Threat actors increasingly exploit “orphaned” Active Directory (AD) service accounts: logins originally created for legacy apps, test scripts or scheduled tasks that remain active with non-expiring passwords. Because these non-human accounts sit outside normal user-lifecycle reviews, they often escape audits and accumulate dangerous permissions. An early-2024 botnet campaign against Microsoft 365 showed how attackers can bypass MFA by abusing outdated basic authentication and spraying passwords against forgotten service accounts. Recommended mitigations include: discovering and inventorying every service account; enforcing least-privilege access; switching to managed or group-managed service accounts with automatic password rotation; disabling interactive log-ins; placing accounts in dedicated OUs; and auditing use and permissions regularly.

Service accounts in Active Directory are meant to let applications, scripts or services run smoothly behind the scenes. The problem? Many linger long after their original purpose, still enabled and sporting passwords that never expire. These “orphaned” accounts are invisible to most routine checks, making them perfect stepping-stones for attackers.

Why You Should Worry

Unseen entry points – Old service accounts rarely trigger alerts yet provide valid credentials for lateral movement.

Privilege creep – Permissions pile up over time, quietly turning low-risk accounts into domain-wide threats.

Real-world breaches – A 130,000-device botnet in 2024 targeted Microsoft 365 service accounts, sidestepping MFA via basic authentication.

How to Find and Fix Them

Discover what you have – Query AD for accounts with service-principal names, non-expiring passwords or no recent log-ins; scan scheduled tasks and scripts for hard-coded credentials.

Apply least privilege – Remove service accounts from broad groups such as Domain Admins and grant only the permissions each task truly needs.

Use managed service accounts (MSAs/gMSAs) – AD rotates their passwords automatically, and because nobody knows the password they cannot be used for interactive log-ins.

Audit regularly – Track log-ins, permission changes and anomalies, disabling any account that is no longer required.

Segregate and label – Place service accounts in their own organisational units to simplify policy enforcement and reviews.
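The discovery step above, worked as an added PowerShell example (not code from the original article): it inventories enabled AD users that carry an SPN or a never-expiring password, flags stale log-ins and privileged-group membership, and checks the local host's scheduled tasks for non-built-in run-as accounts. The RSAT ActiveDirectory module, the 90-day staleness threshold, the privileged-group list and the CSV path are assumptions.

```powershell
# Added example (not from the original article). Assumes the RSAT
# ActiveDirectory module and read access to the domain; the 90-day
# threshold, privileged-group list and CSV path are assumptions.
Import-Module ActiveDirectory

$StaleDays  = 90
$Cutoff     = (Get-Date).AddDays(-$StaleDays)
$PrivGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators',
              'Account Operators', 'Backup Operators', 'Schema Admins'

# Enabled user objects that look like service accounts: an SPN is registered
# or the password is set to never expire.
$Props = 'ServicePrincipalName', 'PasswordNeverExpires', 'LastLogonDate',
         'PasswordLastSet', 'MemberOf'
$Candidates = Get-ADUser -Filter 'Enabled -eq $true' -Properties $Props |
    Where-Object { $_.ServicePrincipalName.Count -gt 0 -or $_.PasswordNeverExpires }

$Report = foreach ($u in $Candidates) {
    # MemberOf lists direct membership only; nested membership and the primary
    # group are not reflected, so this under-reports rather than over-reports.
    $groups = $u.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }
    $priv   = @($groups | Where-Object { $PrivGroups -contains $_ })
    # LastLogonDate derives from lastLogonTimestamp, replicated only every
    # ~14 days, so it is coarse; a null value means no logon was ever recorded.
    $stale  = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $Cutoff)
    [PSCustomObject]@{
        SamAccountName       = $u.SamAccountName
        HasSPN               = $u.ServicePrincipalName.Count -gt 0
        PasswordNeverExpires = [bool]$u.PasswordNeverExpires
        PasswordAgeDays      = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet).Days } else { $null }
        LastLogonDate        = $u.LastLogonDate
        Stale                = $stale
        PrivilegedGroups     = $priv -join ';'
        OU                   = $u.DistinguishedName -replace '^CN=[^,]+,', ''
    }
}

# Privileged and stale accounts first: these are the ones to review today.
$Report |
    Sort-Object @{Expression = { $_.PrivilegedGroups -ne '' }; Descending = $true},
                @{Expression = 'Stale'; Descending = $true} |
    Format-Table SamAccountName, HasSPN, PasswordNeverExpires, PasswordAgeDays, Stale, PrivilegedGroups, OU -AutoSize
$Report | Export-Csv -Path .\service-account-inventory.csv -NoTypeInformation

# Local host only: scheduled tasks that run as a domain or local user rather
# than a built-in principal, a common hiding place for forgotten credentials.
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -and $_.Principal.UserId -notin 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE' } |
    Select-Object TaskName, TaskPath, @{n = 'RunAs'; e = { $_.Principal.UserId }}
```

Run the scheduled-task check on each server (for example via Invoke-Command) rather than only on the admin workstation, and treat the Stale flag as a prompt to confirm with the owning team before disabling anything.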

Bottom Line

Service accounts may be silent, but they’re far from harmless. Gaining visibility, trimming privileges and automating password hygiene turn these forgotten logins from a liability into a manageable asset—closing one more door before attackers can walk through it.