Attempt report

Employee reported a suspicious 'CEO' email and entered credentials

CybersecurityPhishingDifficulty · Easy

Attempt 1 of 1 · cmpei6ojy00000j1pyillghry

← All attempts ↻ Retry this scenario New scenario

Progress vs previous attempt

This is your first attempt for this scenario. Retry the scenario to generate a side-by-side comparison against your previous response.

Progression · Keep practicing

Stay on Easy · Cybersecurity

4 signals are blocking advancement to Medium. Keep practicing at Easy until those areas stabilize. (Track: Cybersecurity)

Track · Cybersecurity

Easy

Sample · 5 recent attempts2 positive4 blocking

Signals helping

Dangerous action frequency. None in recent attempts
Recent retry improvement trend. Score is improving (+13.3 pts on later attempts)

Signals blocking advancement

Recent average score. 12 / 100 (need ≥ 75)
Recent pass rate. 0 of 5 passed (need ≥ 66%)
Rubric category coverage. 12% average (need ≥ 55%)
Consistently weak rubric areas. Recovery, Evidence preservation, Investigation

Submission · what was sent and how you responded

PhishingDifficulty · easyHigh asset

Suspicious email reported — possible phishing (CEO impersonation)

From: Alice Johnson <alice.johnson@acme-corp.com>
To: soc@acme-corp.com
Date: 2026-04-19 09:42 UTC

Hi SOC team, About 20 minutes ago I received what looked like an email from our CEO asking me to review a confidential document. The link took me to a page that looked exactly like our Microsoft 365 login, so I entered my credentials. After I submitted, the page just redirected me to the real office.com. I now think this was a phishing page. The URL I clicked was: https://acme-corp-login[.]net/auth?u=alice I have not told anyone else yet. I am still logged in at my laptop. Please advise on next steps. — Alice (Finance)

Evidence

Proxy & M365 sign-in log excerpt

# Web Proxy (src=10.12.40.88 alice-wks)
09:21:04 GET https://acme-corp-login[.]net/auth?u=alice  200  (TLS, cert: Let's Encrypt, age 3d)
09:21:39 POST https://acme-corp-login[.]net/auth/submit  302
09:21:40 GET https://office.com/  200

# Entra ID sign-in logs (user: alice.johnson@acme-corp.com)
09:22:11  SUCCESS  IP 185.244.25.17 (Netherlands, hosting)  UA: "python-requests/2.31"  MFA: Not challenged (session token replay)
09:22:47  SUCCESS  IP 185.244.25.17  App: Outlook Web  Action: New-InboxRule "archive-all"

Affected asset

Name: alice.johnson@acme-corp.com
Type: Finance user account + workstation (alice-wks)
Owner: Finance Dept · Alice Johnson
Level: High

Your submitted response

114 words

Phase 17 Prisma 7 production AI Review data prep smoke. Containment: isolate the affected workstation from the corporate network and disable the user's account session tokens to halt further credential abuse. Investigation: collect mail headers, the phishing URL, browser history, and authentication logs to scope which assets were accessed. Evidence preservation: capture volatile memory, browser artifacts, and proxy logs before reimaging. Prioritization: revoke and rotate the affected user credentials immediately, then audit MFA, OAuth grants, and recent sign-ins for lateral movement. Recovery: reset passwords, re-enroll MFA, reimage the host from a known-good baseline, and verify mailbox forwarding rules were not modified. Communication: notify the SOC lead and document a timeline for the incident report.

Final score

45/ 100

114 words submitted

Verdict · Fail

The response is missing several critical incident response steps. Review the rubric and try again. Score: 45/100. Strongest area: Clarity & structure (77%). Weakest area: Recovery (0%) — expand this next time.

Category breakdown

Where points came from

coverage × weight = points

Attack understanding2/3 · 10.0 / 15
Asset impact2/3 · 6.7 / 10
Prioritization1/2 · 5.0 / 10
Containment3/5 · 12.0 / 20
Investigation1/4 · 3.8 / 15
Recovery0/3 · 0.0 / 10
Evidence preservation0/3 · 0.0 / 10
Clarity & structure2/2 · 7.7 / 10

Strengths

Clarity & structure

Missing / weak

Investigation
Recovery
Evidence preservation

Dangerous actions detected

None detected in your response.

Learning · Coaching

Learn from this attempt

Post-submission coaching for this scenario. Score and verdict are unchanged — these notes are for your next attempt.

