- From
- Alice Johnson <alice.johnson@acme-corp.com>
- To
- soc@acme-corp.com
- Date
- 2026-04-19 09:42 UTC
Employee reported a suspicious 'CEO' email and entered credentials
Attempt 1 of 1 · cmp46l82c0001gkgq9lad64p5
This is your first attempt for this scenario. Retry the scenario to generate a side-by-side comparison against your previous response.
Stay on Easy · Cybersecurity
4 signals are blocking advancement to Medium. Keep practicing at Easy until those areas stabilize. (Track: Cybersecurity)
Signals helping
- Dangerous action frequency. None in recent attempts
- Recent retry improvement trend. Score is improving (+13.3 pts on later attempts)
Signals blocking advancement
- Recent average score. 12 / 100 (need ≥ 75)
- Recent pass rate. 0 of 5 passed (need ≥ 66%)
- Rubric category coverage. 12% average (need ≥ 55%)
- Consistently weak rubric areas. Recovery, Evidence preservation, Investigation
```
# Web Proxy (src=10.12.40.88 alice-wks)
09:21:04 GET https://acme-corp-login[.]net/auth?u=alice 200 (TLS, cert: Let's Encrypt, age 3d)
09:21:39 POST https://acme-corp-login[.]net/auth/submit 302
09:21:40 GET https://office.com/ 200

# Entra ID sign-in logs (user: alice.johnson@acme-corp.com)
09:22:11 SUCCESS IP 185.244.25.17 (Netherlands, hosting) UA: "python-requests/2.31" MFA: Not challenged (session token replay)
09:22:47 SUCCESS IP 185.244.25.17 App: Outlook Web Action: New-InboxRule "archive-all"
```
- Name
- alice.johnson@acme-corp.com
- Type
- Finance user account + workstation (alice-wks)
- Owner
- Finance Dept · Alice Johnson
- Level
- High
Damn, you got cooked... you shouldn't be putting your credentials in there. That's a phishing site that takes your credentials.
The response is missing several critical incident response steps. Review the rubric and try again. Score: 8/100. Strongest area: Clarity & structure (33%). Weakest area: Asset impact (0%) — expand this next time. The response is quite short; aim for a more structured, step-by-step plan.
Where points came from
- Attack understanding: 1/3 · 5.0 / 15
- Asset impact: 0/3 · 0.0 / 10
- Prioritization: 0/2 · 0.0 / 10
- Containment: 0/5 · 0.0 / 20
- Investigation: 0/4 · 0.0 / 15
- Recovery: 0/3 · 0.0 / 10
- Evidence preservation: 0/3 · 0.0 / 10
- Clarity & structure: 1/2 · 3.3 / 10
Strengths
No category reached 70% coverage.
Missing / weak
- Attack understanding
- Asset impact
- Prioritization
- Containment
- Investigation
- Recovery
- Evidence preservation
- Clarity & structure
Dangerous actions detected
None detected in your response.
Learn from this attempt
Post-submission coaching for this scenario. Score and verdict are unchanged — these notes are for your next attempt.
Why points were deducted
- Containment: 0% coverage
Reset password AND revoke sessions / refresh tokens, disable the malicious inbox rule, and block `acme-corp-login[.]net` — partial containment leaves the attacker logged in.
- Investigation: 0% coverage
Use Entra sign-in logs, the mailbox audit log, and the proxy log to pin scope; confirm the `python-requests/2.31` UA from 185.244.25.17 and look for other victims of the same domain.
- Asset impact: 0% coverage
Identify a Finance M365 / Entra ID identity, the workstation, and the mailbox (with a malicious inbox rule already created) — not just `Alice's account`.
Model answer outline
Alice (Finance) was lured by a fake CEO request, entered her credentials on acme-corp-login[.]net, and within a minute her session was replayed from 185.244.25.17 (Netherlands hosting, `python-requests/2.31`) without an MFA challenge. The attacker has already created an `archive-all` inbox rule on Outlook Web — this is an AiTM session-token theft, not just a stolen password.
- Treat as a P1 confirmed credential compromise on a Finance account: a malicious sign-in already succeeded.
- Containment-first: reset password, revoke active sessions, and review the inbox rule before any forensic deep-dive.
- Loop in the Identity / M365 admin and Finance management; this account touches sensitive workflows.
- Reset Alice's password and force sign-out everywhere (`Revoke-MgUserSignInSession`) so the stolen refresh token is invalidated.
- Disable the `archive-all` inbox rule and any new mailbox forwarding rule the attacker added.
- Block the phishing domain `acme-corp-login[.]net` and the malicious sign-in IP at proxy / Conditional Access; isolate the workstation if you suspect endpoint compromise.
- Pull the Entra ID sign-in logs around 09:22 UTC, confirm the `python-requests/2.31` session and the missing MFA challenge (token replay, not interactive sign-in).
- Audit Alice's mailbox for new inbox rules, auto-forward, OAuth grants, and any messages already auto-archived in the last hour.
- Cross-check the proxy log for other users who hit `acme-corp-login[.]net` and search the fleet for the same source IP / UA.
- Pull Alice's recent activity (file access, Teams DMs, sent items) so the impact statement is grounded in evidence, not assumption.
- Re-enable the account only after password reset, session revocation, and a clean device check.
- Enforce phishing-resistant MFA / Conditional Access for Finance users (and revisit the AiTM-resistant policy globally).
- Run a targeted phishing-awareness refresher and add `acme-corp-login[.]net`-style typosquats to user training examples.
- Preserve the original phishing email with full headers (.eml) before anyone deletes it from the mailbox.
- Export the Entra ID sign-in log, the mailbox audit log, and the proxy session for 185.244.25.17 / `acme-corp-login[.]net`.
- Capture screenshots / API exports of the malicious inbox rule before disabling it; record hashes / case ID in the ticket.
- Brief Alice and her manager on what happened, the actions taken, and what she should not do (do not click follow-up `verify your account` mail).
- Notify Identity / M365 admins and the on-call SOC lead with a short timeline of containment steps.
- Hold customer-comm unless investigation confirms data accessed via the mailbox; do not over-escalate before scope is known.
Dangerous actions to avoid
- Do not delete the reported phishing email — preserve it as evidence first.
- Do not just reset the password without revoking sessions — the stolen refresh token will keep working.
- Do not wipe Alice's laptop before forensic capture / triage.
- Do not share the new password over email or chat.
How to improve next time
- An MFA-protected tenant can still be breached by token replay — assume token theft any time `python-requests` or a hosting-IP appears in a sign-in log.
- Always pair password reset with session / refresh-token revocation; one without the other is a half-fix.
- Auto-created inbox rules (`archive-all`, hidden forwards) are a classic post-AiTM tell — check and preserve them before disabling.
- Preserve the original phishing email as .eml with full headers before users delete it.
- Treat the M365 identity, the workstation, and the mailbox as three separate surfaces; each may need its own containment step.
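The model answer outline and the coaching notes above both come down to the same two habits: spot the token-replay tells in the sign-in log (scripted user agent, hosting-provider IP, a successful sign-in with no MFA challenge, a fresh inbox rule) and then run containment in the right order, with session revocation always paired to the password reset. The following Python is an added example, not code from the training platform or from any vendor tool; it parses sign-in lines laid out like the scenario's log (that one-line layout, the benign first event and the `parse_signin` / `triage` / `containment_plan` names are assumptions), flags the indicators, and emits the ordered checklist. The IPs, user agent, rule name and phishing domain are the scenario's own values.

```python
import re
from dataclasses import dataclass

# Constructed sample Entra ID sign-in events. The IPs, UA and rule name come
# from the scenario; the one-line layout and the benign first line are assumptions.
SAMPLE_SIGNINS = [
    '09:20:02 SUCCESS IP 10.12.40.88 (Corp LAN) UA: "Mozilla/5.0 (Windows NT 10.0) Edge/124" MFA: Satisfied',
    '09:22:11 SUCCESS IP 185.244.25.17 (Netherlands, hosting) UA: "python-requests/2.31" MFA: Not challenged (session token replay)',
    '09:22:47 SUCCESS IP 185.244.25.17 App: Outlook Web Action: New-InboxRule "archive-all"',
]

# User-Agent fragments that point to a script or HTTP library, not an interactive browser.
SCRIPTED_UA_MARKERS = ("python-requests", "curl/", "go-http-client", "okhttp")
# Exchange cmdlets that create or alter inbox rules (the classic post-AiTM tell).
RULE_ACTIONS = ("New-InboxRule", "Set-InboxRule")

LINE_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d) (?P<result>\w+) IP (?P<ip>[\d.]+)'
    r'(?: \((?P<ipinfo>[^)]*)\))?(?P<rest>.*)$'
)


@dataclass
class Finding:
    ts: str
    ip: str
    reasons: list


def parse_signin(line):
    """Split one sign-in line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    ua = re.search(r'UA: "([^"]*)"', rest)
    mfa = re.search(r'MFA: (Not challenged|\w+)', rest)
    action = re.search(r'Action: (\S+)(?: "([^"]*)")?', rest)
    return {
        "ts": m.group("ts"),
        "result": m.group("result"),
        "ip": m.group("ip"),
        "ipinfo": (m.group("ipinfo") or "").lower(),
        "ua": ua.group(1) if ua else "",
        "mfa": mfa.group(1) if mfa else "",
        "action": action.group(1) if action else "",
        "action_arg": action.group(2) if action and action.group(2) else "",
    }


def triage(lines):
    """Return a Finding for every successful sign-in that shows token-replay
    indicators or post-compromise mailbox tampering."""
    findings = []
    for line in lines:
        ev = parse_signin(line)
        if not ev or ev["result"] != "SUCCESS":
            continue
        reasons = []
        if any(marker in ev["ua"].lower() for marker in SCRIPTED_UA_MARKERS):
            reasons.append("scripted user agent: " + ev["ua"])
        if ev["mfa"] == "Not challenged":
            reasons.append("no MFA challenge on a successful sign-in (token replay)")
        if "hosting" in ev["ipinfo"]:
            reasons.append("sign-in from hosting-provider IP")
        if ev["action"] in RULE_ACTIONS:
            reasons.append(f'mailbox rule change: {ev["action"]} "{ev["action_arg"]}"')
        if reasons:
            findings.append(Finding(ev["ts"], ev["ip"], reasons))
    return findings


def containment_plan(findings, user, phishing_domain):
    """Ordered containment checklist. The password reset is always followed by
    session revocation, because a stolen refresh token survives a reset alone."""
    if not findings:
        return []
    steps = [
        f"Reset password for {user}",
        f"Revoke all sessions and refresh tokens for {user} (Revoke-MgUserSignInSession)",
    ]
    for f in findings:
        for r in f.reasons:
            if r.startswith("mailbox rule change"):
                # Preserve first (export), then disable: the rule is evidence.
                steps.append("Export, then disable the inbox rule: " + r.split(": ", 1)[1])
    steps.append(f"Block {phishing_domain} at the proxy")
    for ip in sorted({f.ip for f in findings}):
        steps.append(f"Block {ip} in Conditional Access / named locations")
    return steps


if __name__ == "__main__":
    found = triage(SAMPLE_SIGNINS)
    for f in found:
        print(f.ts, f.ip, "; ".join(f.reasons))
    for i, step in enumerate(containment_plan(found, "alice.johnson@acme-corp.com", "acme-corp-login[.]net"), 1):
        print(f"{i}. {step}")
```

On the scenario's three events the benign workstation sign-in produces no finding, the 09:22:11 event trips all three replay indicators, and the 09:22:47 event is flagged for the `archive-all` rule; the plan then lists reset, revoke, export-then-disable the rule, block the domain, and block the IP, in that order.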
AI Tutor
This tutor explains your result. It does not change your score. Pick a question to see how the deterministic grading reached your verdict and where to focus next.
Generated deterministically from your graded result — no AI model was called.
Why did I get this score?
Your verdict was Fail at 8/100. That total is the sum of deterministic rubric points across 8 categories — each scores how much of its expected, ordered steps your answer covered, not an opinion about your writing. Your strongest coverage was Attack understanding (33%). Points were held back mostly in Containment (0%), Investigation (0%), Asset impact (0%).
Re-read the containment expectations for this scenario and list the concrete steps you missed.
This tutor explains your existing result. It does not change your score, verdict, or grade. Generated deterministically from your graded result — no AI model was called.
What should I improve first?
Focus on Containment first — it is your weakest rubric area at 0% coverage and carries weight 20. For this scenario: Reset password AND revoke sessions / refresh tokens, disable the malicious inbox rule, and block `acme-corp-login[.]net` — partial containment leaves the attacker logged in.
Rewrite your containment section as a short numbered checklist before your next attempt.
How does my answer compare to the model answer outline?
Compared with the model answer outline, the most useful sections to study are the ones matching your weak areas. Re-read the outline's containment, investigation, asset impact guidance and check which listed points you did not cover. The outline is a high-level checklist of expected points — use it to find gaps, not to copy a finished answer.
Pick one model-answer section you missed and add its key points to your next response in your own words.
Which rubric area mattered most here?
Containment mattered most here: it carries the highest rubric weight (20), so coverage there moves your score the most. You covered 0% of it this time, worth 0 points.
Prioritise the highest-weight categories first; make sure containment is fully addressed before lower-weight ones.
What should I study next?
Based on this attempt, study containment, investigation, asset impact next. Coaching tip for this scenario: An MFA-protected tenant can still be breached by token replay — assume token theft any time `python-requests` or a hosting-IP appears in a sign-in log.