Account Discovery is reconnaissance that identifies valid user accounts, service accounts, and sometimes privileged identities inside a target environment. Attackers use it to map who exists, which names are active, and which accounts may be worth targeting next.
This matters because knowing valid accounts helps adversaries reduce noise, avoid lockouts, and focus on password attacks, phishing, token abuse, or privilege escalation. In enterprise networks, account discovery often shows up as directory queries, authentication probing, mailbox or cloud tenant enumeration, and scripted checks against identity systems. Defenders look for unusual spikes in failed logons, abnormal LDAP or Active Directory lookup patterns, suspicious API calls against identity providers, and activity from hosts that do not normally enumerate users. Detecting account discovery early can stop later stages such as lateral movement, credential stuffing, and domain compromise.
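One way to turn the "failed logons from hosts that do not normally enumerate users" signal into a check, as an added example that is not part of the original page: it flags any source host whose failed logons touch many distinct account names inside a sliding time window, skipping hosts on a known-enumerator baseline. The log format, host names, account names, and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed format): timestamp, source host, account, result.
SAMPLE_EVENTS = """\
2024-05-01T09:00:05 ws-114 alice FAIL
2024-05-01T09:01:10 ws-114 alice OK
2024-05-01T09:02:00 ws-207 aadams FAIL
2024-05-01T09:02:03 ws-207 abaker FAIL
2024-05-01T09:02:06 ws-207 aclark FAIL
2024-05-01T09:02:09 ws-207 adavis FAIL
2024-05-01T09:02:12 ws-207 svc_backup FAIL
2024-05-01T09:02:15 ws-207 administrator FAIL
2024-05-01T09:03:00 idm-sync01 aadams FAIL
2024-05-01T09:03:01 idm-sync01 abaker FAIL
2024-05-01T09:03:02 idm-sync01 aclark FAIL
2024-05-01T09:03:03 idm-sync01 adavis FAIL
2024-05-01T09:03:04 idm-sync01 aevans FAIL
"""

def parse(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole run
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2].lower(), parts[3]

def find_enumerating_hosts(text, window=timedelta(minutes=5), min_accounts=5, baseline=frozenset()):
    """Return {host: accounts seen when the threshold was first crossed} for hosts whose
    failed logons hit >= min_accounts distinct names within one sliding window."""
    failures = defaultdict(list)
    for ts, host, account, result in parse(text):
        if result == "FAIL" and host not in baseline:  # baseline = expected enumerators
            failures[host].append((ts, account))
    alerts = {}
    for host, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            names = {account for _, account in events[start:end + 1]}
            if len(names) >= min_accounts:
                alerts[host] = sorted(names)
                break
    return alerts

if __name__ == "__main__":
    print(find_enumerating_hosts(SAMPLE_EVENTS, baseline={"idm-sync01"}))
```

Counting distinct account names per source, rather than raw failure volume, separates a user mistyping one password from a host probing many names; the baseline set keeps expected enumerators such as a directory sync server from alerting.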



