# Inactive Account Probing

Identifies users who experience a sudden surge in failed login attempts after an extended period of inactivity, which could indicate a potential account takeover attempt.

A user will fail this check if they have been inactive for 30 or more days and encounter at least 2 account probing attempt(s).

#### **Recommended Actions**

Check if the username was in any known data breaches. Prioritize investigating and remediating users without MFA enabled on their accounts, as they are at the highest risk. If an attacker successfully guesses or obtains their password, they can gain access without needing a second form of authentication.

To remediate, start by initiating an access review with the user’s manager to confirm whether the dormant account is still needed. If the probed account is no longer required, deprovision it at the identity source. If the account is still needed (ex: user on leave), disable it at the identity source.

If the probed account is no longer required, deprovision it at the identity source. If the account is still needed (ex: user on leave), disable sign-in's at the identity source.

Otherwise, continue monitoring the account for activity and suspend it after a grace period if inactivity persists. Investigate the source(s) of failed login attempts and update geo-blocking rules if needed.

#### **Default Check Settings**

Number of days: 30

Account probing threshold: 2

#### **Compatibility**

[Microsoft Entra ID](/integrations/azure-active-directory-integration.md)

[Okta](/integrations/okta-data-integration.md)

[Google Workspace](/integrations/google-workspace-integration.md)

<figure><img src="/files/vKgocu2ISJ8qMsfiMHr2" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.oort.io/understanding-check-failures/oort-insights/identity-posture-management-insights/inactive-account-probing.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.