TL;DR: Dormant Office 365 accounts remain common, with Varonis finding 34% of internal accounts inactive but still enabled and 88% of companies admitting they still have stale accounts in 2025, creating low-noise entry points for attackers, according to Unosecur. Periodic audits are no longer enough; continuous discovery and closed-loop remediation are now the practical baseline for identity governance.
At a glance
What this is: This analysis shows how dormant Office 365 users become hidden access paths, especially when old accounts retain privileges, lack MFA, and evade normal monitoring.
Why it matters: It matters because stale human identities behave like unmanaged non-human access from an attacker’s perspective, expanding lateral movement options across IAM, IGA, and PAM programmes.
By the numbers:
- 34% of internal accounts were inactive but still enabled across more than 130 enterprises.
- 88% of companies admit they still have stale accounts in 2025.
👉 Read Unosecur's analysis of dormant Office 365 users and identity cleanup
Context
Dormant Office 365 users are enabled identities that no longer have a clear business owner, active user, or routine monitoring path. In practice, they persist because lifecycle cleanup is slower than account creation, and because legacy access patterns outlive the people who originally needed them.
That gap matters for IAM and identity governance because stale human accounts can retain MFA exceptions, inherited group memberships, mail access, and token-based access long after they should have been removed. The result is an identity layer that looks controlled on paper but behaves like a shadow access surface in production.
Key questions
Q: How should security teams handle dormant Office 365 accounts safely?
A: Start by identifying inactivity with sign-in and token telemetry, then validate business exceptions with HR or managers. If the account is no longer needed, disable it, revoke tokens, remove group memberships, and log every action. Dormant accounts should be handled as lifecycle events, not as periodic housekeeping.
Q: Why do stale Office 365 users increase lateral movement risk?
A: Because they often retain valid access, inherited permissions, and mailbox or file sharing paths that were never re-evaluated. If an attacker compromises the account, they can blend in as a trusted identity and move through collaboration systems with less resistance than a fresh login would trigger.
Q: What do IAM teams get wrong about dormant user cleanup?
A: They focus on inactivity instead of access residue. An account can be unused and still dangerous if it keeps admin groups, delegated access, or long-lived tokens. Cleanup has to look at what the identity can still touch, not only whether someone has logged in recently.
Q: Who should own stale-account remediation in an enterprise?
A: IAM or IGA should own the workflow, with HR and business managers supplying validation and security defining the control standard. If ownership is split too widely, accounts survive longer than they should, and attackers get more time to exploit the leftover access.
Technical breakdown
Why dormant Office 365 accounts become high-value access paths
Dormant accounts are dangerous because they often retain valid credentials, linked tokens, and group inheritance even after the user stops being active. In Microsoft 365, that can mean access to Exchange, OneDrive, Teams, and downstream SaaS integrations through a single identity that no one is watching. If MFA was never enforced, or if the account predates current policy, the attacker gets a low-friction foothold that blends in with legitimate tenant activity. The technical problem is not only inactivity. It is the combination of validity, privilege residue, and weak observability.
Practical implication: inventory inactive identities with sign-in and token telemetry before deciding whether they should be disabled, remediated, or formally retained.
How privilege drift turns stale users into lateral movement tools
Privilege drift occurs when an account accumulates permissions over time through nested groups, shared links, delegated roles, and mailbox or drive inheritance. A dormant account can therefore become more dangerous than an actively used low-privilege account because it may carry historical access that was never re-evaluated. Once compromised, that identity can be used to harvest email, files, and collaboration data, then pivot into internal systems or connected services. That is why stale user management belongs in lifecycle governance, not just housekeeping.
Practical implication: review dormant accounts for inherited admin rights, shared resource access, and delegated permissions before any reactivation decision.
Continuous discovery and closed-loop remediation in identity cleanup
Periodic audits miss the attack window because dormant identities can be abused between review cycles. Continuous discovery uses sign-in activity, token activity, directory state, and HR signals to identify accounts that should no longer exist or should be moved into a controlled exception path. Closed-loop remediation goes further by disabling the account, revoking refresh tokens, stripping licences, removing group memberships, and recording evidence for audit. That workflow matters because manual cleanup cannot keep pace with tenant scale.
Practical implication: automate account disablement, token revocation, and evidence logging as one workflow instead of treating them as separate tasks.
Threat narrative
Attacker objective: The attacker wants a quiet, trusted identity that can be used to access communications, data, and internal pathways without triggering obvious detection.
- Entry via a dormant Office 365 user that still has valid credentials or token access and blends into normal tenant activity.
- Escalation through privilege drift, inherited group memberships, and legacy access paths that let the attacker reach mail, files, or collaboration data.
- Impact through mailbox abuse, data collection, internal pivoting, and ransomware support activity enabled by trusted identity reuse.
Breaches seen in the wild
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
- JetBrains GitHub plugin token exposure — CVE-2024-37051 in JetBrains IntelliJ GitHub plugin exposed GitHub access tokens.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Dormant human identities now function like unmanaged machine access unless lifecycle controls are continuous. A stale Office 365 account is still a live identity object, and attackers treat it that way. The governance mistake is assuming inactivity equals irrelevance, when the real risk is retained validity, inherited access, and missing ownership. Practitioners should treat dormant users as an identity lifecycle failure, not an admin backlog.
