Not so much the victim than the unlucky detective who had to trawl event logs and compile the evidence.
Early Noughties I was helping out second line doing desktop support for a large financial organisation, using my server skills to remotely fix issues users had logged for XP without having to actually get out my seat and visit them. Since I had admin rights I could remote load Event Logs on Windows and was checking one such log when I came across a "net send" entry that even in those days was unacceptable.
The log file included the source machine, so I was able to load that log too, and started to find conversations between about 10 tech savvy people, some banal ("Coffee?"), some a bit disparaging of managers ("X is a dick!"), some totally homophobic, sectarian and racist.
Showed my boss who set me the task of compiling the entire history. After two days I had about three months of history and we called a stop. Details were passed to the Executive first to pass on to HR. I don't think anyone actually got fired, but I do know some final warning letters were issued.
And the moral of the story is - beware of having fun with the simple tools, even they can leave an audit trail.