incident-response-trainer
Mock scenarios · Rule-based grading
Attempt report

Helpdesk tech approved MFA push at 02:14 UTC after a flood of prompts — Singapore sign-in now active

Cybersecurity · MFA Fatigue / Push Bombing · Difficulty · Easy

Attempt 1 of 1 · cmpvzvn1c00000jznmq00hwp3

Progress vs previous attempt

This is your first attempt for this scenario. Retry the scenario to generate a side-by-side comparison against your previous response.

Progression · Keep practicing

Stay on Easy · Cybersecurity

4 signals are blocking advancement to Medium. Keep practicing at Easy until those areas stabilize. (Track: Cybersecurity)

Track · Cybersecurity
Easy
Sample · 5 recent attempts · 2 positive · 4 blocking

Signals helping

  • Dangerous action frequency. None in recent attempts
  • Recent retry improvement trend. Score is improving (+13.3 pts on later attempts)

Signals blocking advancement

  • Recent average score. 12 / 100 (need ≥ 75)
  • Recent pass rate. 0 of 5 passed (need ≥ 66%)
  • Rubric category coverage. 12% average (need ≥ 55%)
  • Consistently weak rubric areas. Recovery, Evidence preservation, Investigation
Submission · what was sent and how you responded
MFA Fatigue / Push Bombing · Difficulty · Easy · High asset
Suspicious sign-in on helpdesk account — possible MFA fatigue compromise
From
Min-jae Choi <min-jae.choi@acme-corp.com>
To
soc@acme-corp.com
Date
2026-05-12 06:18 UTC
Hi SOC,

Reporting a suspicious sign-in on one of our helpdesk accounts. When the morning shift opened the queue at 06:00 UTC, we noticed Yu-jin's account (yu-jin.kim@acme-corp.com) had a successful interactive sign-in from Singapore at 02:14 UTC. She lives in Seoul and was off-shift at that time.

I just spoke to Yu-jin. She says her Authenticator app started receiving push prompts around 02:00, one every ~30 seconds. She denied ~10 of them, silenced her phone, then woke up to more prompts and tapped Approve at 02:14 "to make them stop." She went back to sleep and did not report it.

The helpdesk audit log shows her account read several finance tickets (HD-9821, HD-9847, HD-9852) between 02:18 and 03:09 UTC, including tickets with password reset history.

Please advise on next steps. The account is still active.

— Min-jae (Helpdesk Lead)
Evidence
Entra ID sign-in log + helpdesk audit trail (02:00–03:30 UTC)
# Entra ID sign-in log (user: yu-jin.kim@acme-corp.com)
01:58:14  DENIED   src=185.220.101.42 (Singapore, hosting)  reason=mfa_denied  UA: Edge/Windows
01:58:46  DENIED   src=185.220.101.42  reason=mfa_denied
01:59:18  DENIED   src=185.220.101.42  reason=mfa_denied
... (8 more denials through 02:13)
02:14:07  SUCCESS  src=185.220.101.42  MFA: Authenticator push (approved)  app: Helpdesk Web Portal
02:18:33  SUCCESS  src=185.220.101.42  app: Helpdesk Web Portal  (session continues)

# Helpdesk ticketing audit (user: yu-jin.kim, src=185.220.101.42)
02:18:41  READ     ticket HD-9821 (subject: "Finance VP password reset 2026-04")
02:24:55  READ     ticket HD-9847 (subject: "Treasury account MFA re-enroll")
02:31:09  READ     ticket HD-9852 (subject: "CFO mailbox delegate change")
03:08:47  SEARCH   query: "password reset finance"

# Yu-jin's typical sign-in pattern (last 30d, for comparison)
- IPs: KR/Seoul home ISP (~94%), KR/Seoul mobile (5%), corp egress (1%)
- Devices: corp Windows laptop + iPhone Authenticator
- Working hours: 09:00–18:00 KST (00:00–09:00 UTC) on weekdays
Affected asset
Name
yu-jin.kim@acme-corp.com
Type
Helpdesk technician account (Entra ID) + helpdesk ticketing access
Owner
IT Service Desk · Yu-jin Kim
Level
High
Your submitted response
42 words
Hi, the SOC team will deactivate her account temporarily and conduct further investigations.
When your account is reactivated, please change your password and do not approve unknown requests again.
If the incident happens again, please contact the SOC team ASAP.

Thank you,
Final score
7 / 100
42 words submitted
Verdict · Fail

The response is missing several critical incident response steps. Review the rubric and try again. Score: 7/100. Strongest area: Clarity & structure (70%). Weakest area: Attack understanding (0%) — expand this next time. The response is quite short; aim for a more structured, step-by-step plan.

Category breakdown

Where points came from

coverage × weight = points
  • Attack understanding · 0/4 · 0.0 / 15
  • Asset impact · 0/3 · 0.0 / 10
  • Prioritization · 0/2 · 0.0 / 10
  • Containment · 0/4 · 0.0 / 20
  • Investigation · 0/4 · 0.0 / 15
  • Recovery · 0/4 · 0.0 / 10
  • Evidence preservation · 0/3 · 0.0 / 10
  • Clarity & structure · 1/2 · 7.0 / 10

Strengths

  • Clarity & structure

Missing / weak

  • Attack understanding
  • Asset impact
  • Prioritization
  • Containment
  • Investigation
  • Recovery
  • Evidence preservation

Dangerous actions detected

None detected in your response.

Learning · Coaching

Learn from this attempt

Post-submission coaching for this scenario. Score and verdict are unchanged — these notes are for your next attempt.

Why points were deducted

  • Containment · 0% coverage

    Reset password AND revoke sessions / refresh tokens AND disable the account AND block the source IP — partial containment leaves the attacker session live.

  • Attack understanding · 0% coverage

    Name this as MFA fatigue / push bombing and explain that the credential was already compromised before the push storm — MFA was defeated socially, not cryptographically.

  • Investigation · 0% coverage

    Read the denied-then-approved pattern in the sign-in log, audit the ticket reads during the attacker session, and search the tenant for the same source IP / UA hitting other accounts.

Model answer outline

Situation

Yu-jin (helpdesk technician, privileged for password resets) was push-bombed through Microsoft Authenticator for roughly 16 minutes starting at 01:58 UTC. After 11 denials (three shown in the log plus eight elided) she tapped Approve at 02:14 to silence the prompts, and the attacker's session from 185.220.101.42 (Singapore hosting, absent from her 30-day baseline) signed in and began reading finance-related tickets at 02:18. This is MFA fatigue: the attacker already held a valid password before the push storm began (each prompt is a successful first factor), and MFA was defeated socially, not cryptographically.

Prioritization
  • Treat as a P1 confirmed compromise of a privileged helpdesk account: a malicious session is already active and has read finance ticket data.
  • Containment runs ahead of deep investigation in the first 15 minutes — the attacker still has an open session.
  • Loop in the Identity / M365 admin and the helpdesk lead; pause Yu-jin's role privileges immediately.
Containment
  • Reset Yu-jin's password and revoke her refresh tokens (`Revoke-MgUserSignInSession -UserId yu-jin.kim@acme-corp.com`) so the session established at 02:14 cannot renew. Access tokens already issued stay valid until they expire (typically about an hour) unless the application honours Continuous Access Evaluation, so disable the account as well and confirm in the sign-in log that 185.220.101.42 stops succeeding.
  • Temporarily disable the account in Entra and remove helpdesk role assignments until the investigation closes.
  • Block source IP 185.220.101.42 via a Conditional Access named location, and apply a country/geo restriction on the helpdesk role going forward. Treat the IP block as a tripwire rather than a fix: hosting-provider addresses are cheap to rotate, so the account-level actions above are what actually end the access.
Investigation
  • Pull the 01:55–03:30 UTC Entra sign-in log and read the denied-then-approved sequence; document the 11 denials (three shown plus eight elided) before the 02:14 success, and the ~30-second cadence that marks automated prompting.
  • Use the baseline carefully: 02:14 UTC is 11:14 KST, inside the stated 09:00–18:00 KST working hours, yet Yu-jin reports being off-shift and asleep. Reconcile her actual schedule before leaning on time of day as an indicator; the source (a hosting IP never seen in 30 days) and the denial sequence are the anomalies here.
  • Audit helpdesk ticket reads during the attacker session (02:18–03:09 UTC) and confirm whether the attacker reset any other users' passwords or changed delegates through the helpdesk workflow.
  • Search the tenant for the same source IP / user agent hitting other accounts in the same window; push bombing campaigns rarely target a single user, and other accounts may show denials without a success.
  • Check Yu-jin's mailbox for new inbox rules, and the Entra audit log for OAuth consent grants or newly registered MFA methods and devices during the attacker session; those are the persistence paths that survive a password reset.
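The denied-then-approved read, the same-source pivot across accounts, and the post-containment check described in the coaching and in the Investigation steps above can be automated over exported sign-in events. The script below is an added example, not part of the trainer page or any Microsoft tooling. It parses a constructed compact log format modelled on the scenario's evidence (a `user=` field is added so one file can hold several accounts; `a.lee` and `b.park` are hypothetical, and 203.0.113.x / 198.51.100.x are documentation addresses standing in for the Seoul and unrelated sources). The thresholds (five denials within twenty minutes) are assumptions to tune against your own tenant.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (UTC, 2026-05-12) mirroring the scenario's evidence.
# The yu-jin.kim denial run is abbreviated; a.lee is a hypothetical second
# target hit by the same source; b.park is an unrelated bad-password event.
SAMPLE_LOG = """\
00:05:10  SUCCESS  user=yu-jin.kim  src=203.0.113.20     mfa=push_approved
01:58:14  DENIED   user=yu-jin.kim  src=185.220.101.42   reason=mfa_denied
01:58:46  DENIED   user=yu-jin.kim  src=185.220.101.42   reason=mfa_denied
01:59:18  DENIED   user=yu-jin.kim  src=185.220.101.42   reason=mfa_denied
01:59:50  DENIED   user=yu-jin.kim  src=185.220.101.42   reason=mfa_denied
02:00:22  DENIED   user=yu-jin.kim  src=185.220.101.42   reason=mfa_denied
02:01:05  DENIED   user=a.lee       src=185.220.101.42   reason=mfa_denied
02:01:37  DENIED   user=a.lee       src=185.220.101.42   reason=mfa_denied
02:13:40  DENIED   user=yu-jin.kim  src=185.220.101.42   reason=mfa_denied
02:14:07  SUCCESS  user=yu-jin.kim  src=185.220.101.42   mfa=push_approved
02:18:33  SUCCESS  user=yu-jin.kim  src=185.220.101.42   mfa=sso
02:40:00  DENIED   user=b.park      src=198.51.100.9     reason=bad_password
02:55:12  SUCCESS  user=yu-jin.kim  src=185.220.101.42   mfa=sso
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\s+(?P<result>DENIED|SUCCESS)\s+user=(?P<user>\S+)"
    r"\s+src=(?P<ip>[\d.]+)(?:\s+reason=(?P<reason>\S+))?(?:\s+mfa=(?P<mfa>\S+))?"
)
DAY = datetime(2026, 5, 12)  # assumed date of the exported log


def at(hhmmss):
    """Turn an HH:MM:SS string into a datetime on the log's day."""
    h, m, s = map(int, hhmmss.split(":"))
    return DAY + timedelta(hours=h, minutes=m, seconds=s)


def parse(text):
    """Parse log lines into dicts sorted by time; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = at(ev["ts"])
            events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_push_bombing(events, min_denials=5, window=timedelta(minutes=20)):
    """Flag an approved-push SUCCESS preceded, for the same user and source IP,
    by at least min_denials mfa_denied results within `window`. The signal is
    the sequence, not the final SUCCESS row on its own."""
    denials = defaultdict(list)  # (user, ip) -> timestamps of mfa_denied
    findings = []
    for ev in events:
        key = (ev["user"], ev["ip"])
        if ev["result"] == "DENIED" and ev["reason"] == "mfa_denied":
            denials[key].append(ev["ts"])
        elif ev["result"] == "SUCCESS" and ev["mfa"] == "push_approved":
            recent = [t for t in denials[key] if ev["ts"] - t <= window]
            if len(recent) >= min_denials:
                findings.append({"user": ev["user"], "ip": ev["ip"],
                                 "denials": len(recent),
                                 "first_denied": recent[0],
                                 "approved_at": ev["ts"]})
                denials[key].clear()
    return findings


def pivot_by_source(events, ip):
    """Every account the source IP touched, with result counts: campaigns
    rarely target one user, and other victims may show denials only."""
    hits = defaultdict(lambda: {"DENIED": 0, "SUCCESS": 0})
    for ev in events:
        if ev["ip"] == ip:
            hits[ev["user"]][ev["result"]] += 1
    return dict(hits)


def successes_after(events, ip, cutoff):
    """Containment check: successful sign-ins from the attacker IP after the
    time sessions were revoked. Any hit means the session is still live."""
    return [ev["ts"] for ev in events
            if ev["ip"] == ip and ev["result"] == "SUCCESS" and ev["ts"] > cutoff]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for f in find_push_bombing(evs):
        print(f"{f['user']}: {f['denials']} denials from {f['ip']} between "
              f"{f['first_denied']:%H:%M:%S} and approval at {f['approved_at']:%H:%M:%S}")
    print(pivot_by_source(evs, "185.220.101.42"))
    # Suppose sessions were revoked at 02:30 UTC: the 02:55 success proves they were not.
    print(successes_after(evs, "185.220.101.42", at("02:30:00")))
```

The benign 00:05 approval from the Seoul address is not flagged because no denial run precedes it; `a.lee` surfaces only through the source pivot, which is why that step is listed separately from the per-user read. In a real tenant the same three functions would run over the exported `signInLogs` records rather than this compact format.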
Recovery
  • Re-enable the account only after password reset, session revocation, and Conditional Access tightening.
  • Enforce number-matching MFA (or phishing-resistant MFA / FIDO2) on the helpdesk role; the current push-Approve flow is the vulnerability.
  • Run a helpdesk-team awareness refresher focused specifically on push fatigue — `tap to silence prompts` is the failure mode.
Evidence preservation
  • Export the Entra ID sign-in log for the full 02:00–03:30 UTC window with full request metadata (UA, IP, MFA result).
  • Preserve the helpdesk ticketing audit log entries for tickets HD-9821, HD-9847, HD-9852, and the SEARCH query at 03:08.
  • If retrievable, capture Yu-jin's Authenticator push history (some MDM/Intune integrations expose it) before any device reset.
Communication
  • Brief Yu-jin and her helpdesk lead on what happened, what was reset, and what she should not do (do not click any follow-up Authenticator prompts during today's investigation).
  • Notify Identity / M365 admin and the on-call SOC lead with a timeline of containment steps.
  • Hold external comms for now: the finance tickets were read, but nothing in the evidence shows data or accounts being modified. Escalate if the ticket audit shows a reset or delegate change performed through the helpdesk workflow.

Dangerous actions to avoid

  • Do not approve any additional push prompts to test the account.
  • Do not rely on a password reset alone to end the session; pair it with explicit session / refresh-token revocation, and remember that access tokens already issued keep working until they expire.
  • Do not wipe Yu-jin's laptop or phone before investigation; the compromise was server-side, not local.
  • Do not share the new password over chat or email — re-deliver via a secure channel.

How to improve next time

  • Push fatigue defeats MFA as a control, not as a primitive — the upgrade is number-matching MFA or FIDO2, not `more MFA`.
  • An MFA-approved sign-in is still a compromise if it bypassed user intent — read the denied-then-approved pattern, not just the final SUCCESS row.
  • Privileged roles (helpdesk, IT admin, finance admin) deserve stronger MFA shapes and geofenced Conditional Access by default.
  • If a helpdesk account is compromised, assume the attacker may have used the helpdesk workflow to reset other users' passwords — audit the ticketing system, not just the identity log.
  • Always pair password reset with session / refresh-token revocation, then verify: a password change does not invalidate access tokens already issued, so the session established at 02:14 should be assumed live until the sign-in log shows 185.220.101.42 failing.
AI Tutor · Explains your result

This tutor explains your result. It does not change your score. Pick a question to see how the deterministic grading reached your verdict and where to focus next.

Generated deterministically from your graded result — no AI model was called.

Why did I get this score?

Your verdict was Fail at 7/100. That total is the sum of deterministic rubric points across 8 categories — each scores how much of its expected, ordered steps your answer covered, not an opinion about your writing. Your strongest coverage was Clarity & structure (70%). Points were held back mostly in Containment (0%), Attack understanding (0%), Investigation (0%).

Rubric focus · containment · attackUnderstanding · investigation
Next study step

Re-read the containment expectations for this scenario and list the concrete steps you missed.


What should I improve first?

Focus on Containment first — it is your weakest rubric area at 0% coverage and carries weight 20. For this scenario: Reset password AND revoke sessions / refresh tokens AND disable the account AND block the source IP — partial containment leaves the attacker session live.

Rubric focus · containment
Next study step

Rewrite your containment section as a short numbered checklist before your next attempt.


How does my answer compare to the model answer outline?

Compared with the model answer outline, the most useful sections to study are the ones matching your weak areas. Re-read the outline's containment, attack understanding, investigation guidance and check which listed points you did not cover. The outline is a high-level checklist of expected points — use it to find gaps, not to copy a finished answer.

Rubric focus · containment · attackUnderstanding · investigation
Next study step

Pick one model-answer section you missed and add its key points to your next response in your own words.


Which rubric area mattered most here?

Containment mattered most here: it carries the highest rubric weight (20), so coverage there moves your score the most. You covered 0% of it this time, worth 0 points.

Rubric focus · containment
Next study step

Prioritise the highest-weight categories first; make sure containment is fully addressed before lower-weight ones.


What should I study next?

Based on this attempt, study containment, attack understanding, investigation next. Coaching tip for this scenario: Push fatigue defeats MFA as a control, not as a primitive — the upgrade is number-matching MFA or FIDO2, not `more MFA`.

Rubric focus · containment · attackUnderstanding · investigation
Next study step

Push fatigue defeats MFA as a control, not as a primitive — the upgrade is number-matching MFA or FIDO2, not `more MFA`.
