# Access From Dormant Account \ Detects Priority Accounts who have successfully signed in via one or more integration instances in the last 30 days \[default setting] despite not having a successful sign in across all integration instances in the last 1 day(s) \[default setting].\ New accounts that were created in the last 7 days \[default] will not be evaluated against this check. Accounts from newly configured integration instances will also not be evaluated against this check for 7 days. Adversaries often target dormant accounts that belong to users who no longer work at a victim organization, but whose accounts still have access to the system. If a malicious actor gains access to a dormant account, they can access whatever the user previously had access to and/or make changes to the account to maintain persistence in the environment. Since these accounts are dormant, the true account owner will not notice that a password or MFA factor is no longer working properly and the adversary can stay in the system undetected. **Recommended Actions** Please investigate to ensure this sign in is legitimate. If the account should no longer be in use, delete the account. Consider reviewing the list of failing users on a weekly basis or setting up a notification target to receive alerts on new failures. **Default Check Settings** Number of days inactive: 30 days\ Evaluation period for successful sign in: 1 days **Compatibility** [AWS](/integrations/aws.md) [Duo](/integrations/duo-security-integration.md) [Github](/integrations/github.md) [Google Workspace](/integrations/google-workspace-integration.md) [Microsoft Entra ID](/integrations/azure-active-directory-integration.md) [Okta](/integrations/okta-data-integration.md) [Salesforce](/integrations/salesforce-integration.md) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.oort.io/understanding-check-failures/oort-insights/identity-threat-detection-insights/access-from-dormant-account.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.