
Sign-in Attempt with Disabled Account [RULE-1127]

This rule detects when someone attempts to sign in three or more times using an account that has been disabled by an administrator. The detection includes details about which services were targeted and which disabled accounts were used in the sign-in attempts.
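The detection described above, as an added example that is not part of the original page or the vendor's rule implementation: it groups sign-in log records by account, keeps only those blocked because the account is disabled, and raises one finding per account that reaches three attempts, listing the targeted services and source addresses. It assumes Entra ID sign-in records shaped like the Microsoft Graph `signIns` resource (`userPrincipalName`, `appDisplayName`, `ipAddress`, `createdDateTime`, `status.errorCode`) and that error code 50057 (AADSTS50057, "user account is disabled") marks such a blocked sign-in; the log records in the block are constructed sample data.

```python
"""Detect repeated sign-in attempts against disabled Entra ID accounts.

Added example; not the vendor's rule code. Assumes Microsoft Graph signIns
field names and that errorCode 50057 (AADSTS50057) means the account is
disabled. All records below are constructed sample data.
"""
from collections import defaultdict

# Assumption: AADSTS50057 is the Entra ID error code for a disabled account.
USER_DISABLED_ERROR = 50057
# Assumption: AADSTS50126 is the code for a wrong username or password.
INVALID_CREDENTIALS_ERROR = 50126
THRESHOLD = 3  # the rule fires at three or more attempts per disabled account

# Constructed sample sign-in records (not real log data; TEST-NET addresses).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-01T08:01:00Z", "userPrincipalName": "j.doe@example.com",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.10",
     "status": {"errorCode": USER_DISABLED_ERROR}},
    {"createdDateTime": "2024-05-01T08:03:00Z", "userPrincipalName": "j.doe@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10",
     "status": {"errorCode": USER_DISABLED_ERROR}},
    # Same account with different letter case: must be counted together.
    {"createdDateTime": "2024-05-01T09:15:00Z", "userPrincipalName": "J.Doe@example.com",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "198.51.100.7",
     "status": {"errorCode": USER_DISABLED_ERROR}},
    # Single attempt: below the threshold, so no finding on its own.
    {"createdDateTime": "2024-05-01T08:10:00Z", "userPrincipalName": "a.smith@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10",
     "status": {"errorCode": USER_DISABLED_ERROR}},
    # Active account: successful sign-in and a wrong password are not in scope.
    {"createdDateTime": "2024-05-01T08:20:00Z", "userPrincipalName": "m.lee@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T08:21:00Z", "userPrincipalName": "m.lee@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.7",
     "status": {"errorCode": INVALID_CREDENTIALS_ERROR}},
]


def is_disabled_account_attempt(record):
    """True when the sign-in was blocked because the account is disabled."""
    return record.get("status", {}).get("errorCode") == USER_DISABLED_ERROR


def detect_disabled_account_signins(records, threshold=THRESHOLD):
    """Return one finding per disabled account with at least `threshold` attempts.

    Each finding carries the account, the attempt count, the services that
    were targeted and the source IPs, which is the detail the analyst needs
    for the follow-up steps.
    """
    per_account = defaultdict(list)
    for rec in records:
        if is_disabled_account_attempt(rec):
            # Normalise the UPN so case variants of one account are grouped.
            per_account[rec["userPrincipalName"].lower()].append(rec)

    findings = []
    for upn, attempts in sorted(per_account.items()):
        if len(attempts) < threshold:
            continue
        attempts.sort(key=lambda r: r["createdDateTime"])
        findings.append({
            "account": upn,
            "attempt_count": len(attempts),
            "services": sorted({r["appDisplayName"] for r in attempts}),
            "source_ips": sorted({r["ipAddress"] for r in attempts}),
            "first_seen": attempts[0]["createdDateTime"],
            "last_seen": attempts[-1]["createdDateTime"],
        })
    return findings


if __name__ == "__main__":
    for finding in detect_disabled_account_signins(SAMPLE_SIGNINS):
        print(finding)
```

Lowering `threshold` shows the trade-off the rule makes: at a threshold of 1 the single attempt against `a.smith@example.com` would also surface, which catches an earlier stage of credential testing at the cost of more noise from stale automated processes.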

Rationale

When an account is disabled in Microsoft Entra ID, it typically means the user has left the organization, the account has been decommissioned, or it was disabled as part of a security response. A sign-in attempt against a disabled account indicates that someone still possesses valid credentials for that account and is actively trying to use them.

This is a significant security signal for several reasons. If the account was disabled as part of an employee offboarding process, repeated sign-in attempts may indicate that a former employee is trying to regain access -- possibly with malicious intent. If the account was disabled during a security incident, sign-in attempts suggest that the attacker still has the credentials and is testing whether access has been fully revoked. This technique relates to MITRE ATT&CK T1078 (Valid Accounts), where adversaries attempt to use legitimate credentials to access systems.

The fact that someone knows a valid password for a disabled account is itself concerning. It may indicate that the password was leaked, shared, or obtained through phishing or credential stuffing. Even though the sign-in is blocked because the account is disabled, the underlying credential exposure represents a risk -- especially if the same password is reused on other accounts.

Follow-up

Follow these steps to adequately address this detection:

  1. Identify the disabled account(s) and the services targeted in the sign-in attempts. Determine when and why the account was originally disabled, and whether the sign-in attempts can be attributed to legitimate activity.

    • If no: The sign-in attempts are not attributable to legitimate activity (e.g., a former employee or automated system):

      1. Investigate the source IP addresses and locations of the sign-in attempts via the Entra admin center sign-in logs to determine the origin of the attempts.
      2. Check whether the credentials for the disabled account may have been leaked. Review breach databases and recent phishing campaigns targeting your organization.
      3. If the password is known to be compromised, ensure it is not reused on any active accounts in the organization. Prompt password changes for any accounts with identical or similar credentials.
      4. If the sign-in attempts indicate a targeted attack or the source cannot be identified, contact Attic for incident response support for further investigation.
    • If yes: The sign-in attempts can be explained (e.g., an automated process or service that was not updated after the account was disabled):

      1. Update the automated process or service to use a valid account or remove the dependency on the disabled account.
      2. If the attempts are from a former employee who may not be aware of the account disablement: no further action needed, but continue to monitor. Close the incident.

More information