
The VPN Login Continued After The Exit Meeting

The employee had already been terminated. The exit meeting was over. The laptop had been returned. Everyone believed the business risk had been contained.

Then the VPN login attempts started appearing.

This Agent Foskett briefing looks at one of the most overlooked security risks in business environments: incomplete employee offboarding. When someone leaves under difficult circumstances, every remaining access path matters — email, VPN, remote desktop, cloud sessions, shared credentials, mobile devices and anything still trusted by the organisation.

Briefing summary

A terminated employee continuing to attempt access is not only a people issue. It is an identity, remote access and operational control issue. GEMXIT looks at the access paths businesses often forget when someone leaves.

Lock down identity and sessions
Review VPN and remote access
Validate offboarding controls
🚨 The account was supposed to be gone. The access attempts were not.
Terminated employee access is not something to leave to assumptions. If offboarding misses one system, one shared credential or one persistent session, the business may still be exposed.

What happened

The situation was not theoretical. A client needed help after a former employee continued attempting to access business systems after termination.
VPN attempts continued: Remote access attempts were still appearing after the employee had left, showing that termination did not automatically remove every access path.
Email access was a concern: Mailbox access, mobile sign-ins, forwarding rules and active sessions all needed to be checked before assuming the email risk was closed.
Remote login paths mattered: Remote desktop, workstations, cached credentials and remote support tools needed review because former staff may still know how the environment works.
Saved access can survive: Remembered devices, persistent sessions, browser profiles and synced passwords can remain dangerous if session revocation is missed.
Logs became the truth: The business needed evidence of what was attempted, what was blocked and where access might still have existed.
Assumptions were the risk: The most dangerous phrase in offboarding is often “That should already be disabled.” Security needs confirmation, not hope.

The real issue was incomplete offboarding

The problem was not only the former employee. The problem was that the business needed a repeatable process to remove access everywhere, not just in the most obvious place.
Disabling email is not enough: Microsoft 365, Entra ID, VPN, local accounts, remote access tools and third-party systems may each have separate access controls.
Sessions need revocation: Accounts can be disabled while existing sessions, refresh tokens or remembered devices still need to be forced out.
Offboarding is a security control: Employee exits should be treated like a formal security process, especially when the departure is sensitive or high-risk.

First hunt: sign-in attempts after termination

When an employee has left, identity logs can help show whether access attempts continued and whether controls were actually blocking them.
terminated-user-signin-attempts.kql
// Replace user@domain.com with the terminated user's UPN and widen ago(14d)
// if the exit date is older than two weeks.
SigninLogs
| where TimeGenerated > ago(14d)
| where UserPrincipalName has "user@domain.com"
| project TimeGenerated, UserPrincipalName,
          IPAddress, AppDisplayName, ClientAppUsed,
          ConditionalAccessStatus, ResultType, ResultDescription
| order by TimeGenerated desc
What to review: Look at time, app, client type, IP address, Conditional Access result and whether attempts continued after the termination date.
Why it matters: Failed attempts still matter. They show intent, timing and which access paths the former employee believed might still work.
Best next pivot: Compare the attempts with the offboarding timestamp, VPN logs, device records, mailbox audit data and any remaining group memberships.
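As an added example of the "compare the attempts with the offboarding timestamp" pivot (this query is not part of the original briefing), the constructed Terminated table below stands in for HR or watchlist data; the UPNs, timestamps and the 30-day window are assumed values to adjust for your tenant.

```kql
// Added example: sign-in attempts that happened AFTER each leaver's termination time.
// Terminated is constructed for illustration; in Sentinel you would normally take it
// from a watchlist instead, e.g. _GetWatchlist('TerminatedUsers').
let Terminated = datatable(UserPrincipalName:string, TerminatedAt:datetime) [
    "former.employee@domain.com", datetime(2025-01-15T16:30:00Z),   // assumed value
    "second.leaver@domain.com",   datetime(2025-01-20T09:00:00Z)    // assumed value
];
SigninLogs
| where TimeGenerated > ago(30d)
| extend UserPrincipalName = tolower(UserPrincipalName)   // join keys are case-sensitive
| join kind=inner Terminated on UserPrincipalName
| where TimeGenerated > TerminatedAt                      // keep only post-exit attempts
| extend Outcome = case(
    ResultType == "0",     "SUCCESS: an access path is still open",
    ResultType == "50057", "blocked: account disabled",
    ResultType == "53003", "blocked: Conditional Access",
    ResultType == "50126", "failed: wrong credentials",
    strcat("failed: ", ResultType))
| summarize Attempts     = count(),
            Successes    = countif(ResultType == "0"),
            FirstAttempt = min(TimeGenerated),
            LastAttempt  = max(TimeGenerated),
            Outcomes     = make_set(Outcome, 10),
            Apps         = make_set(AppDisplayName, 10),
            SourceIPs    = make_set(IPAddress, 10)
            by UserPrincipalName, TerminatedAt
| extend HoursAfterExit = round(datetime_diff('minute', LastAttempt, TerminatedAt) / 60.0, 1)
// Any success after the exit is the finding; blocked attempts are still evidence of intent.
| extend Verdict = iff(Successes > 0,
                       "INVESTIGATE: successful sign-in after termination",
                       "Attempts observed but blocked")
| order by Successes desc, Attempts desc
```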

Second hunt: VPN and remote access attempts

VPN logs are often the first place businesses notice something is wrong, especially when a former employee continues trying familiar remote access paths.
vpn-and-remote-access-attempts.kql
// App display names vary by tenant: adjust the has_any terms to match how your
// VPN and remote access applications are registered in Entra ID.
SigninLogs
| where TimeGenerated > ago(14d)
| where AppDisplayName has_any ("VPN", "Remote", "RDP")
     or ClientAppUsed has_any ("Other clients", "Mobile Apps and Desktop clients")
| project TimeGenerated, UserPrincipalName,
          IPAddress, AppDisplayName, ClientAppUsed,
          ConditionalAccessStatus, ResultDescription
| order by TimeGenerated desc
What to review: Review whether VPN applications are integrated with Entra ID, protected by MFA, included in Conditional Access and removed during offboarding.
Why it matters: VPN access often provides a bridge back into internal systems. If it remains active, email disablement alone may not protect the business.
Best next pivot: Check firewall VPN users, local directory groups, RADIUS/NPS policies, Entra enterprise apps and any separate remote access portals.

Third hunt: sessions, refresh tokens and remembered devices

One of the biggest offboarding mistakes is disabling an account but forgetting active sessions and remembered devices.
active-sessions-and-remembered-devices.kql
// One row per device/client combination the user has signed in from, with the
// most recent sign-in time, so devices still active near the exit stand out.
SigninLogs
| where TimeGenerated > ago(30d)
| where UserPrincipalName has "user@domain.com"
| summarize LastSeen = max(TimeGenerated),
            Apps = make_set(AppDisplayName),
            IPs = make_set(IPAddress)
            by UserPrincipalName, DeviceDetail, ClientAppUsed
| order by LastSeen desc
What to review: Look for devices, applications and sign-in patterns that remain visible close to or after the employee exit date.
Why it matters: Persistent sessions can blur the line between account disablement and real access removal. Offboarding should include session revocation.
Best next pivot: Revoke sessions, reset passwords, remove registered devices, review MFA methods and confirm the account cannot authenticate anywhere.

Fourth hunt: mailbox rules, forwarding and file access

Former employee risk is not limited to sign-ins. Mailbox rules, forwarding, synced files and shared cloud access can continue creating exposure after the person leaves.
mailbox-rules-and-file-access.kql
// AccountDisplayName is the user's display name, not the UPN; replace "Former Employee"
// with the leaver's display name as it appears in Defender XDR.
CloudAppEvents
| where Timestamp > ago(30d)
| where AccountDisplayName has "Former Employee"
| where ActionType has_any ("FileDownloaded", "FileAccessed", "MailItemsAccessed", "New-InboxRule")
| project Timestamp, AccountDisplayName, ActionType,
          IPAddress, Application, ObjectName
| order by Timestamp desc

What should happen when an employee is terminated?

Offboarding should be treated as a security event, not only an HR task. The more sensitive the exit, the more coordinated the process needs to be.
Immediately disable identity access: Disable the account, reset the password, revoke sessions, remove MFA methods where appropriate and confirm Conditional Access blocks authentication.
Remove remote access: Disable VPN accounts, remote desktop permissions, local admin access, remote support tools and any application-specific access.
Protect email and files: Review mailbox forwarding, inbox rules, delegated access, shared mailboxes, OneDrive sync, SharePoint permissions and Teams access.
Watch the logs afterwards: The exit does not end when the account is disabled. Monitor failed sign-ins, VPN attempts, unusual file access and attempted password resets.
Review shared secrets: Change shared passwords, rotate keys, remove browser-saved credentials and check any generic accounts the employee may have known.
Document the evidence: Keep a clear timeline of termination, access removal, attempted logins, blocked activity and remediation actions taken.
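As an added example for the "watch the logs afterwards" and "document the evidence" steps (not the briefing's own query), the query below builds one ordered timeline for a single leaver by combining the Entra audit record of the removal actions with every sign-in attempt around the exit. The UPN, exit time, watch window and the list of audit operation names are assumptions to adjust for your tenant.

```kql
// Added example: one evidence timeline per leaver, from AuditLogs (what administrators
// removed) and SigninLogs (what the leaver tried), in time order around the exit.
let Target = "former.employee@domain.com";    // assumed UPN of the terminated user
let Exit   = datetime(2025-01-15T16:30:00Z);   // assumed termination time from HR
let Window = 14d;                              // how long after the exit to keep watching
// Entra audit operations that usually make up access removal (assumed list; "Update user"
// is noisy and can be dropped once the disable and password reset are confirmed).
let RemovalOps = dynamic(["Disable account", "Reset user password", "Update user",
                          "Remove member from group", "Delete device", "Delete user"]);
let Removal = AuditLogs
| where TimeGenerated between ((Exit - 1h) .. (Exit + Window))   // 1h before: HR times are approximate
| where OperationName in (RemovalOps)
| mv-expand TargetResources
| where tostring(TargetResources.userPrincipalName) =~ Target
| project TimeGenerated,
          Source = "AuditLogs",
          Event  = OperationName,
          Detail = strcat(Result, " by ", tostring(InitiatedBy.user.userPrincipalName));
let Attempts = SigninLogs
| where TimeGenerated between ((Exit - 1h) .. (Exit + Window))
| where UserPrincipalName =~ Target
| project TimeGenerated,
          Source = "SigninLogs",
          Event  = iff(ResultType == "0", "Sign-in SUCCESS", "Sign-in failed"),
          Detail = strcat(AppDisplayName, " via ", ClientAppUsed, " from ", IPAddress,
                          " (", ResultDescription, "; CA=", ConditionalAccessStatus, ")");
union Removal, Attempts
| extend MinutesFromExit = datetime_diff('minute', TimeGenerated, Exit)
// A successful sign-in after the exit means an access path survived offboarding.
| extend Flag = iff(Source == "SigninLogs" and Event has "SUCCESS" and MinutesFromExit > 0,
                    "INVESTIGATE", "")
| order by TimeGenerated asc
```

The resulting table is the timeline the "document the evidence" step asks for: each removal action and each attempt with its offset from the termination time, which can be exported as the record of what was removed, when, and what was tried afterwards.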

How GEMXIT approaches offboarding security reviews

At GEMXIT, we do not simply ask whether the employee account was disabled. We look for the access paths that may still exist after everyone thinks the risk is gone.
We question assumptions: Was VPN removed? Were sessions revoked? Were shared passwords changed? Was every access path actually checked?
We validate telemetry: Security teams need to know where attempted access would appear and whether someone is actively watching the evidence.
We reduce operational risk: The aim is not complexity. The aim is a practical, repeatable process that protects the business every time someone leaves.
The employee left the business. The access path did not.
That is why offboarding needs identity, email, VPN, endpoint and cloud access reviewed together. Assumptions do not protect businesses. Verification does.

Final thought

Employee offboarding is one of those controls that only gets noticed when it fails. By then, the former employee may already know the systems, the people, the remote access method and the weak points.
At GEMXIT: We help organisations review Microsoft 365, Entra ID, Defender XDR, Sentinel and remote access controls to identify practical gaps before they become incidents.
Agent Foskett mindset: The important question is not only “Was the employee disabled?” It is “Can we prove every access path was removed?”


Develop IT. Protect IT. GEMXIT PTY LTD | GEMXIT UK LTD

Terminated Employee Access and Offboarding Security

This Agent Foskett briefing explains why terminated employee access must be reviewed across identity, VPN, email, remote desktop, cloud sessions, endpoints and shared credentials.

Microsoft 365, Entra ID and VPN Offboarding Review

GEMXIT helps organisations review Microsoft 365, Entra ID, Conditional Access, Defender XDR and remote access controls to identify access paths that may survive employee termination.

Insider Risk, Remote Access and Identity Governance

Example investigation areas include VPN login attempts, failed sign-ins, persistent sessions, mailbox forwarding, OneDrive access, shared credentials, local accounts, remote support tools and security monitoring after employee exit.