Activity on what was previously
an inactive account is suspicious, as attackers often target unused
accounts to increase their chances of remaining undetected.
A user account which has not logged on for a year or more is authenticating
to a service via Kerberos TGT. This may mean that the account succeeded
in Kerberos pre-authentication (and has a valid TGT), or (although
less likely) that the TGT and/or the TGS were forged.
Use a compromised user
account which has not been used in a long while, and is therefore
less likely to be noticed.
the service authentication was successful.
Confirm the activity is benign, e.g. the user returned from
a long leave of absence.
Check whether you have issues with your Directory Sync Services
failing to sync data from Active Directory.
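
A sketch of the check described above, added here as an illustration and not taken from the product that raises this alert. The record fields, the two-day sync tolerance and the sample data are constructed assumptions; the one-year threshold comes from the description.

```python
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=365)  # "a year or more", per the description
MAX_SYNC_AGE = timedelta(days=2)     # assumption: tolerated directory-sync lag

# Constructed sample data, not real logs; all field names are assumptions.
LAST_LOGON = {  # account -> last logon recorded in the synced directory copy
    "svc_backup": datetime(2022, 11, 3),
    "jdoe": datetime(2024, 5, 30),
    "asmith": datetime(2023, 1, 15),
}
LAST_SYNC = datetime(2024, 6, 1, 2, 0)  # last successful directory sync
EVENTS = [  # simplified Kerberos service-ticket request records
    {"time": datetime(2024, 6, 1, 9, 12), "account": "svc_backup",
     "service": "cifs/fs01", "success": True},
    {"time": datetime(2024, 6, 1, 9, 30), "account": "jdoe",
     "service": "http/intranet", "success": True},
    {"time": datetime(2024, 6, 1, 9, 45), "account": "svc_backup",
     "service": "mssql/db02", "success": False},
    {"time": datetime(2024, 6, 5, 14, 0), "account": "asmith",
     "service": "mssql/db02", "success": True},
]


def triage(events, last_logon, last_sync):
    """Return (account, service, idle_days, verdict) for dormant accounts."""
    findings = []
    for ev in events:
        seen = last_logon.get(ev["account"])
        if seen is None:
            continue  # account unknown to the directory copy: out of scope
        idle = ev["time"] - seen
        if idle < DORMANT_AFTER:
            continue  # recently active account, nothing to flag
        if ev["time"] - last_sync > MAX_SYNC_AGE:
            # Last-logon data may be stale, so dormancy is unconfirmed.
            verdict = "check-directory-sync"
        elif ev["success"]:
            verdict = "investigate"
        else:
            verdict = "failed-request"
        findings.append((ev["account"], ev["service"], idle.days, verdict))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS, LAST_LOGON, LAST_SYNC):
        print(finding)
```

The "check-directory-sync" verdict covers the case where the last-logon value itself cannot be trusted, so the account may not be dormant at all.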