From: Alice Johnson <alice.johnson@acme-corp.com>
To: soc@acme-corp.com
Date: 2026-04-19 09:42 UTC
Employee reported a suspicious 'CEO' email and entered credentials
Attempt 1 of 1 · cmqbdp39300000kyor3n2ojbn
Stay on Easy · Cybersecurity
4 signals are blocking advancement to Medium. Keep practicing at Easy until those areas stabilize. (Track: Cybersecurity)
Signals helping
- Dangerous action frequency. None in recent attempts
- Recent retry improvement trend. Score is improving (+11 pts on later attempts)
Signals blocking advancement
- Recent average score. 20 / 100 (need ≥ 75)
- Recent pass rate. 0 of 5 passed (need ≥ 66%)
- Rubric category coverage. 23% average (need ≥ 55%)
- Consistently weak rubric areas. Investigation, Attack understanding, Containment
```text
# Web Proxy (src=10.12.40.88 alice-wks)
09:21:04 GET  https://acme-corp-login[.]net/auth?u=alice 200 (TLS, cert: Let's Encrypt, age 3d)
09:21:39 POST https://acme-corp-login[.]net/auth/submit 302
09:21:40 GET  https://office.com/ 200

# Entra ID sign-in logs (user: alice.johnson@acme-corp.com)
09:22:11 SUCCESS IP 185.244.25.17 (Netherlands, hosting) UA: "python-requests/2.31" MFA: Not challenged (session token replay)
09:22:47 SUCCESS IP 185.244.25.17 App: Outlook Web Action: New-InboxRule "archive-all"
```
Name: alice.johnson@acme-corp.com
Type: Finance user account + workstation (alice-wks)
Owner: Finance Dept · Alice Johnson
Level: High
Containment: isolate the affected workstation from the network and disable the impacted user account to stop further misuse of the stolen credentials.
Investigation: review email gateway and authentication logs to determine whether the credentials were used to sign in and what was accessed. Preserve the phishing email, the message headers, and relevant logs as evidence before making changes.
Recovery: reset the user password, revoke active sessions, require MFA, and restore normal access after verification.
Communication: notify the security team, the affected employee, and management, and brief the help desk. Follow up with a phishing-awareness reminder to staff.
The response is missing several critical incident response steps. Review the rubric and try again. Score: 33/100. Strongest area: Clarity & structure (69%). Weakest area: Prioritization (0%) — expand this next time.
Where points came from
- Attack understanding: 1/3 · 5.0 / 15
- Asset impact: 2/3 · 6.7 / 10
- Prioritization: 0/2 · 0.0 / 10
- Containment: 1/5 · 4.0 / 20
- Investigation: 0/4 · 0.0 / 15
- Recovery: 2/3 · 6.7 / 10
- Evidence preservation: 1/3 · 3.3 / 10
- Clarity & structure: 1/2 · 6.9 / 10
Strengths
No category reached 70% coverage.
Missing / weak
- Attack understanding
- Prioritization
- Containment
- Investigation
- Evidence preservation
Dangerous actions detected
None detected in your response.
Learn from this attempt
Post-submission coaching for this scenario. Score and verdict are unchanged — these notes are for your next attempt.
Why points were deducted
- Investigation: 0% coverage
Use Entra sign-in logs, the mailbox audit log, and the proxy log to pin scope; confirm the `python-requests/2.31` UA from 185.244.25.17 and look for other victims of the same domain.
- Prioritization: 0% coverage
Declare a P1 confirmed compromise and explain why containment beats deep investigation in the first minutes.
- Containment: 20% coverage
Reset password AND revoke sessions / refresh tokens, disable the malicious inbox rule, and block `acme-corp-login[.]net` — partial containment leaves the attacker logged in.
Model answer outline
Alice (Finance) was lured by a fake CEO request, entered her credentials on acme-corp-login[.]net, and within a minute her session was replayed from 185.244.25.17 (Netherlands hosting, `python-requests/2.31`) without an MFA challenge. The attacker has already created an `archive-all` inbox rule on Outlook Web — this is an AiTM session-token theft, not just a stolen password.
Rated SEV-3 / P3. Treat as a P1 confirmed credential compromise on a Finance account: a malicious sign-in already succeeded.
- Treat as a P1 confirmed credential compromise on a Finance account: a malicious sign-in already succeeded.
- Containment-first: reset password, revoke active sessions, and review the inbox rule before any forensic deep-dive.
- Loop in the Identity / M365 admin and Finance management; this account touches sensitive workflows.
- Reset Alice's password and force sign-out everywhere (`Revoke-MgUserSignInSession`) so the stolen refresh token is invalidated.
- Disable the `archive-all` inbox rule and any new mailbox forwarding rule the attacker added.
- Block the phishing domain `acme-corp-login[.]net` and the malicious sign-in IP at proxy / Conditional Access; isolate the workstation if you suspect endpoint compromise.
- Pull the Entra ID sign-in logs around 09:22 UTC, confirm the `python-requests/2.31` session and the missing MFA challenge (token replay, not interactive sign-in).
- Audit Alice's mailbox for new inbox rules, auto-forward, OAuth grants, and any messages already auto-archived in the last hour.
- Cross-check the proxy log for other users who hit `acme-corp-login[.]net` and search the fleet for the same source IP / UA.
- Pull Alice's recent activity (file access, Teams DMs, sent items) so the impact statement is grounded in evidence, not assumption.
- Re-enable the account only after password reset, session revocation, and a clean device check.
- Enforce phishing-resistant MFA / Conditional Access for Finance users (and revisit the AiTM-resistant policy globally).
- Run a targeted phishing-awareness refresher and add `acme-corp-login[.]net`-style typosquats to user training examples.
- Preserve the original phishing email with full headers (.eml) before anyone deletes it from the mailbox.
- Export the Entra ID sign-in log, the mailbox audit log, and the proxy session for 185.244.25.17 / `acme-corp-login[.]net`.
- Capture screenshots / API exports of the malicious inbox rule before disabling it; record hashes / case ID in the ticket.
- Brief Alice and her manager on what happened, the actions taken, and what she should not do (do not click follow-up `verify your account` mail).
- Notify Identity / M365 admins and the on-call SOC lead with a short timeline of containment steps.
- Hold customer-comm unless investigation confirms data accessed via the mailbox; do not over-escalate before scope is known.
Dangerous actions to avoid
- Do not delete the reported phishing email — preserve it as evidence first.
- Do not just reset the password without revoking sessions — the stolen refresh token will keep working.
- Do not wipe Alice's laptop before forensic capture / triage.
- Do not share the new password over email or chat.
How to improve next time
- An MFA-protected tenant can still be breached by token replay — assume token theft any time `python-requests` or a hosting-IP appears in a sign-in log.
- Always pair password reset with session / refresh-token revocation; one without the other is a half-fix.
- Auto-created inbox rules (`archive-all`, hidden forwards) are a classic post-AiTM tell — check and preserve them before disabling.
- Preserve the original phishing email as .eml with full headers before users delete it.
- Treat the M365 identity, the workstation, and the mailbox as three separate surfaces; each may need its own containment step.
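The investigation steps in the model answer outline (confirm the scripted user agent and the missing MFA challenge, check for the new inbox rule, and find other users who hit the phishing domain) and the "assume token theft" lesson above can be reduced to a small triage script. The code below is an added example, not part of the scenario or the platform's own grading; the key=value log shape, the extra users bob and carol, and the indicator list are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample logs in key=value form mirroring the scenario's Entra ID
# sign-in and web-proxy entries. Alice's values are the scenario's; the bob and
# carol entries are invented to exercise the checks. The phishing domain is
# written undefanged here (the page shows it as acme-corp-login[.]net).
SIGNIN_LOG = """\
09:22:11 result=SUCCESS user=alice.johnson@acme-corp.com ip=185.244.25.17 ip_type=hosting ua="python-requests/2.31" mfa=not_challenged
09:22:47 result=SUCCESS user=alice.johnson@acme-corp.com ip=185.244.25.17 ip_type=hosting app="Outlook Web" action=New-InboxRule rule=archive-all
09:25:10 result=SUCCESS user=bob.lee@acme-corp.com ip=203.0.113.9 ip_type=corporate ua="Mozilla/5.0" mfa=satisfied
"""
PROXY_LOG = """\
09:21:04 src=10.12.40.88 user=alice method=GET url=https://acme-corp-login.net/auth?u=alice status=200
09:21:39 src=10.12.40.88 user=alice method=POST url=https://acme-corp-login.net/auth/submit status=302
09:30:12 src=10.12.40.91 user=carol method=GET url=https://acme-corp-login.net/auth?u=carol status=200
09:31:00 src=10.12.40.92 user=bob method=GET url=https://office.com/ status=200
"""
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
SCRIPTED_UA = ("python-requests", "curl/", "okhttp", "go-http-client")

def parse(line):
    """Turn 'k=v k="v v"' tokens into a dict (the leading timestamp is ignored)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def token_replay_indicators(signin_log):
    """Per-user tells that a SUCCESS entry is a replayed session token rather
    than an interactive sign-in: scripted user agent, hosting-provider IP,
    success with no MFA challenge, and an inbox rule created from that session."""
    hits = defaultdict(set)
    for line in signin_log.splitlines():
        e = parse(line)
        if e.get("result") != "SUCCESS":
            continue
        if e.get("ua", "").lower().startswith(SCRIPTED_UA):
            hits[e["user"]].add(f"scripted client {e['ua']} from {e['ip']}")
        if e.get("ip_type") == "hosting":
            hits[e["user"]].add(f"hosting-provider IP {e['ip']}")
        if e.get("mfa") == "not_challenged":
            hits[e["user"]].add("SUCCESS without MFA challenge (token replay)")
        if e.get("action") == "New-InboxRule":
            hits[e["user"]].add(f"new inbox rule {e.get('rule')}")
    return {user: sorted(tells) for user, tells in hits.items()}

def users_hitting_domain(proxy_log, domain):
    """Scope check: every proxy user who reached the phishing domain."""
    users = set()
    for line in proxy_log.splitlines():
        e = parse(line)
        if domain in e.get("url", ""):
            users.add(e["user"])
    return sorted(users)
```

Alice comes back with all four tells while bob's interactive, MFA-satisfied sign-in produces none, and the proxy pass shows carol also reached the phishing domain, which is the "other victims" check the outline asks for.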
AI Tutor
This tutor explains your result. It does not change your score. Pick a question to see how the deterministic grading reached your verdict and where to focus next.
Generated deterministically from your graded result — no AI model was called.
Why did I get this score?
Your verdict was Fail at 33/100. That total is the sum of deterministic rubric points across 8 categories — each scores how much of its expected, ordered steps your answer covered, not an opinion about your writing. Your strongest coverage was Clarity & structure (69%). Points were held back mostly in Investigation (0%), Prioritization (0%), Containment (20%).
Re-read the investigation expectations for this scenario and list the concrete steps you missed.
This tutor explains your existing result. It does not change your score, verdict, or grade. Generated deterministically from your graded result — no AI model was called.
What should I improve first?
Focus on Investigation first — it is your weakest rubric area at 0% coverage and carries weight 15. For this scenario: Use Entra sign-in logs, the mailbox audit log, and the proxy log to pin scope; confirm the `python-requests/2.31` UA from 185.244.25.17 and look for other victims of the same domain.
Rewrite your investigation section as a short numbered checklist before your next attempt.
How does my answer compare to the model answer outline?
Compared with the model answer outline, the most useful sections to study are the ones matching your weak areas. Re-read the outline's investigation, prioritization, containment guidance and check which listed points you did not cover. The outline is a high-level checklist of expected points — use it to find gaps, not to copy a finished answer.
Pick one model-answer section you missed and add its key points to your next response in your own words.
Which rubric area mattered most here?
Containment mattered most here: it carries the highest rubric weight (20), so coverage there moves your score the most. You covered 20% of it this time, worth 4 points.
Prioritise the highest-weight categories first; make sure containment is fully addressed before lower-weight ones.
What should I study next?
Based on this attempt, study investigation, prioritization, containment next. Coaching tip for this scenario: An MFA-protected tenant can still be breached by token replay — assume token theft any time `python-requests` or a hosting-IP appears in a sign-in log.