Insider Threat Matrix™Insider Threat Matrix™
  • ID: IF039.002
  • Created: 07th July 2026
  • Updated: 07th July 2026
  • MITRE ATT&CK®: T1078T1078.001T1078.002T1078.003T1078.004
  • Contributor: The ITM Team

Access to a Retained Former Account

A subject accesses or uses an account that was previously issued to them by the organization but is no longer authorized for their use. This may occur after employment has ended, a contract has expired, a role has changed, a project has concluded, or access has otherwise ceased to be permitted.

 

This behavior may involve the subject using retained credentials, active sessions, multi-factor authentication enrollment, recovery options, device trust, federated access, cached authentication material, or connected service access after authorization has ended. The defining behavior is that the subject continues to access an account that they were once permitted to use but are no longer authorized to access.