I managed to unlock it via 2FA, and looked at the log they made available. It reported a "strange" login from the USA (I'm from Europe), and the IP address, which I looked up via WHOIS, appears to be an internal IP of Microsoft itself.
The access type was IMAP. Is it possible that it was just MS servers moving stuff around? Do they really have to authenticate as users? Is this a common thing?
I was presented with options to select if that was me or not. I selected not, hopefully it doesn't mess up anything.
Some other kids tried to use a Microsoft mail service of some kind to access the emails in those accounts (for example, to get a password reset email for the Minecraft account).
The login attempts came from Microsoft servers rather than the kids' home internet connections, because that is how it works when you ask a web app to go fetch mail from another account for you. And conveniently, it obscures the home IP addresses of whoever was doing it.
Like I said, I have no idea what I'm talking about. Good luck!
MS-owned offending IP: 13.101.55.39
Did a whois, and saw it was MS owned. Was worried it might just be MS being broken and alerting on their own stuff, so didn't flag it, and got another attempt from the same IP a couple hours later. Flagged it then.
Could be an attacker using Azure to host attacks, but since my @outlook.com email address is not really guessable nor in circulation (long, not dictionary words/names, and only used a few times) MS just being broken might be more likely?
Another option is Cloudflare + MS's new relationship to provide Warp VPN as a built-in for Edge results in Warp sometimes terminating directly within MS address space?
https://www.zdnet.com/article/microsoft-readies-a-built-in-v...
I'm currently using Warp on my phone to avoid spying by my carrier (who is known to be terrible about this).
Are you using Cloudflare's Warp VPN on any devices that might be accessing the email accounts via IMAP?
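A small triage script for the situation the thread describes, added here as an example and not code from any of the posters: it walks a sign-in log, flags IMAP access from outside the owner's expected ranges or home country, and escalates a repeat from the same IP within a few hours (the pattern in the "got another attempt a couple hours later" post). The expected ranges, home country and log entries are constructed; only the flagged IP is taken from the thread.

```python
import ipaddress
from datetime import datetime, timedelta

# Hypothetical allowlist: ranges the mailbox owner expects sign-ins from
# (home ISP, own VPN egress). Values are constructed, not from the thread.
EXPECTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
HOME_COUNTRY = "DE"

# Constructed sign-in log in the shape of a "recent activity" export:
# (UTC timestamp, source IP, access type, geolocated country).
SAMPLE_LOG = [
    ("2024-05-01T08:02:00", "203.0.113.7", "IMAP", "DE"),
    ("2024-05-01T09:15:00", "13.101.55.39", "IMAP", "US"),
    ("2024-05-01T11:40:00", "13.101.55.39", "IMAP", "US"),
    ("2024-05-01T12:00:00", "203.0.113.7", "Web", "DE"),
]


def review_signins(log, expected_ranges=EXPECTED_RANGES,
                   home_country=HOME_COUNTRY, repeat_window=timedelta(hours=6)):
    """Return a list of (timestamp, ip, reason) findings.

    Check 1: any sign-in from outside the expected ranges or the home country
    is flagged regardless of who owns the source address; a cloud provider's
    WHOIS record says nothing about who is running the VM behind it.
    Check 2: a second flagged sign-in from the same IP inside `repeat_window`
    is escalated, since one stray login may be noise but repeats are a pattern.
    """
    findings = []
    last_seen = {}
    for ts, ip, access, country in log:
        when = datetime.fromisoformat(ts)
        addr = ipaddress.ip_address(ip)
        known = any(addr in net for net in expected_ranges)
        if known and country == home_country:
            continue  # expected origin, nothing to report
        reason = f"unexpected {access} sign-in from {country}"
        prev = last_seen.get(ip)
        if prev is not None and when - prev <= repeat_window:
            reason = "repeated " + reason
        last_seen[ip] = when
        findings.append((ts, ip, reason))
    return findings


if __name__ == "__main__":
    for finding in review_signins(SAMPLE_LOG):
        print(*finding)
```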