Honeyuser
What is Honeyuser?
Honeyuser: A fake identity provisioned in directory services and HR systems so that any login attempt or enumeration immediately reveals an attacker.
A honeyuser is a decoy person — typically a plausible employee profile with an Active Directory or Entra ID account, an HR record, and sometimes an email mailbox — used to detect attacker reconnaissance and credential abuse. Because the persona is fictitious, no legitimate process or human should ever authenticate as that user, list their group memberships, or send them mail. Honeyusers are particularly valuable against credential dumping, Kerberoasting, AS-REP roasting, and password-spraying campaigns. They are common in ITDR products such as Microsoft Defender for Identity, CrowdStrike Falcon Identity, and standalone deception platforms.
● Examples
- An AD account svc-backup-2 with a weak password that alerts on any login.
- A honeyuser flagged in HR records to catch insiders enumerating staff directories.
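The first example above, sketched as detection logic. This is an added example, not part of the original entry and not any vendor's implementation. It assumes Windows Security events exported as JSON lines with the fields EventID, TargetUserName, ServiceName and IpAddress; the sample events and addresses are constructed.

```python
import json

# Assumption: the set of decoy account names; svc-backup-2 is the page's example.
HONEYUSERS = {"svc-backup-2"}

# Windows Security event IDs and what a hit on a decoy suggests.
EVENT_MEANING = {
    4624: ("critical", "successful logon: the decoy password is known to someone"),
    4625: ("high", "failed logon: password guessing or spraying"),
    4768: ("high", "Kerberos TGT requested for the decoy"),
    4769: ("high", "service ticket requested for the decoy's SPN"),
    4771: ("high", "Kerberos pre-authentication failed: wrong password tried"),
}

def _norm(name):
    """Lower-case an account name and strip a DOMAIN\\ prefix or @REALM suffix."""
    return str(name or "").lower().split("\\")[-1].split("@")[0]

def honeyuser_alerts(lines):
    """Return one alert dict per event that touches a honeyuser."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the scan
        if not isinstance(ev, dict):
            continue
        eid = ev.get("EventID")
        if eid not in EVENT_MEANING:
            continue
        # In 4769 the decoy is the requested service; TargetUserName is the caller.
        field = "ServiceName" if eid == 4769 else "TargetUserName"
        decoy = _norm(ev.get(field))
        if decoy in HONEYUSERS:
            severity, meaning = EVENT_MEANING[eid]
            alerts.append({"decoy": decoy, "event_id": eid, "severity": severity,
                           "source": ev.get("IpAddress", "unknown"), "meaning": meaning})
    return alerts

# Constructed sample events, not taken from a real environment.
SAMPLE = [
    '{"EventID": 4625, "TargetUserName": "svc-backup-2", "IpAddress": "10.0.5.23"}',
    '{"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.5.40"}',
    '{"EventID": 4769, "TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "svc-backup-2", "IpAddress": "10.0.5.23"}',
    '{"EventID": 4624, "TargetUserName": "CORP\\\\SVC-BACKUP-2", "IpAddress": "10.0.5.23"}',
    'not json',
]
```

Because no legitimate process uses the decoy, every returned alert is worth triage; there is no baseline of normal activity to subtract.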
● Frequently asked questions
What is Honeyuser?
A fake identity provisioned in directory services and HR systems so that any login attempt or enumeration immediately reveals an attacker. It belongs to the Defense & Operations category of cybersecurity.
How do you defend against Honeyuser?
Defences for Honeyuser typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Honeyuser?
Common alternative names include: Decoy account, Honey identity.
● Related terms
- Honey Account (defense-ops, № 482): A decoy credential or account — often without a full identity persona — designed to trigger alerts when attempted by an attacker.
- Deception Technology (defense-ops, № 293): A defensive approach that deploys decoys, breadcrumbs, and fake assets across the environment to detect, mislead, and study attackers with high fidelity.
- Honeypot (network-security, № 485): A decoy system or service deliberately exposed to attract attackers, observe their techniques, and divert them from production assets.
- Honeytoken (network-security, № 486): A piece of fake data — credential, file, record, or API key — that has no legitimate use and triggers an alert the moment it is accessed.
- Kerberoasting (attacks, № 583): An offline password attack that requests Kerberos service tickets for service accounts and cracks the encrypted portion to recover their cleartext passwords.
● See also
- Honeyfile (№ 483)