incident-response-trainer
Incident response training · Rule-based scoring
DemoCatalogDiagnosticHistoryDashboardCoach Notes
Attempt report

Employee reported a suspicious 'CEO' email and entered credentials

CybersecurityPhishingDifficulty · Easy

Attempt 1 of 1 · cmonxjo5q0001ic1g36s7e7uz

← All attempts↻ Retry this scenarioNew scenario
Progress vs previous attempt

This is your first attempt for this scenario. Retry the scenario to generate a side-by-side comparison against your previous response.

Progression · Keep practicing

Stay on Easy · Cybersecurity

4 signals are blocking advancement to Medium. Keep practicing at Easy until those areas stabilize. (Track: Cybersecurity)

Track · Cybersecurity
Easy
Sample · 5 recent attempts2 positive4 blocking

Signals helping

  • Dangerous action frequency. None in recent attempts
  • Recent retry improvement trend. Score is improving (+11 pts on later attempts)

Signals blocking advancement

  • Recent average score. 20 / 100 (need ≥ 75)
  • Recent pass rate. 0 of 5 passed (need ≥ 66%)
  • Rubric category coverage. 23% average (need ≥ 55%)
  • Consistently weak rubric areas. Investigation, Attack understanding, Containment
Submission · what was sent and how you responded
PhishingDifficulty · easyHigh asset
Suspicious email reported — possible phishing (CEO impersonation)
From
Alice Johnson <alice.johnson@acme-corp.com>
To
soc@acme-corp.com
Date
2026-04-19 09:42 UTC
Hi SOC team, About 20 minutes ago I received what looked like an email from our CEO asking me to review a confidential document. The link took me to a page that looked exactly like our Microsoft 365 login, so I entered my credentials. After I submitted, the page just redirected me to the real office.com. I now think this was a phishing page. The URL I clicked was: https://acme-corp-login[.]net/auth?u=alice I have not told anyone else yet. I am still logged in at my laptop. Please advise on next steps. — Alice (Finance)
Evidence
Proxy & M365 sign-in log excerpt
# Web Proxy (src=10.12.40.88 alice-wks)
09:21:04 GET https://acme-corp-login[.]net/auth?u=alice  200  (TLS, cert: Let's Encrypt, age 3d)
09:21:39 POST https://acme-corp-login[.]net/auth/submit  302
09:21:40 GET https://office.com/  200

# Entra ID sign-in logs (user: alice.johnson@acme-corp.com)
09:22:11  SUCCESS  IP 185.244.25.17 (Netherlands, hosting)  UA: "python-requests/2.31"  MFA: Not challenged (session token replay)
09:22:47  SUCCESS  IP 185.244.25.17  App: Outlook Web  Action: New-InboxRule "archive-all"
Affected asset
Name
alice.johnson@acme-corp.com
Type
Finance user account + workstation (alice-wks)
Owner
Finance Dept · Alice Johnson
Level
High
Your submitted response
101 words
Triage: Confirmed phishing report via headers and URL reputation. Containment: Disabled the affected user account, reset credentials, revoked active sessions and OAuth tokens, blocked the malicious URL at the proxy and email gateway. Investigation: Pulled mailbox audit logs for the user, searched for other recipients of the same lure, checked sign-in logs for anomalous IPs. Recovery: Re-enabled account after MFA re-enrollment and credential rotation. Evidence preservation: Captured the original .eml, sender headers, recipient list, and proxy logs to evidence storage. Communication: Notified the user, manager, and IR lead; logged ticket. Follow-up: Phishing-awareness reminder and rule tuning to catch the lure pattern.
Final score
40/ 100
101 words submitted
Verdict · Fail

The response is missing several critical incident response steps. Review the rubric and try again. Score: 40/100. Strongest area: Clarity & structure (71%). Weakest area: Prioritization (0%) — expand this next time.

Category breakdown

Where points came from

coverage × weight = points
  • Attack understanding1/3 · 5.0 / 15
  • Asset impact2/3 · 6.7 / 10
  • Prioritization0/2 · 0.0 / 10
  • Containment1/5 · 4.0 / 20
  • Investigation2/4 · 7.5 / 15
  • Recovery2/3 · 6.7 / 10
  • Evidence preservation1/3 · 3.3 / 10
  • Clarity & structure1/2 · 7.1 / 10

Strengths

  • Clarity & structure

Missing / weak

  • Attack understanding
  • Prioritization
  • Containment
  • Evidence preservation

Dangerous actions detected

None detected in your response.

