Insider Threat Matrix™Insider Threat Matrix™
  • ID: IF039
  • Created: 07th July 2026
  • Updated: 07th July 2026
  • MITRE ATT&CK®: T1078T1078.001T1078.002T1078.003T1078.004
  • Contributor: The ITM Team

Unauthorized Account Access

Unauthorized Account Access occurs when a subject accesses, authenticates to, or uses an account they are not permitted to access. This includes accounts assigned to another person, accounts retained after the subject’s authorization has ended, accounts outside the subject’s approved role or duties, or accounts accessed through credentials obtained without legitimate approval.

 

This behavior may involve the use of passwords, authentication tokens, session cookies, multi-factor authentication approvals, SSH keys, API keys, service credentials, or other identity-bound access mechanisms. The account may belong to a colleague, manager, administrator, service account, contractor, former role, shared operational identity, or other identity not authorized for the subject’s use.

 

Unauthorized Account Access undermines identity assurance, access governance, and investigative attribution. Activity performed under the accessed account may appear to originate from the authorized account holder or from a legitimate organizational identity, creating ambiguity around responsibility and weakening the evidentiary value of account-based logs. The behavior may enable data access, privilege misuse, unauthorized changes, financial activity, administrative action, exfiltration, sabotage, or other infringements.

 

This infringement is not defined by how the subject obtained the means of access. Credentials may have been discovered in a file, ticket, message, password manager, source code repository, browser store, shared document, or physical note; obtained through observation, coercion, social engineering, brute force, or informal disclosure; or retained due to incomplete offboarding, role change, or access revocation. The defining behavior is that the subject uses an account or identity mechanism outside the scope of their authorization.

Subsections (5)

ID Name Description
IF039.002Access to a Retained Former Account

A subject accesses or uses an account that was previously issued to them by the organization but is no longer authorized for their use. This may occur after employment has ended, a contract has expired, a role has changed, a project has concluded, or access has otherwise ceased to be permitted.

 

This behavior may involve the subject using retained credentials, active sessions, multi-factor authentication enrollment, recovery options, device trust, federated access, cached authentication material, or connected service access after authorization has ended. The defining behavior is that the subject continues to access an account that they were once permitted to use but are no longer authorized to access.

IF039.005Illicit Access to a Dormant or Orphaned Account

A subject accesses or uses an account that is inactive, abandoned, ownerless, misassigned, or no longer clearly linked to an authorized individual or business function. This may include accounts belonging to former personnel, legacy applications, inactive contractors, deprecated systems, unmanaged test identities, or accounts that remain active despite no current operational owner.

 

This behavior may involve the subject independently identifying and using an account that still authenticates but is no longer actively managed, monitored, or assigned for legitimate operational use. The defining behavior is that the subject uses an account whose continued availability does not represent authorization for the subject to access it.

IF039.004Illicit Access to a Privileged Account

A subject accesses or uses a privileged, administrative, or elevated account without being assigned, delegated, approved, or authorized to use that account. This may include domain administrator accounts, local administrator accounts, cloud administrator roles, database administrator accounts, security tool administrator accounts, root accounts, break-glass accounts, or other identities with elevated system or data access.

 

This behavior may involve the subject independently obtaining or using privileged credentials, administrative tokens, active sessions, SSH keys, emergency access material, privileged access management credentials, or other elevated authentication mechanisms. The defining behavior is that the subject performs activity through a privileged account that has not been authorized for their use.

IF039.003Illicit Access to a Service Account

A subject accesses or uses a service account, automation account, application identity, deployment account, or other non-personal account without being assigned, delegated, approved, or operationally authorized to use it. These accounts are typically created for system, application, administrative, automation, or integration functions rather than direct individual use.

 

This behavior may involve the subject independently obtaining or using credentials, keys, tokens, secrets, certificates, stored authentication material, or configuration artifacts associated with the service account. The defining behavior is that the subject uses a non-personal account outside the scope of any approved role, workflow, or administrative process.

IF039.001Illicit Access to Another Person’s Account

A subject accesses or uses an account assigned to another individual without being provided, delegated, shared, or approved access to that account. The account may belong to a colleague, manager, administrator, contractor, service desk analyst, executive, or other member of the organization’s population.

 

This behavior may involve the subject independently obtaining or using another person’s password, session token, multi-factor authentication approval, recovery mechanism, device session, browser session, SSH key, API token, or other identity-bound access mechanism. The defining behavior is that the subject performs activity through another person’s account where the account holder has not knowingly provided or authorized the subject’s use.