Why points were deducted

Recovery0% coverage
Re-enable with phishing-resistant MFA / Conditional Access and a targeted awareness refresher, not just `tell Alice to be careful`.
Evidence preservation0% coverage
Preserve the original phishing email (.eml, full headers), export sign-in / proxy / mailbox audit logs, and capture the inbox rule before disabling it.
Investigation25% coverage
Use Entra sign-in logs, the mailbox audit log, and the proxy log to pin scope; confirm the `python-requests/2.31` UA from 185.244.25.17 and look for other victims of the same domain.

Model answer outline

Situation

Alice (Finance) was lured by a fake CEO request, entered her credentials on acme-corp-login[.]net, and within a minute her session was replayed from 185.244.25.17 (Netherlands hosting, `python-requests/2.31`) without an MFA challenge. The attacker has already created an `archive-all` inbox rule on Outlook Web — this is an AiTM session-token theft, not just a stolen password.

Prioritization

Treat as a P1 confirmed credential compromise on a Finance account: a malicious sign-in already succeeded.
Containment-first: reset password, revoke active sessions, and review the inbox rule before any forensic deep-dive.
Loop in the Identity / M365 admin and Finance management; this account touches sensitive workflows.

Containment

Reset Alice's password and force sign-out everywhere (`Revoke-MgUserSignInSession`) so the stolen refresh token is invalidated.
Disable the `archive-all` inbox rule and any new mailbox forwarding rule the attacker added.
Block the phishing domain `acme-corp-login[.]net` and the malicious sign-in IP at proxy / Conditional Access; isolate the workstation if you suspect endpoint compromise.

Investigation

Pull the Entra ID sign-in logs around 09:22 UTC, confirm the `python-requests/2.31` session and the missing MFA challenge (token replay, not interactive sign-in).
Audit Alice's mailbox for new inbox rules, auto-forward, OAuth grants, and any messages already auto-archived in the last hour.
Cross-check the proxy log for other users who hit `acme-corp-login[.]net` and search the fleet for the same source IP / UA.
Pull Alice's recent activity (file access, Teams DMs, sent items) so the impact statement is grounded in evidence, not assumption.

Recovery

Re-enable the account only after password reset, session revocation, and a clean device check.
Enforce phishing-resistant MFA / Conditional Access for Finance users (and revisit the AiTM-resistant policy globally).
Run a targeted phishing-awareness refresher and add `acme-corp-login[.]net`-style typosquats to user training examples.

Evidence preservation

Preserve the original phishing email with full headers (.eml) before anyone deletes it from the mailbox.
Export the Entra ID sign-in log, the mailbox audit log, and the proxy session for 185.244.25.17 / `acme-corp-login[.]net`.
Capture screenshots / API exports of the malicious inbox rule before disabling it; record hashes / case ID in the ticket.

Communication

Brief Alice and her manager on what happened, the actions taken, and what she should not do (do not click follow-up `verify your account` mail).
Notify Identity / M365 admins and the on-call SOC lead with a short timeline of containment steps.
Hold customer-comm unless investigation confirms data accessed via the mailbox; do not over-escalate before scope is known.

Dangerous actions to avoid

Do not delete the reported phishing email — preserve it as evidence first.
Do not just reset the password without revoking sessions — the stolen refresh token will keep working.
Do not wipe Alice's laptop before forensic capture / triage.
Do not share the new password over email or chat.

How to improve next time

An MFA-protected tenant can still be breached by token replay — assume token theft any time `python-requests` or a hosting-IP appears in a sign-in log.
Always pair password reset with session / refresh-token revocation; one without the other is a half-fix.
Auto-created inbox rules (`archive-all`, hidden forwards) are a classic post-AiTM tell — check and preserve them before disabling.
Preserve the original phishing email as .eml with full headers before users delete it.
Treat the M365 identity, the workstation, and the mailbox as three separate surfaces; each may need its own containment step.

AI · Supplemental review

Request an AI review of this attempt

This AI review is supplemental coaching. It does not change your official score or verdict. The review is only kept for this page session and is not saved permanently.

Review languageEnglishKorean

AI Tutor · Explains your result

AI Tutor

This tutor explains your result. It does not change your score. Pick a question to see how the deterministic grading reached your verdict and where to focus next.

Generated deterministically from your graded result — no AI model was called.

Why did I get this score?

Your verdict was Fail at 45/100. That total is the sum of deterministic rubric points across 8 categories — each scores how much of its expected, ordered steps your answer covered, not an opinion about your writing. Your strongest coverage was Clarity & structure (77%). Points were held back mostly in Recovery (0%), Evidence preservation (0%), Investigation (25%).

Rubric focusrecoveryevidencePreservationinvestigation

Next study step

Re-read the recovery expectations for this scenario and list the concrete steps you missed.