Learning · Coaching

Learn from this attempt

Post-submission coaching for this scenario. Score and verdict are unchanged — these notes are for your next attempt.

Why points were deducted

  • Prioritization0% coverage

    Declare a P1 confirmed compromise and explain why containment beats deep investigation in the first minutes.

  • Containment20% coverage

    Reset password AND revoke sessions / refresh tokens, disable the malicious inbox rule, and block `acme-corp-login[.]net` — partial containment leaves the attacker logged in.

  • Attack understanding33% coverage

    Name this as adversary-in-the-middle / session-token replay (the 09:22 sign-in had no MFA challenge), not just `phishing for a password`.

Model answer outline

From: Incident Response Lead (SOC on-call)To: IT Leadership · Affected Asset Owner · On-call SOCSubject: [SEV-3][INC-CYB-EAD18] Employee reported a suspicious 'CEO' email and entered credentials — status update
Incident · INC-CYB-EAD18 · SEV-3 / P3Status · Investigating — containment in progressCybersecurity · Phishing · Easyalice.johnson@acme-corp.com · High criticalityDetected ~ 2026-04-19 09:42 UTC
Situation & summary

Alice (Finance) was lured by a fake CEO request, entered her credentials on acme-corp-login[.]net, and within a minute her session was replayed from 185.244.25.17 (Netherlands hosting, `python-requests/2.31`) without an MFA challenge. The attacker has already created an `archive-all` inbox rule on Outlook Web — this is an AiTM session-token theft, not just a stolen password.

Severity & priority

Rated SEV-3 / P3. Treat as a P1 confirmed credential compromise on a Finance account: a malicious sign-in already succeeded.

Prioritization & impact
  • Treat as a P1 confirmed credential compromise on a Finance account: a malicious sign-in already succeeded.
  • Containment-first: reset password, revoke active sessions, and review the inbox rule before any forensic deep-dive.
  • Loop in the Identity / M365 admin and Finance management; this account touches sensitive workflows.
Containment (actions taken / in progress)
  • Reset Alice's password and force sign-out everywhere (`Revoke-MgUserSignInSession`) so the stolen refresh token is invalidated.
  • Disable the `archive-all` inbox rule and any new mailbox forwarding rule the attacker added.
  • Block the phishing domain `acme-corp-login[.]net` and the malicious sign-in IP at proxy / Conditional Access; isolate the workstation if you suspect endpoint compromise.
Investigation (in progress)
  • Pull the Entra ID sign-in logs around 09:22 UTC, confirm the `python-requests/2.31` session and the missing MFA challenge (token replay, not interactive sign-in).
  • Audit Alice's mailbox for new inbox rules, auto-forward, OAuth grants, and any messages already auto-archived in the last hour.
  • Cross-check the proxy log for other users who hit `acme-corp-login[.]net` and search the fleet for the same source IP / UA.
  • Pull Alice's recent activity (file access, Teams DMs, sent items) so the impact statement is grounded in evidence, not assumption.
Recovery & next steps
  • Re-enable the account only after password reset, session revocation, and a clean device check.
  • Enforce phishing-resistant MFA / Conditional Access for Finance users (and revisit the AiTM-resistant policy globally).
  • Run a targeted phishing-awareness refresher and add `acme-corp-login[.]net`-style typosquats to user training examples.
Evidence preservation
  • Preserve the original phishing email with full headers (.eml) before anyone deletes it from the mailbox.
  • Export the Entra ID sign-in log, the mailbox audit log, and the proxy session for 185.244.25.17 / `acme-corp-login[.]net`.
  • Capture screenshots / API exports of the malicious inbox rule before disabling it; record hashes / case ID in the ticket.
Stakeholder communication
  • Brief Alice and her manager on what happened, the actions taken, and what she should not do (do not click follow-up `verify your account` mail).
  • Notify Identity / M365 admins and the on-call SOC lead with a short timeline of containment steps.
  • Hold customer-comm unless investigation confirms data accessed via the mailbox; do not over-escalate before scope is known.
Do NOT
  • Do not delete the reported phishing email — preserve it as evidence first.
  • Do not just reset the password without revoking sessions — the stolen refresh token will keep working.
  • Do not wipe Alice's laptop before forensic capture / triage.
  • Do not share the new password over email or chat.

