Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization
ID: 478a61a9-a1ab-5c83-bcb2-2e0d4766944f
STIX ID: report--478a61a9-a1ab-5c83-bcb2-2e0d4766944f
Feed Name: CISA Cybersecurity Advisories
**Executive summary:** CISA and MS-ISAC investigated a state government compromise in which a former employee's administrative credentials, likely obtained from a prior breach and from unsecured credentials on a virtualized SharePoint server, were used to authenticate through the organization's VPN. The actor then ran LDAP queries that enumerated domain users, hosts, and trust relationships, and produced files that were later posted for sale on a dark web site; no evidence was found of lateral movement into the organization's Azure tenant. The advisory maps the actor's TTPs to MITRE ATT&CK and recommends immediate mitigations, including disabling unnecessary admin accounts, enforcing phishing-resistant MFA, securing credential storage, auditing Azure tenant permissions, and improving logging and incident readiness.
