Attempt report

Employee reported a suspicious 'CEO' email and entered credentials

CybersecurityPhishingDifficulty · Easy

Attempt 2 of 3 · cmogxqc3x00058xa14m9iphqe

← All attempts ↻ Retry this scenario New scenario

Progress vs previous attempt

How this attempt compares

View previous attempt →

Score change

±068 → 68 / 100

Verdict

BorderlineUnchanged

Improved categories

No category improved by more than 5%.

Weakened categories

No category weakened by more than 5%.

Progression · Keep practicing

Stay on Easy · Cybersecurity

4 signals are blocking advancement to Medium. Keep practicing at Easy until those areas stabilize. (Track: Cybersecurity)

Track · Cybersecurity

Easy

Sample · 5 recent attempts2 positive4 blocking

Signals helping

Dangerous action frequency. None in recent attempts
Recent retry improvement trend. Score is improving (+13.3 pts on later attempts)

Signals blocking advancement

Recent average score. 12 / 100 (need ≥ 75)
Recent pass rate. 0 of 5 passed (need ≥ 66%)
Rubric category coverage. 12% average (need ≥ 55%)
Consistently weak rubric areas. Recovery, Evidence preservation, Investigation

Submission · what was sent and how you responded

PhishingDifficulty · easyHigh asset

Suspicious email reported — possible phishing (CEO impersonation)

From: Alice Johnson <alice.johnson@acme-corp.com>
To: soc@acme-corp.com
Date: 2026-04-19 09:42 UTC

Hi SOC team, About 20 minutes ago I received what looked like an email from our CEO asking me to review a confidential document. The link took me to a page that looked exactly like our Microsoft 365 login, so I entered my credentials. After I submitted, the page just redirected me to the real office.com. I now think this was a phishing page. The URL I clicked was: https://acme-corp-login[.]net/auth?u=alice I have not told anyone else yet. I am still logged in at my laptop. Please advise on next steps. — Alice (Finance)

Evidence

Proxy & M365 sign-in log excerpt

# Web Proxy (src=10.12.40.88 alice-wks)
09:21:04 GET https://acme-corp-login[.]net/auth?u=alice  200  (TLS, cert: Let's Encrypt, age 3d)
09:21:39 POST https://acme-corp-login[.]net/auth/submit  302
09:21:40 GET https://office.com/  200

# Entra ID sign-in logs (user: alice.johnson@acme-corp.com)
09:22:11  SUCCESS  IP 185.244.25.17 (Netherlands, hosting)  UA: "python-requests/2.31"  MFA: Not challenged (session token replay)
09:22:47  SUCCESS  IP 185.244.25.17  App: Outlook Web  Action: New-InboxRule "archive-all"

Affected asset

Name: alice.johnson@acme-corp.com
Type: Finance user account + workstation (alice-wks)
Owner: Finance Dept · Alice Johnson
Level: High

Your submitted response

66 words

V8 smoke check after track migration. First, contain the incident: reset the user password, revoke session tokens, isolate the workstation. Then investigate sign-in logs, check for inbox forwarding rules, look at source IP and user agent. Preserve evidence: keep the email, export logs with chain of custody. Recovery: enforce MFA, conditional access, user training. Escalate as P1 because finance user. Rationale: phishing with session token theft.

Final score

68/ 100

66 words submitted

Verdict · Borderline

Reasonable start, but the response misses important incident response steps. Score: 68/100. Strongest area: Evidence preservation (100%). Weakest area: Containment (40%) — expand this next time.

Category breakdown

Where points came from

coverage × weight = points

Attack understanding2/3 · 10.0 / 15
Asset impact2/3 · 6.7 / 10
Prioritization2/2 · 10.0 / 10
Containment2/5 · 8.0 / 20
Investigation3/4 · 11.3 / 15
Recovery2/3 · 6.7 / 10
Evidence preservation3/3 · 10.0 / 10
Clarity & structure1/2 · 5.3 / 10

Strengths

Prioritization
Investigation
Evidence preservation

Missing / weak

No category dropped below 40%.

Dangerous actions detected

None detected in your response.

Learning · Coaching

Learn from this attempt

Post-submission coaching for this scenario. Score and verdict are unchanged — these notes are for your next attempt.

Why points were deducted

Containment40% coverage
Reset password AND revoke sessions / refresh tokens, disable the malicious inbox rule, and block `acme-corp-login[.]net` — partial containment leaves the attacker logged in.
Clarity & structure53% coverage
Order the response (first / then / why) so a reviewer can see why containment runs before investigation in the first minutes of a credential compromise.
Attack understanding67% coverage
Name this as adversary-in-the-middle / session-token replay (the 09:22 sign-in had no MFA challenge), not just `phishing for a password`.

