The disabled account that was not disabled

Disabling an account is not the same as removing access, and in M365 incomplete offboarding leaves hidden risk behind



Offboarding gaps create silent exposure

In complex environments such as Microsoft 365, offboarding is rarely a single action. It is a sequence of dependent controls across identity, active sessions, licensing, mailbox configuration, group membership, and administrative roles.

Disablement at the directory level (blocking sign-in on the Entra ID account) does not mean de-provisioning is complete.

Residual access often remains:

  • Active mailboxes with delegated permissions, SendAs grants or forwarding rules
  • Sessions and refresh tokens already issued, which a sign-in block alone does not guarantee to tear down
  • Persistent group memberships
  • Assigned licenses tied to active services
  • Privileged roles not removed during termination, including PIM-eligible assignments
  • Conditional Access policies that still reference the identity, including exclusions

Each overlooked element represents latent exposure.

When login activity resumed, it was not due to technical sophistication. It was the result of incomplete process discipline. A control was assumed to be executed fully. It was not validated.

For executive leadership, offboarding is not an administrative workflow. It is a risk containment mechanism. It directly affects insider threat mitigation, regulatory compliance, audit defensibility, and breach exposure.

Terminated identities that retain partial access create ambiguity in accountability. If activity occurs, is it malicious intent, credential reuse, or simple process failure?

The longer residual access persists, the greater the potential impact.

Effective offboarding requires:

  • Immediate identity disablement, followed by revocation of active sessions and refresh tokens
  • Removal of all privileged roles, both active and eligible
  • Removal from groups that grant access
  • License revocation where appropriate, after any required mailbox retention step
  • Verification of mailbox and data access state
  • Documented confirmation that de-provisioning is complete
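The steps above can be turned into a check that produces evidence rather than an assumption. The following PowerShell script is an added example, not code from the original post or from CySecPros. It uses the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module to inspect one identity for each residual-access item listed above and writes the result to a JSON file. The $Upn parameter, the permission scopes, and the report file name are assumptions; the operator running it needs the corresponding admin rights. By default it only reports; the -Remediate switch performs the removals.

```powershell
# Added example (not from the original post or CySecPros): verify, and optionally
# complete, de-provisioning of one Microsoft 365 identity, then write the evidence.
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and
# the operator holds the admin rights behind the scopes below. $Upn and the output
# file name are placeholders.
param(
    [Parameter(Mandatory)] [string] $Upn,
    [switch] $Remediate   # without this switch the script only reports
)

$scopes = @(
    'User.ReadWrite.All', 'GroupMember.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory', 'RoleEligibilitySchedule.Read.Directory'
)
Connect-MgGraph -NoWelcome -Scopes $scopes
Connect-ExchangeOnline -ShowBanner:$false

$user     = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, AccountEnabled
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Identity disablement. A sign-in block stops new token issuance; it does not
#    by itself tear down sessions already established, so revoke those as well.
if ($user.AccountEnabled) {
    $findings.Add('Account still enabled (sign-in not blocked)')
    if ($Remediate) { Update-MgUser -UserId $user.Id -AccountEnabled:$false }
}
if ($Remediate) { Revoke-MgUserSignInSession -UserId $user.Id | Out-Null }

# 2. Privileged roles: active directory-role membership and PIM-eligible assignments.
$memberOf = Get-MgUserMemberOf -UserId $user.Id -All
$roles    = $memberOf | Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.directoryRole' }
$groups   = $memberOf | Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group' }
foreach ($r in $roles) {
    $findings.Add("Active directory role: $($r.AdditionalProperties.displayName)")
    if ($Remediate) { Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $r.Id -DirectoryObjectId $user.Id }
}
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All -Filter "principalId eq '$($user.Id)'"
foreach ($e in $eligible) {
    # Eligibility survives a sign-in block; it has to be removed in PIM.
    $findings.Add("PIM-eligible role definition: $($e.RoleDefinitionId)")
}

# 3. Group memberships. Dynamic and on-premises-synced groups cannot be edited
#    here, so record the failure instead of silently assuming removal.
foreach ($g in $groups) {
    $findings.Add("Group membership: $($g.AdditionalProperties.displayName)")
    if ($Remediate) {
        try   { Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id }
        catch { $findings.Add("Could not remove from group $($g.Id): $($_.Exception.Message)") }
    }
}

# 4. Licenses keep the mailbox and services alive. If mail must be retained,
#    convert the mailbox to shared before removing the license; group-based
#    license assignments must be removed from the group, not the user.
$licenses = Get-MgUserLicenseDetail -UserId $user.Id
foreach ($l in $licenses) { $findings.Add("License assigned: $($l.SkuPartNumber)") }
if ($Remediate -and $licenses) {
    Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses @($licenses.SkuId) | Out-Null
}

# 5. Mailbox state: delegates, SendAs grants and forwarding all survive a sign-in block.
$mbx = Get-EXOMailbox -Identity $Upn -Properties ForwardingSmtpAddress, ForwardingAddress -ErrorAction SilentlyContinue
if ($mbx) {
    Get-EXOMailboxPermission -Identity $Upn |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { $findings.Add("Mailbox delegate: $($_.User) [$($_.AccessRights -join ',')]") }
    Get-EXORecipientPermission -Identity $Upn |
        Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { $findings.Add("SendAs granted to: $($_.Trustee)") }
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings.Add("Mail forwarding set: $($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)")
    }
}

# 6. Documented confirmation: the report is the evidence that de-provisioning was
#    verified, not merely requested. A non-zero exit keeps residual access visible.
$report = [pscustomobject]@{
    User       = $Upn
    CheckedAt  = (Get-Date).ToUniversalTime().ToString('o')
    Remediated = [bool]$Remediate
    Findings   = $findings
}
$report | ConvertTo-Json -Depth 3 | Set-Content -Path ".\offboarding-evidence-$($user.Id).json"
if ($findings.Count -eq 0) { Write-Host "De-provisioning verified for $Upn"; exit 0 }
if ($Remediate) { Write-Warning "Remediated $($findings.Count) items for $Upn; re-run without -Remediate to confirm" }
else            { Write-Warning "Residual access found for $Upn ($($findings.Count) findings); see report" }
exit 1
```

Run it once without -Remediate to see what a "disabled" account still holds, once with -Remediate, and then a final time without it; only that last clean run, with its JSON report, is the documented confirmation the list above asks for. Conditional Access exclusions are not enumerated here because policies reference users by object ID in their own configuration rather than through the user object, so they are best reviewed from the policy side.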

Offboarding is not a checklist to complete.

It is a control mechanism to enforce.

Because access that is assumed to be removed, but is not verified, remains access.

Concerned about whether your offboarding process fully eliminates privileged exposure in your M365 environment? Contact us for a confidential review of identity lifecycle controls and administrative risk.

Reference cases - why it matters:

1. U.S. State Government Network Breach (Former Employee Credentials) - 2024

A U.S. state government environment was compromised when attackers logged in using credentials belonging to a former employee whose account still had VPN access enabled.

  • Entry point: ex-employee credentials
  • Access method: VPN authentication
  • Result: internal systems accessed and data later posted on the dark web
  • Root issue: account and remote access privileges not fully revoked after departure

Relevance:

Textbook version of the scenario described:

  • Identity assumed inactive
  • Residual access remained via VPN
  • External actors reused valid credentials

The breach occurred without advanced exploitation — simply by logging in.

2. NCS / Singapore IT Services – Ex-Employee Deleted 180 Servers

A terminated employee at Singapore IT services firm NCS retained administrative access after dismissal.

  • Action: deleted 180 virtual servers
  • Damage: ~$918,000 in losses
  • Root cause: termination occurred before access removal was verified

Relevance

This demonstrates a privileged role not removed during offboarding, which is one of the exact control failures highlighted.

The attacker did not “hack” the environment — they used legitimate access that should have been revoked.

CySecPros

Concerned about governance gaps and exposure risk?

Strengthen your session and control framework - contact CySecPros for a confidential discussion.