Insider Threat Matrix™Insider Threat Matrix™
  • ID: IF039.005
  • Created: 07th July 2026
  • Updated: 07th July 2026
  • MITRE ATT&CK®: T1078T1078.001T1078.002T1078.003T1078.004
  • Contributor: The ITM Team

Illicit Access to a Dormant or Orphaned Account

A subject accesses or uses an account that is inactive, abandoned, ownerless, misassigned, or no longer clearly linked to an authorized individual or business function. This may include accounts belonging to former personnel, legacy applications, inactive contractors, deprecated systems, unmanaged test identities, or accounts that remain active despite no current operational owner.

 

This behavior may involve the subject independently identifying and using an account that still authenticates but is no longer actively managed, monitored, or assigned for legitimate operational use. The defining behavior is that the subject uses an account whose continued availability does not represent authorization for the subject to access it.