Privileged residue is the real failure mode behind stale account risk. The article points to inactive users, but the deeper issue is access that outlives the business need and accumulates over time. That is why dormant accounts can be more damaging than active accounts with tighter oversight. The practical conclusion is that access scope, not just login status, must be part of cleanup logic.
Continuous discovery is the governance baseline because identity risk changes faster than review cycles. Annual or quarterly cleanup assumes the threat surface is stable long enough to certify. It is not. Tenant scale, token persistence, and delegated access mean dormant identities can remain operational between reviews. Practitioners should move stale account handling into always-on lifecycle governance.
Identity blast radius is the right named concept for this problem. A dormant account becomes dangerous when its inherited permissions, shared links, and mailbox reach create a larger impact surface than the account’s apparent importance suggests. That blast radius is what attackers exploit after entry. Security teams should evaluate cleanup decisions by the downstream access a stale identity can still touch.
IAM, PAM, and lifecycle governance have to converge on the same control object: the account state itself. Disabling access, revoking tokens, stripping licences, and logging evidence are all parts of one control sequence. Splitting those steps across different teams creates delays that attackers can exploit. Practitioners should design a closed-loop identity response path, not a checklist of isolated actions.
From our research:
- 88% of companies admit they still have stale accounts in 2025, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, according to The State of Secrets in AppSec.
- For a broader lifecycle lens, see NHI Lifecycle Management Guide for provisioning, rotation, and offboarding controls.
What this signals
Dormant Office 365 cleanup is no longer a quarterly hygiene task. It is a lifecycle control problem, and the scale of the issue is already established: 88% of companies admit they still have stale accounts in 2025, according to The State of Secrets in AppSec. Teams that still rely on periodic audits will keep missing the window in which stale identities become usable attack paths.
Identity blast radius: the practical question is not whether an account is active, but how much downstream access it still carries. That is why lifecycle evidence, entitlement history, and token state need to be reviewed together, ideally alongside the control model in NHI Lifecycle Management Guide.
Programmes that already manage secrets, service accounts, and privileged users can reuse the same closed-loop logic for dormant human identities. The difference is the subject, not the discipline. When cleanup is linked to ownership, revocation, and evidence, the organisation gets a repeatable control instead of a one-off purge.
For practitioners
- Build continuous dormant-account discovery: Track interactive sign-in activity, token activity, and directory state together so inactive identities surface before attackers use them. Cross-check exceptions with HR, contractors, and break-glass owners before any disablement.
- Remediate stale access as one workflow: Disable the account, revoke refresh tokens, remove group memberships, strip licences, and write evidence to your audit trail in the same runbook. Treat the workflow as closed-loop remediation, not separate tickets.
- Review privilege residue before reactivation: Validate whether a dormant account still carries nested admin rights, shared mailbox access, or delegated collaboration permissions. A reactivated account should not inherit historical access by default.
- Move stale-user handling into lifecycle governance: Set ownership for dormant identities inside IAM or IGA, not as an ad hoc security cleanup task. That keeps offboarding, recertification, and access review aligned with the actual account state.
Key takeaways
- Dormant Office 365 accounts are dangerous because they remain valid identities with retained access, not because they are merely unused.
- The scale is already material, with Varonis reporting 34% inactive accounts in one study and 88% of companies still admitting to stale accounts in 2025.
- Continuous discovery plus closed-loop remediation is the control model that actually reduces attack surface, because it removes both access and identity residue together.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Dormant accounts retain unused but live access, which maps to lifecycle and rotation weaknesses. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be managed continuously, not left to periodic cleanup. |
| NIST Zero Trust (SP 800-207) | AC-4 | Continuous verification is needed because stale identities bypass static trust assumptions. |
Tie dormant-account removal to access governance and enforce least privilege across directory state.
Key terms
- Dormant account: A dormant account is an identity that still exists in the directory but is no longer actively used for normal business activity. It remains a security concern because valid credentials, delegated access, and inherited permissions can persist long after the original user has stopped logging in.
- Privilege drift: Privilege drift is the gradual accumulation of access over time as an identity inherits new groups, roles, shares, or delegated permissions. In practice, it turns stale identities into larger attack surfaces because the account often carries more reach than anyone remembers.
- Closed-loop remediation: Closed-loop remediation is a cleanup process that does not stop at detection. It disables the account, revokes tokens, removes permissions, and records evidence in one controlled workflow so the identity is no longer usable between steps.
- Identity blast radius: Identity blast radius is the amount of downstream access and operational impact an identity can still create if it is compromised or misused. For stale accounts, the blast radius is defined by inherited access, token validity, and connected systems, not by recent login activity.
What's in the full article
Unosecur's full blog covers the operational detail this post intentionally leaves for the source:
- The exact cleanup workflow for dormant Office 365 identities, including disablement, token revocation, licence removal, and group membership stripping.
- The practical threshold logic for flagging inactivity, including how teams decide when 90 days is appropriate and when exceptions apply.
- The Office 365 Connector workflow mechanics that automate identity cleanup across tenant-scale directories.
- The article's own framing of how stale users contribute to ransomware exposure and insider threat risk.
Deepen your knowledge
NHI governance, machine identity security, and identity lifecycle management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org