Phishing · Difficulty: easy · High asset
Hi SOC team,
About 20 minutes ago I received what looked like an email from our CEO asking me to review a confidential document. The link took me to a page that looked exactly like our Microsoft 365 login, so I entered my credentials. After I submitted, the page just redirected me to the real office.com.
I now think this was a phishing page. The URL I clicked was:
https://acme-corp-login[.]net/auth?u=alice
I have not told anyone else yet. I am still logged in at my laptop. Please advise on next steps.
— Alice (Finance)
Evidence
Proxy & M365 sign-in log excerpt
# Web Proxy (src=10.12.40.88 alice-wks)
09:21:04 GET https://acme-corp-login[.]net/auth?u=alice 200 (TLS, cert: Let's Encrypt, age 3d)
09:21:39 POST https://acme-corp-login[.]net/auth/submit 302
09:21:40 GET https://office.com/ 200
# Entra ID sign-in logs (user: alice.johnson@acme-corp.com)
09:22:11 SUCCESS IP 185.244.25.17 (Netherlands, hosting) UA: "python-requests/2.31" MFA: Not challenged (session token replay)
09:22:47 SUCCESS IP 185.244.25.17 App: Outlook Web Action: New-InboxRule "archive-all"
Affected asset
- Name: alice.johnson@acme-corp.com
- Type: Finance user account + workstation (alice-wks)
- Owner: Finance Dept · Alice Johnson
- Level: High
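
The sequence in the log excerpt above (a credential POST to a host outside the corporate login domains, then a successful sign-in with no MFA challenge from a scripted client, then a new inbox rule) can be written as a correlation check. This is an added example, not part of the scenario; the allow-list, the user-agent patterns and the 10-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the excerpt above (domain left defanged as logged).
PROXY = [
    "09:21:04 GET https://acme-corp-login[.]net/auth?u=alice 200 (TLS, cert: Let's Encrypt, age 3d)",
    "09:21:39 POST https://acme-corp-login[.]net/auth/submit 302",
    "09:21:40 GET https://office.com/ 200",
]
SIGNIN = [
    '09:22:11 SUCCESS IP 185.244.25.17 (Netherlands, hosting) UA: "python-requests/2.31" MFA: Not challenged (session token replay)',
    '09:22:47 SUCCESS IP 185.244.25.17 App: Outlook Web Action: New-InboxRule "archive-all"',
]
# Assumed tuning values for this example, not taken from the scenario:
TRUSTED = {"office.com", "login.microsoftonline.com"}   # hosts where a login POST is expected
SCRIPT_UA = re.compile(r"python-requests|curl|Go-http-client", re.I)
WINDOW = timedelta(minutes=10)                           # POST -> sign-in correlation window

def ts(line):  # leading HH:MM:SS timestamp, same-day logs assumed
    return datetime.strptime(line[:8], "%H:%M:%S")

def signals(event):
    """Return (signal, ip, detail) tuples for one Entra ID sign-in line."""
    m = re.search(r"IP (\S+)", event)
    ip = m.group(1) if m else "unknown"
    out = []
    if "MFA: Not challenged" in event:
        out.append(("mfa_not_challenged", ip, "no MFA prompt on success"))
    ua = re.search(r'UA: "([^"]*)"', event)
    if ua and SCRIPT_UA.search(ua.group(1)):
        out.append(("scripted_user_agent", ip, ua.group(1)))
    rule = re.search(r'New-InboxRule "([^"]*)"', event)
    if rule:
        out.append(("inbox_rule_created", ip, rule.group(1)))
    return out

def triage(proxy, signin):
    """Pair each POST to an untrusted host with risky sign-ins that follow within WINDOW."""
    findings = []
    for line in proxy:
        _, method, url, *_ = line.split()
        site = url.split("/")[2]  # kept defanged in the finding
        if method == "POST" and site.replace("[.]", ".") not in TRUSTED:
            hits = [s for ev in signin
                    if " SUCCESS " in ev and timedelta(0) <= ts(ev) - ts(line) <= WINDOW
                    for s in signals(ev)]
            if hits:
                findings.append({"site": site, "posted": line[:8], "signals": hits})
    return findings
```

Sign-ins that precede the POST or fall outside the window are ignored, so the check only fires on the submit-then-replay ordering seen in the excerpt.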