incident-response-trainer
Incident response training · Rule-based scoring
Attempt report

Finance employee scanned 'Free Parking Validation' QR poster in lobby — entered M365 credentials on look-alike page

Cybersecurity · QR Code Phishing · Difficulty · Easy

Attempt 1 of 1 · cmqe9ngqu00000j2asgrz6gzb

Progress vs previous attempt

This is your first attempt for this scenario. Retry the scenario to generate a side-by-side comparison against your previous response.

Progression · Keep practicing

Stay on Easy · Cybersecurity

4 signals are blocking advancement to Medium. Keep practicing at Easy until those areas stabilize. (Track: Cybersecurity)

Track · Cybersecurity
Easy
Sample · 5 recent attempts · 2 positive · 4 blocking

Signals helping

  • Dangerous action frequency. None in recent attempts
  • Recent retry improvement trend. Score is improving (+11 pts on later attempts)

Signals blocking advancement

  • Recent average score. 20 / 100 (need ≥ 75)
  • Recent pass rate. 0 of 5 passed (need ≥ 66%)
  • Rubric category coverage. 23% average (need ≥ 55%)
  • Consistently weak rubric areas. Investigation, Attack understanding, Containment
Submission · what was sent and how you responded
QR Code Phishing · Difficulty · easy · High asset
Self-report: scanned a QR poster in the lobby, entered M365 credentials
From
Daniel Park <daniel.park@acme-corp.com>
To
soc@acme-corp.com
Date
2026-05-08 10:47 UTC
Hi SOC, I think I just got phished. Around 10:20 this morning I scanned a printed QR poster taped near the visitor parking sign-in counter. The poster said "Free Visitor Parking Validation — Scan QR to Validate" and looked official. The QR opened a short link in my work iPhone browser, which redirected to a Microsoft 365 sign-in page at m365-validate-acme[.]xyz. I entered my work email and password. The page returned a "thanks" screen and bounced me to office.com. There was no MFA challenge (I think my phone had a cached M365 session). I noticed the wrong domain about 15 minutes later when I looked back at my browser history. The poster is still on the lobby wall as of 10:42. Please advise. I have not changed my password yet — wanted to ask first. — Daniel (Finance)
Evidence
Mobile proxy log + Entra ID sign-in audit + lobby observation
# Corporate mobile proxy log (device=daniel-iphone, BYOD-enrolled)
10:21:08  GET   https://lnk.short-url[.]co/p9k2x                        302
10:21:09  GET   https://m365-validate-acme[.]xyz/auth?u=daniel          200  (TLS, cert: Let's Encrypt, age 6d)
10:21:47  POST  https://m365-validate-acme[.]xyz/auth/submit            302
10:21:48  GET   https://office.com/                                     200

# Phishing domain WHOIS / reputation
m365-validate-acme[.]xyz   registered 2026-05-02 (6 days ago)
                            ns: hosted on low-reputation provider, no MX
                            cert: Let's Encrypt, issued 2026-05-02

# Entra ID sign-in log (user: daniel.park@acme-corp.com)
10:43:22  FAILED  src=23.94.184.55 (US, hosting)  reason=ca_non_compliant_device
                  app: Outlook Web   MFA: Not challenged (request blocked at CA)
                  UA: Edge/Windows (distinct from daniel-iphone)

# Lobby observation (provided by reception lead)
- Poster taped on the wall to the right of the visitor parking sign-in counter.
- Reception did NOT authorize the poster; first noticed by morning shift at 09:30.
- Building CCTV shows an unidentified person in a navy jacket taping the poster up at 18:42 the previous evening.
Affected asset
Name
daniel.park@acme-corp.com
Type
Finance user account (Entra ID) + M365 mailbox + BYOD-enrolled iPhone
Owner
Finance Dept · Daniel Park
Level
High
Your submitted response
88 words
Immediately isolate the affected host from the network to contain the incident and preserve volatile evidence by capturing memory and disk images. Reset and rotate exposed credentials, revoke active sessions and tokens, and block the malicious sender and indicators at the email gateway and firewall. Investigate scope by reviewing authentication logs, mail logs, and endpoint telemetry to find affected accounts and lateral movement. Prioritize business-critical systems first. Recover by restoring validated known-good backups, then monitor for recurrence. Preserve all logs and evidence for post-incident review and notify stakeholders.
Final score
11 / 100
88 words submitted
Verdict · Fail

The response is missing several critical incident response steps. Review the rubric and try again. Score: 11/100. Strongest area: Clarity & structure (64%). Weakest area: Attack understanding (0%) — expand this next time.

Category breakdown

Where points came from

coverage × weight = points
  • Attack understanding · 0/3 · 0.0 / 15
  • Asset impact · 0/3 · 0.0 / 10
  • Prioritization · 1/2 · 5.0 / 10
  • Containment · 0/4 · 0.0 / 20
  • Investigation · 0/5 · 0.0 / 15
  • Recovery · 0/3 · 0.0 / 10
  • Evidence preservation · 0/3 · 0.0 / 10
  • Clarity & structure · 1/2 · 6.4 / 10

Strengths

No category reached 70% coverage.

Missing / weak

  • Attack understanding
  • Asset impact
  • Containment
  • Investigation
  • Recovery
  • Evidence preservation

Dangerous actions detected

None detected in your response.

Learning · Coaching

Learn from this attempt

Post-submission coaching for this scenario. Score and verdict are unchanged — these notes are for your next attempt.

Why points were deducted

  • Containment · 0% coverage

    Reset password AND revoke sessions AND block the phishing domain at proxy AND remove the poster (after photographing) — all four steps are needed.

  • Attack understanding · 0% coverage

    Name this as quishing / QR phishing and explain that the lure lives outside email — email URL filters never see it; the credential was harvested via a fake M365 page.

  • Investigation · 0% coverage

    Pull the corporate mobile proxy log to find other employees who hit the shortener or the phishing domain, audit Daniel's mailbox for follow-up persistence, and review CCTV for the poster timeline.

Model answer outline

From: Incident Response Lead (SOC on-call)
To: IT Leadership · Affected Asset Owner · On-call SOC
Subject: [SEV-3][INC-CYB-E11FE] Finance employee scanned 'Free Parking Validation' QR poster in lobby — entered M365 credentials on look-alike page — status update
Incident · INC-CYB-E11FE · SEV-3 / P3
Status · Investigating — containment in progress
Cybersecurity · QR Code Phishing · Easy
daniel.park@acme-corp.com · High criticality
Detected ~ 2026-05-08 10:47 UTC
Situation & summary

Daniel (Finance) scanned an unauthorized 'Free Parking Validation' QR poster in the office lobby at 10:21, was redirected through a shortener to a Microsoft 365 look-alike at m365-validate-acme[.]xyz, and entered his work credentials. The phishing domain is 6 days old, hosted on a low-reputation provider. An attacker sign-in attempt from 23.94.184.55 at 10:43 was blocked by Conditional Access (non-compliant device), but the credential is still in attacker hands. The poster was hung the previous evening by an unidentified person on CCTV.

Severity & priority

Rated SEV-3 / P3. Treat as a P1 credential compromise on a Finance account even though the attacker sign-in attempt was blocked at CA — the credential is already leaked and attempts will continue.

Prioritization & impact
  • Treat as a P1 credential compromise on a Finance account even though the attacker sign-in attempt was blocked at CA — the credential is already leaked and attempts will continue.
  • Containment-first: reset password, revoke sessions, block the phishing domain at the proxy.
  • Loop in Identity / M365 admin, Finance management, and Facilities / Reception (the poster is still on the wall).
Containment (actions taken / in progress)
  • Reset Daniel's password and force sign-out everywhere so the cached M365 session on the iPhone (and any other device) is invalidated.
  • Block `m365-validate-acme[.]xyz` and the `lnk.short-url[.]co/p9k2x` shortener at the corporate proxy / DNS resolver; add the phishing domain to threat intel feeds.
  • Photograph the poster in situ, then have Facilities remove it; do not let anyone else dispose of it without the photo.
Investigation (in progress)
  • Pull the corporate mobile proxy log for the last 24 hours and search for any other employee who hit `lnk.short-url[.]co/p9k2x` or `m365-validate-acme[.]xyz`.
  • Audit Entra ID sign-in logs tenant-wide for the attacker IP `23.94.184.55` or the same user agent (Edge/Windows) in the last 24 hours.
  • Check Daniel's mailbox for any new inbox rules, OAuth grants, or forwarding added in the last 30 minutes.
  • Review building CCTV for the previous evening (18:30–19:00) to identify the person who taped up the poster, and check other entrances for similar posters.
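As an added illustration of the proxy and sign-in sweep described in this Investigation list (not part of the trainer's model answer), the Python below parses log lines in the shape shown in the Evidence section and separates devices that merely opened the lure from those that submitted credentials; the priya-android and omar-iphone rows and the 198.51.100.7 sign-in are constructed sample data.

```python
import re
from collections import defaultdict
# Indicators from the evidence section, kept in the defanged form the report uses.
IOC_HOSTS = {"m365-validate-acme[.]xyz", "lnk.short-url[.]co"}
ATTACKER_IPS = {"23.94.184.55"}
PROXY_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(GET|POST)\s+(\S+)\s+(\d{3})")   # time method url status
SIGNIN_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\w+)\s+src=([\d.]+)")          # time result src=ip

def host_of(url):
    """Hostname of a URL; defanged '[.]' is left untouched so it matches IOC_HOSTS."""
    return url.split("://", 1)[-1].split("/", 1)[0].lower()

def proxy_hits(lines):
    """device -> [(time, method, host, status)] for requests to an IOC host.
    The device comes from '# ... (device=NAME ...)' comment lines, as in the report."""
    hits, device = defaultdict(list), "unknown"
    for line in lines:
        dev = re.search(r"device=([\w.-]+)", line) if line.startswith("#") else None
        if dev:
            device = dev.group(1)
            continue
        m = PROXY_RE.match(line.strip())
        if m and host_of(m.group(3)) in IOC_HOSTS:
            hits[device].append((m.group(1), m.group(2), host_of(m.group(3)), int(m.group(4))))
    return dict(hits)

def credential_posts(hits):
    """Devices that POSTed to the phishing host: their users need a reset, not just a warning."""
    return sorted(d for d, rows in hits.items()
                  if any(meth == "POST" and host == "m365-validate-acme[.]xyz" for _, meth, host, _ in rows))

def attacker_signins(lines):
    """Sign-in rows from a known attacker IP; a FAILED/blocked row still confirms the leak."""
    rows = [SIGNIN_RE.match(ln.strip()) for ln in lines]
    return [(m.group(1), m.group(2), m.group(3)) for m in rows if m and m.group(3) in ATTACKER_IPS]

# Constructed sample: Daniel's rows from the report plus two invented devices for the tenant sweep.
SAMPLE_PROXY = """# Corporate mobile proxy log (device=daniel-iphone, BYOD-enrolled)
10:21:08  GET   https://lnk.short-url[.]co/p9k2x                    302
10:21:09  GET   https://m365-validate-acme[.]xyz/auth?u=daniel      200
10:21:47  POST  https://m365-validate-acme[.]xyz/auth/submit        302
10:21:48  GET   https://office.com/                                 200
# Corporate mobile proxy log (device=priya-android)
10:33:02  GET   https://lnk.short-url[.]co/p9k2x                    302
10:33:03  GET   https://m365-validate-acme[.]xyz/auth?u=priya       200
# Corporate mobile proxy log (device=omar-iphone)
10:35:10  GET   https://office.com/                                 200""".splitlines()
SAMPLE_SIGNIN = ["10:43:22  FAILED  src=23.94.184.55 (US, hosting)  reason=ca_non_compliant_device",
                 "10:50:01  SUCCESS  src=198.51.100.7 (corp VPN)  reason=none"]
```

Devices that only fetched the shortener or landing page (priya-android here) still warrant a user check-in, because the proxy cannot see a credential typed into a page that was never submitted through it.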
Recovery & next steps
  • Re-enable Daniel's account after the password reset and session revocation; require interactive MFA at the next sign-in.
  • Post a building-wide notice that only Facilities / Reception may put up lobby signage, and brief reception on the poster-removal authority.
  • Run a targeted user-awareness reminder specifically on QR / quishing lures — the email-phishing training does not cover physical lures.
Evidence preservation
  • Photograph the poster in full and close-up of the QR before removing it; keep the original poster as physical evidence in the SOC evidence locker.
  • Export the corporate mobile proxy log entries for Daniel's device and the wider tenant search.
  • Export the Entra ID sign-in log row for the 10:43 attempt, including the CA-block reason.
  • Pull the CCTV clip showing the poster being hung and the morning shift first noticing it.
Stakeholder communication
  • Brief Daniel on what was done and what he should not do (do not enter credentials into any prompt that follows up; do not delete his browser history).
  • Notify the Finance lead, Identity / M365 admin, and the on-call SOC lead.
  • Notify Facilities and Reception so they remove the poster and brief lobby staff on unauthorized signage.
Do NOT
  • Do not throw away or remove the poster before photographing and preserving it as evidence.
  • Do not just tell Daniel `be careful next time` — the credential is already leaked.
  • Do not wipe Daniel's iPhone; no malware has been observed and the credential capture was server-side.
  • Do not share the new password over chat or email — re-deliver via a secure channel.
  • Do not propose `blocking QR codes` generically — block the destination domain at the proxy / DNS.

How to improve next time

  • Email URL filters do not catch out-of-band lures — posters, stickers, name tags, paper invoices are all outside their visibility.
  • Physical evidence (the poster itself) is part of the investigation chain — photograph in situ, then preserve, then remove.
  • BYOD devices touching M365 are inside the blast radius even if not enrolled in EDR — credential capture happens server-side.
  • A blocked sign-in attempt is still a credential leak — the attacker will try other vectors with the same password.
  • Quishing training is a distinct user-awareness module from email phishing training; the failure mode (trust of physical signage) is different.
AI Tutor

This tutor explains your result. It does not change your score. Pick a question to see how the deterministic grading reached your verdict and where to focus next.

Generated deterministically from your graded result — no AI model was called.

Why did I get this score?

Your verdict was Fail at 11/100. That total is the sum of deterministic rubric points across 8 categories — each scores how much of its expected, ordered steps your answer covered, not an opinion about your writing. Your strongest coverage was Clarity & structure (64%). Points were held back mostly in Containment (0%), Attack understanding (0%), Investigation (0%).

Rubric focus · containment · attackUnderstanding · investigation
Next study step

Re-read the containment expectations for this scenario and list the concrete steps you missed.

What should I improve first?

Focus on Containment first — it is your weakest rubric area at 0% coverage and carries weight 20. For this scenario: Reset password AND revoke sessions AND block the phishing domain at proxy AND remove the poster (after photographing) — all four steps are needed.

Rubric focus · containment
Next study step

Rewrite your containment section as a short numbered checklist before your next attempt.

How does my answer compare to the model answer outline?

Compared with the model answer outline, the most useful sections to study are the ones matching your weak areas. Re-read the outline's containment, attack understanding, investigation guidance and check which listed points you did not cover. The outline is a high-level checklist of expected points — use it to find gaps, not to copy a finished answer.

Rubric focus · containment · attackUnderstanding · investigation
Next study step

Pick one model-answer section you missed and add its key points to your next response in your own words.

Which rubric area mattered most here?

Containment mattered most here: it carries the highest rubric weight (20), so coverage there moves your score the most. You covered 0% of it this time, worth 0 points.

Rubric focus · containment
Next study step

Prioritise the highest-weight categories first; make sure containment is fully addressed before lower-weight ones.

What should I study next?

Based on this attempt, study containment, attack understanding, investigation next. Coaching tip for this scenario: Email URL filters do not catch out-of-band lures — posters, stickers, name tags, paper invoices are all outside their visibility.

Rubric focus · containment · attackUnderstanding · investigation
Next study step

Email URL filters do not catch out-of-band lures — posters, stickers, name tags, paper invoices are all outside their visibility.
