Reputation by Proxy: How Cybercriminals Resurrect Dormant Email Accounts to Smuggle Attacks Past Your Defenses
At some point, most Americans have abandoned an email address. Perhaps it was a college account, a work address from a former employer, or a secondary inbox created for a service that no longer exists. The instinct is to simply stop logging in and let the account fade into irrelevance. What few people consider is that an inbox left unattended is not neutral territory — it is, from a cybercriminal's perspective, a dormant asset with considerable value.
A growing body of threat intelligence suggests that attackers are systematically identifying and compromising old, low-activity email accounts specifically to exploit the reputational credibility those accounts carry. Because the underlying domain or address has never been flagged for spam, phishing, or malicious behavior, the emails they send bypass the filters that would catch a freshly registered throwaway account. The attack arrives wearing borrowed legitimacy.
Why Sender Reputation Is Both a Shield and a Vulnerability
Modern email security infrastructure leans heavily on reputation scoring. Services like Gmail, Outlook, and corporate mail gateways evaluate incoming messages against a layered set of signals: whether the sending domain passes SPF, DKIM, and DMARC authentication checks; how long the domain has been active; whether it has previously been associated with complaints or blocklists; and how recipients have historically interacted with mail from that address.
A dormant personal account at a major provider — or an old business address at a small company — often scores well on every one of those dimensions. The domain is aged. The address has sent and received legitimate correspondence for years. No complaints have been filed against it. To an automated filter, it looks like exactly the kind of trustworthy sender that should be delivered to the primary inbox.
That reputation was built legitimately. Attackers simply want to borrow it.
The Anatomy of a Dormant Account Takeover
The pipeline from abandoned inbox to active attack platform generally follows a predictable sequence.
Discovery begins with credential databases. Years of major breaches — from LinkedIn's 2012 exposure to the ongoing flood of stealer-log data circulated on dark web forums — have produced enormous repositories of username-and-password combinations. Many of those credentials belong to accounts that were active at the time of the breach but have since been neglected. Automated credential-stuffing tools allow attackers to test millions of combinations against provider login portals in a matter of hours.
Qualification follows. Not every compromised account is equally useful. Criminals prioritize addresses attached to aged domains with clean reputations, accounts that still contain authentic historical correspondence (which can be mined for social-engineering material), and addresses whose owners are unlikely to notice unauthorized access quickly — a characteristic that correlates directly with inactivity.
Weaponization is the final stage. The attacker logs in, reviews the account's existing contacts and sent-mail history, and begins crafting outbound campaigns. In some cases the goal is broad phishing — blasting thousands of recipients with credential-harvesting links. In others, the access enables a more surgical approach: impersonating a known contact to request a wire transfer, deliver a malicious attachment, or seed a conversation that builds toward a longer-running fraud.
The Deletion Window: A Race Against the Clock
Major email providers have adopted inactivity deletion policies intended, in part, to prevent exactly this kind of abuse. Google, for instance, announced in 2023 that it would begin deleting personal Google accounts — including Gmail addresses — that had been inactive for two years. Microsoft has maintained similar policies for consumer Outlook and Hotmail accounts.
The policy rationale is sound. An account no one is using is an account no one is protecting, and deletion removes the attack surface entirely.
The problem is the window between vulnerability and deletion. An account that has been inactive for eighteen months is approaching its deletion threshold but has not yet been removed. Its credentials may have been circulating in breach databases for years. An attacker who acquires and logs into that account — even briefly — resets the inactivity clock, preventing deletion and preserving access indefinitely. The very mechanism designed to eliminate dormant accounts can be subverted by the act of compromising them.
Furthermore, deletion policies apply unevenly. Accounts tied to custom domains hosted through third-party providers, old employer infrastructure, or niche services often have no inactivity policy at all. They persist indefinitely, quietly accumulating reputational credibility while their legitimate owners have long since moved on.
Why Business Accounts Carry Disproportionate Risk
While consumer inboxes represent a large volume target, dormant business email accounts present a qualitatively different threat. A former employee's address at a mid-size company — one that was never deprovisioned after their departure — carries the full domain authority of the organization. Emails sent from that address pass authentication checks tied to the company's own DNS records.
Recipients who receive a message from a familiar company domain are significantly less likely to scrutinize it. Security awareness training typically instructs people to distrust unfamiliar senders; a message from a domain they have corresponded with before triggers none of those learned skeptical reflexes. This is precisely why business email compromise schemes that leverage dormant internal accounts tend to be so effective.
IT and security teams at organizations of all sizes should treat account offboarding — the formal deactivation and deletion of email accounts when employees depart — as a security-critical process, not an administrative afterthought.
An Audit Checklist: Securing Your Dormant Accounts Before Attackers Do
The most effective defense is to eliminate dormant accounts entirely. The following steps provide a practical framework for American users conducting a personal email audit.
1. Inventory every address you have ever used. Check your password manager, browser-saved passwords, and any "welcome" emails in your current primary inbox. Old addresses from ISPs (AOL, EarthLink, Comcast), former employers, and educational institutions are common blind spots.
2. Check each account against breach databases. Services such as Have I Been Pwned (haveibeenpwned.com) allow you to enter an email address and determine whether it has appeared in known data breaches. A compromised credential attached to an account you no longer monitor is an open invitation.
3. Log in and change the password immediately. If the account still exists and you can access it, update the password to a strong, unique credential generated by a password manager. This step alone disrupts credential-stuffing attacks that rely on reused passwords from old breaches.
4. Enable multi-factor authentication wherever the provider supports it. Even a dormant account benefits from MFA. An attacker who obtains the password cannot access the account without the second factor.
5. Review account recovery options. Old accounts often have outdated recovery phone numbers or backup addresses — sometimes addresses that have themselves been abandoned or compromised. Update or remove them.
6. Delete the account if you have no ongoing need for it. Most major providers offer a formal account deletion process. Removing the account eliminates the attack surface permanently. Download any data you wish to preserve beforehand.
7. For former employers, contact IT directly. If you know that an old work address was never deprovisioned, notify the organization. They may be unaware of the exposure, and responsible disclosure is both professionally appropriate and a genuine public service.
The Broader Lesson
The dormant account threat is, at its core, a story about how digital infrastructure ages. Email addresses accumulate trust over time, and that trust does not expire when the legitimate owner stops paying attention. Attackers understand this dynamic with precision. The solution is not sophisticated — it requires neither specialized tools nor technical expertise. It requires only the discipline to treat old accounts as the liabilities they have become rather than the conveniences they once were.
Your inbox history is part of your digital identity. Leaving pieces of it unguarded is not a passive act. In the current threat environment, it is an open door.