incident-response-trainer
Incident response training · Rule-based scoring
Recruiter demo

Finance user entered credentials on a fake Microsoft 365 login

Cybersecurity · Phishing · Difficulty · Easy
Sample / demo walkthrough. This is a fixed showcase — no login, and nothing you do here is saved. It shows one phishing incident graded end-to-end by the same rule-based engine the live trainer uses. Use Save as PDF / Print to export a clean one-pager.
Submission · the alert and a strong response
Phishing · Difficulty · easy · High asset
Suspicious login page reported — possible phishing
From
Dana Park <dana.park@northwind-demo.example>
To
soc@northwind-demo.example
Date
2026-04-19 09:42 UTC
Hi SOC team,

About 15 minutes ago I got an email that looked like it came from our finance director asking me to review an invoice. The link opened a page that looked exactly like our Microsoft 365 sign-in, so I typed in my username and password. After I submitted, it just bounced me to the normal office.com home page. I think this was a phishing page.

The address I clicked was: https://m365-northwind-login[.]example/auth

I have not told anyone else yet and I am still signed in on my laptop. What should I do next?

— Dana (Finance)
Evidence
Web proxy & sign-in log excerpt
# Web proxy (src=10.20.4.51 dana-laptop)
09:24:02 GET  https://m365-northwind-login[.]example/auth        200
09:24:38 POST https://m365-northwind-login[.]example/auth/submit 302
09:24:39 GET  https://office.com/                                200

# Identity provider sign-in log (user: dana.park@northwind-demo.example)
09:25:10 SUCCESS  ip=203.0.113.77 (hosting provider)  ua="python-requests/2.31"  mfa=not_challenged
09:25:48 SUCCESS  ip=203.0.113.77  app="Outlook Web"  action=New-InboxRule "move-to-archive"
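Added example (not part of the trainer or this demo page): a small Python check that parses sign-in lines in the format shown above and flags the two indicators a responder should tie containment to, a successful sign-in with no MFA challenge from a non-browser client or a hosting-provider address, and an inbox-rule or forwarding change. The benign first log line, the `mfa=satisfied` value and the cmdlets beyond New-InboxRule are assumptions made for the demo.

```python
import re

# Constructed copy of the identity-provider sign-in lines from the evidence
# above, plus one constructed benign sign-in (mfa=satisfied) as a baseline.
# 203.0.113.77 and 198.51.100.9 are documentation-range addresses.
SAMPLE_SIGNIN_LOG = """\
09:03:12 SUCCESS  ip=198.51.100.9  ua="Mozilla/5.0 (Windows NT 10.0)"  mfa=satisfied
09:25:10 SUCCESS  ip=203.0.113.77 (hosting provider)  ua="python-requests/2.31"  mfa=not_challenged
09:25:48 SUCCESS  ip=203.0.113.77  app="Outlook Web"  action=New-InboxRule "move-to-archive"
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\w+)\s+(.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# User-agent prefixes that never belong to an interactive browser session.
NON_BROWSER_UA = ("python-requests", "curl/", "Go-http-client")
# Exchange cmdlets that create inbox rules or forwarding (mailbox persistence); assumed list.
PERSISTENCE_ACTIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def parse_event(line):
    """Parse one 'HH:MM:SS RESULT key=value ...' line into a dict; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group(3)
    event = {"time": m.group(1), "result": m.group(2),
             "hosting_provider": "(hosting provider)" in rest}
    for key, quoted, bare in KV_RE.findall(rest):
        event[key] = quoted or bare
    return event


def assess_signins(log_text):
    """Return (time, finding) pairs for the two indicators this scenario turns on:
    a successful sign-in with no MFA challenge from a non-browser client or a
    hosting-provider address (token replay), and a mailbox persistence change."""
    findings = []
    for event in filter(None, map(parse_event, log_text.splitlines())):
        if event["result"] != "SUCCESS":
            continue
        ip, ua = event.get("ip", "?"), event.get("ua", "")
        if event.get("mfa") == "not_challenged" and (
            event["hosting_provider"] or ua.startswith(NON_BROWSER_UA)
        ):
            findings.append((event["time"], f"session replay from {ip}: MFA not challenged, ua={ua!r}"))
        if event.get("action") in PERSISTENCE_ACTIONS:
            findings.append((event["time"], f"mailbox persistence from {ip}: {event['action']}"))
    return findings
```

Run `assess_signins(SAMPLE_SIGNIN_LOG)` to get the two findings for the 09:25 events; the 09:03 baseline sign-in is not flagged.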
Affected asset
Name
dana.park@northwind-demo.example
Type
Finance user account + laptop (dana-laptop)
Owner
Finance Dept · Dana Park
Level
High
Your submitted response
204 words
First, I escalate this as a P1 critical incident, because a Finance user was phished and a malicious sign-in has already succeeded. The replayed session with no MFA challenge tells me this is adversary-in-the-middle session token theft, not just a stolen password. This social engineering attack impersonated a trusted internal sender.

For containment, I reset the password and rotate credentials on the affected account, revoke session tokens and sign out everywhere so the stolen refresh token is invalidated, and disable account access if suspicious activity continues. I isolate the laptop and block the phishing domain and the malicious source IP at the proxy.

Next, for investigation I review the identity provider sign-in log, confirm the source IP, geolocation, and user agent, and audit the mailbox for the attacker-created inbox rule or any auto-forward. I gather indicators of compromise (IOCs) and check whether other users were targeted by the same page.

Before remediating, I preserve evidence: I export logs, capture a forensic snapshot of the laptop, and retain the message with its original headers for chain of custody.

Finally, for recovery I restore access once the account is verified clean, enforce MFA through Conditional Access, and run phishing awareness training so a repeat is less likely.
Final score
97 / 100
204 words submitted
Verdict · Pass

Solid response — your plan covers the core incident response steps and avoids dangerous actions. Score: 97/100. Strongest area: Clarity & structure (100%). Weakest area: Asset impact (67%) — expand this next time.

Category breakdown

Where points came from

coverage × weight = points
  • Attack understanding · 3/3 · 15.0 / 15
  • Asset impact · 2/3 · 6.7 / 10
  • Prioritization · 2/2 · 10.0 / 10
  • Containment · 5/5 · 20.0 / 20
  • Investigation · 4/4 · 15.0 / 15
  • Recovery · 3/3 · 10.0 / 10
  • Evidence preservation · 3/3 · 10.0 / 10
  • Clarity & structure · 2/2 · 10.0 / 10

Strengths

  • Attack understanding
  • Prioritization
  • Containment
  • Investigation
  • Recovery
  • Evidence preservation
  • Clarity & structure

Missing / weak

No category dropped below 40%.

Dangerous actions detected

None detected in your response.

Learning · Coaching
Sample · not live AI

Sample AI coaching

This is illustrative sample coaching for the demo, not live AI output. A strong response like the one above leads with prioritization and containment before investigation, and it preserves evidence before remediating. To go further, tie each action to the specific evidence — the replayed session from the hosting-provider IP and the attacker-created inbox rule — and state exactly who you would notify and when. On the live trainer this section can be produced by the optional AI Review layer; here it is fixed sample text.
