for successful sign in: 7 days





Google Workspace

Microsoft Entra ID



Last updated