Model answer outline

Situation

Alice (Finance) was lured by a fake CEO request, entered her credentials on acme-corp-login[.]net, and within a minute her session was replayed from 185.244.25.17 (Netherlands hosting, `python-requests/2.31`) without an MFA challenge. The attacker has already created an `archive-all` inbox rule on Outlook Web — this is an AiTM session-token theft, not just a stolen password.

Prioritization

Treat as a P1 confirmed credential compromise on a Finance account: a malicious sign-in already succeeded.
Containment-first: reset password, revoke active sessions, and review the inbox rule before any forensic deep-dive.
Loop in the Identity / M365 admin and Finance management; this account touches sensitive workflows.

Containment

Reset Alice's password and force sign-out everywhere (`Revoke-MgUserSignInSession`) so the stolen refresh token is invalidated.
Disable the `archive-all` inbox rule and any new mailbox forwarding rule the attacker added.
Block the phishing domain `acme-corp-login[.]net` and the malicious sign-in IP at proxy / Conditional Access; isolate the workstation if you suspect endpoint compromise.

Investigation

Pull the Entra ID sign-in logs around 09:22 UTC, confirm the `python-requests/2.31` session and the missing MFA challenge (token replay, not interactive sign-in).
Audit Alice's mailbox for new inbox rules, auto-forward, OAuth grants, and any messages already auto-archived in the last hour.
Cross-check the proxy log for other users who hit `acme-corp-login[.]net` and search the fleet for the same source IP / UA.
Pull Alice's recent activity (file access, Teams DMs, sent items) so the impact statement is grounded in evidence, not assumption.

Recovery

Re-enable the account only after password reset, session revocation, and a clean device check.
Enforce phishing-resistant MFA / Conditional Access for Finance users (and revisit the AiTM-resistant policy globally).
Run a targeted phishing-awareness refresher and add `acme-corp-login[.]net`-style typosquats to user training examples.

Evidence preservation

Preserve the original phishing email with full headers (.eml) before anyone deletes it from the mailbox.
Export the Entra ID sign-in log, the mailbox audit log, and the proxy session for 185.244.25.17 / `acme-corp-login[.]net`.
Capture screenshots / API exports of the malicious inbox rule before disabling it; record hashes / case ID in the ticket.

Communication

Brief Alice and her manager on what happened, the actions taken, and what she should not do (do not click follow-up `verify your account` mail).
Notify Identity / M365 admins and the on-call SOC lead with a short timeline of containment steps.
Hold customer-comm unless investigation confirms data accessed via the mailbox; do not over-escalate before scope is known.

Dangerous actions to avoid

Do not delete the reported phishing email — preserve it as evidence first.
Do not just reset the password without revoking sessions — the stolen refresh token will keep working.
Do not wipe Alice's laptop before forensic capture / triage.
Do not share the new password over email or chat.

How to improve next time

An MFA-protected tenant can still be breached by token replay — assume token theft any time `python-requests` or a hosting-IP appears in a sign-in log.
Always pair password reset with session / refresh-token revocation; one without the other is a half-fix.
Auto-created inbox rules (`archive-all`, hidden forwards) are a classic post-AiTM tell — check and preserve them before disabling.
Preserve the original phishing email as .eml with full headers before users delete it.
Treat the M365 identity, the workstation, and the mailbox as three separate surfaces; each may need its own containment step.

AI · Supplemental review

Request an AI review of this attempt

This AI review is supplemental coaching. It does not change your official score or verdict. The review is only kept for this page session and is not saved permanently.

Review languageEnglishKorean

AI Tutor · Explains your result

AI Tutor

This tutor explains your result. It does not change your score. Pick a question to see how the deterministic grading reached your verdict and where to focus next.

Generated deterministically from your graded result — no AI model was called.

Why did I get this score?

Your verdict was Borderline at 68/100. That total is the sum of deterministic rubric points across 8 categories — each scores how much of its expected, ordered steps your answer covered, not an opinion about your writing. Your strongest coverage was Prioritization (100%). Points were held back mostly in Containment (40%), Clarity & structure (53%), Attack understanding (67%).

Rubric focuscontainmentclarityattackUnderstanding

Next study step

Re-read the containment expectations for this scenario and list the concrete steps you missed.