incident-response-trainer
Mock scenarios · Rule-based grading
Incident

Helpdesk tech approved MFA push at 02:14 UTC after a flood of prompts — Singapore sign-in now active

Cybersecurity · Difficulty: Easy
MFA Fatigue / Push Bombing · Difficulty: Easy · Asset level: High
Suspicious sign-in on helpdesk account — possible MFA fatigue compromise
From
Min-jae Choi <min-jae.choi@acme-corp.com>
To
soc@acme-corp.com
Date
2026-05-12 06:18 UTC
Hi SOC,

Reporting a suspicious sign-in on one of our helpdesk accounts. When the morning shift opened the queue at 06:00 UTC, we noticed Yu-jin's account (yu-jin.kim@acme-corp.com) had a successful interactive sign-in from Singapore at 02:14 UTC. She lives in Seoul and was off-shift at that time.

I just spoke to Yu-jin. She says her Authenticator app started receiving push prompts around 02:00, one every ~30 seconds. She denied ~10 of them, silenced her phone, then woke up to more prompts and tapped Approve at 02:14 "to make them stop." She went back to sleep and did not report it.

The helpdesk audit log shows her account read several finance tickets (HD-9821, HD-9847, HD-9852) between 02:18 and 03:09 UTC, including tickets with password reset history.

Please advise on next steps. The account is still active.

— Min-jae (Helpdesk Lead)
Evidence
Entra ID sign-in log + helpdesk audit trail (02:00–03:30 UTC)
# Entra ID sign-in log (user: yu-jin.kim@acme-corp.com)
01:58:14  DENIED   src=185.220.101.42 (Singapore, hosting)  reason=mfa_denied  UA: Edge/Windows
01:58:46  DENIED   src=185.220.101.42  reason=mfa_denied
01:59:18  DENIED   src=185.220.101.42  reason=mfa_denied
... (8 more denials through 02:13)
02:14:07  SUCCESS  src=185.220.101.42  MFA: Authenticator push (approved)  app: Helpdesk Web Portal
02:18:33  SUCCESS  src=185.220.101.42  app: Helpdesk Web Portal  (session continues)

# Helpdesk ticketing audit (user: yu-jin.kim, src=185.220.101.42)
02:18:41  READ     ticket HD-9821 (subject: "Finance VP password reset 2026-04")
02:24:55  READ     ticket HD-9847 (subject: "Treasury account MFA re-enroll")
02:31:09  READ     ticket HD-9852 (subject: "CFO mailbox delegate change")
03:08:47  SEARCH   query: "password reset finance"

# Yu-jin's typical sign-in pattern (last 30d, for comparison)
- IPs: KR/Seoul home ISP (~94%), KR/Seoul mobile (5%), corp egress (1%)
- Devices: corp Windows laptop + iPhone Authenticator
- Working hours: 09:00–18:00 KST (00:00–09:00 UTC) on weekdays
Affected asset
Name
yu-jin.kim@acme-corp.com
Type
Helpdesk technician account (Entra ID) + helpdesk ticketing access
Owner
IT Service Desk · Yu-jin Kim
Level
High
Grading is rule-based. Response is compared against a pre-written rubric.