The scenario
A high-school student says someone is sending email from their account. They might be telling the truth. They might be deflecting from a prank they ran on a classmate. The next 20 minutes decide whether this is a one-account reset or a district-wide investigation.
First 60 minutes
- Sign the student out of all sessions and force a password reset.
- Check sign-in logs for foreign-country IPs, atypical user-agent strings, or token-replay markers.
- Look at OAuth grants on the account — student-account takeovers often persist via a third-party app.
- If sign-in logs show a single in-school IP and no token replay, treat as a likely prank (counselor referral, not incident).
- If sign-in logs show out-of-country access or anomalous tokens, escalate to district IT and treat as a real compromise.
Decisions to make
Prank or real compromise?
- — In-school IP, no token replay → counselor referral, not security incident.
- — Out-of-country IP or token replay → real compromise, full account-takeover workflow.
Who to call
- K-12 MS-ISAC (if pattern repeats across student tenant)
- Counselor / building admin for the prank variant
FAQ