Threat Actors may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during Create Account, although accounts may also be renamed at a later date. This may also coincide with Account Access Removal if the actor first deletes an account before re-creating one with the same name.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.