Dangerous actions to avoid

  • Do not delete the reported phishing email — preserve it as evidence first.
  • Do not just reset the password without revoking sessions — the stolen refresh token will keep working.
  • Do not wipe Alice's laptop before forensic capture / triage.
  • Do not share the new password over email or chat.

How to improve next time

  • An MFA-protected tenant can still be breached by token replay — assume token theft any time `python-requests` or a hosting-IP appears in a sign-in log.
  • Always pair password reset with session / refresh-token revocation; one without the other is a half-fix.
  • Auto-created inbox rules (`archive-all`, hidden forwards) are a classic post-AiTM tell — check and preserve them before disabling.
  • Preserve the original phishing email as .eml with full headers before users delete it.
  • Treat the M365 identity, the workstation, and the mailbox as three separate surfaces; each may need its own containment step.
AI · Supplemental review

Request an AI review of this attempt

This AI review is supplemental coaching. It does not change your official score or verdict. The review is only kept for this page session and is not saved permanently.

Review language
AI Tutor · Explains your result

AI Tutor

This tutor explains your result. It does not change your score. Pick a question to see how the deterministic grading reached your verdict and where to focus next.

Generated deterministically from your graded result — no AI model was called.

Why did I get this score?

Your verdict was Fail at 40/100. That total is the sum of deterministic rubric points across 8 categories — each scores how much of its expected, ordered steps your answer covered, not an opinion about your writing. Your strongest coverage was Clarity & structure (71%). Points were held back mostly in Prioritization (0%), Containment (20%), Attack understanding (33%).

Rubric focusprioritizationcontainmentattackUnderstanding
Next study step

Re-read the prioritization expectations for this scenario and list the concrete steps you missed.

This tutor explains your existing result. It does not change your score, verdict, or grade. Generated deterministically from your graded result — no AI model was called.

What should I improve first?

Focus on Prioritization first — it is your weakest rubric area at 0% coverage and carries weight 10. For this scenario: Declare a P1 confirmed compromise and explain why containment beats deep investigation in the first minutes.

Rubric focusprioritization
Next study step

Rewrite your prioritization section as a short numbered checklist before your next attempt.

This tutor explains your existing result. It does not change your score, verdict, or grade. Generated deterministically from your graded result — no AI model was called.

How does my answer compare to the model answer outline?

Compared with the model answer outline, the most useful sections to study are the ones matching your weak areas. Re-read the outline's prioritization, containment, attack understanding guidance and check which listed points you did not cover. The outline is a high-level checklist of expected points — use it to find gaps, not to copy a finished answer.

Rubric focusprioritizationcontainmentattackUnderstanding
Next study step

Pick one model-answer section you missed and add its key points to your next response in your own words.

This tutor explains your existing result. It does not change your score, verdict, or grade. Generated deterministically from your graded result — no AI model was called.

Which rubric area mattered most here?

Containment mattered most here: it carries the highest rubric weight (20), so coverage there moves your score the most. You covered 20% of it this time, worth 4 points.

Rubric focuscontainment
Next study step

Prioritise the highest-weight categories first; make sure containment is fully addressed before lower-weight ones.

This tutor explains your existing result. It does not change your score, verdict, or grade. Generated deterministically from your graded result — no AI model was called.

What should I study next?

Based on this attempt, study prioritization, containment, attack understanding next. Coaching tip for this scenario: An MFA-protected tenant can still be breached by token replay — assume token theft any time `python-requests` or a hosting-IP appears in a sign-in log.

Rubric focusprioritizationcontainmentattackUnderstanding
Next study step

An MFA-protected tenant can still be breached by token replay — assume token theft any time `python-requests` or a hosting-IP appears in a sign-in log.

This tutor explains your existing result. It does not change your score, verdict, or grade. Generated deterministically from your graded result — no AI model was called.

Coach Notes

Open full notebook →

Save study notes for this attempt. They also collect in your mistake notebook.

Loading notes…