Skip to main content
All playbooks

Playbook

Student Google Workspace / Microsoft 365 takeover

Compromised student account — and the triage 'is this a real compromise or a student prank?' decision tree.

The scenario

A high-school student says someone is sending email from their account. They might be telling the truth. They might be deflecting from a prank they ran on a classmate. The next 20 minutes decide whether this is a one-account reset or a district-wide investigation.

First 60 minutes

  1. Sign the student out of all sessions and force a password reset.
  2. Check sign-in logs for foreign-country IPs, atypical user-agent strings, or token-replay markers.
  3. Look at OAuth grants on the account — student-account takeovers often persist via a third-party app.
  4. If sign-in logs show a single in-school IP and no token replay, treat as a likely prank (counselor referral, not incident).
  5. If sign-in logs show out-of-country access or anomalous tokens, escalate to district IT and treat as a real compromise.

Decisions to make

Prank or real compromise?

  • In-school IP, no token replay → counselor referral, not security incident.
  • Out-of-country IP or token replay → real compromise, full account-takeover workflow.

Who to call

  • K-12 MS-ISAC (if pattern repeats across student tenant)
  • Counselor / building admin for the prank variant

FAQ