incident-response-trainer
Incident response training · Rule-based scoring
Incident

Finance employee scanned 'Free Parking Validation' QR poster in lobby — entered M365 credentials on look-alike page

Cybersecurity · Difficulty: Easy
QR Code Phishing · Difficulty: easy · High-value asset
Self-report: scanned a QR poster in the lobby, entered M365 credentials
From
Daniel Park <daniel.park@acme-corp.com>
To
soc@acme-corp.com
Date
2026-05-08 10:47 UTC
Hi SOC, I think I just got phished. Around 10:20 this morning I scanned a printed QR poster taped near the visitor parking sign-in counter. The poster said "Free Visitor Parking Validation — Scan QR to Validate" and looked official. The QR opened a short link in my work iPhone browser, which redirected to a Microsoft 365 sign-in page at m365-validate-acme[.]xyz. I entered my work email and password. The page returned a "thanks" screen and bounced me to office.com. There was no MFA challenge (I think my phone had a cached M365 session). I noticed the wrong domain about 15 minutes later when I looked back at my browser history. The poster is still on the lobby wall as of 10:42. Please advise. I have not changed my password yet — wanted to ask first. — Daniel (Finance)
Evidence
Mobile proxy log + Entra ID sign-in audit + lobby observation
# Corporate mobile proxy log (device=daniel-iphone, BYOD-enrolled)
10:21:08  GET   https://lnk.short-url[.]co/p9k2x                        302
10:21:09  GET   https://m365-validate-acme[.]xyz/auth?u=daniel          200  (TLS, cert: Let's Encrypt, age 6d)
10:21:47  POST  https://m365-validate-acme[.]xyz/auth/submit            302
10:21:48  GET   https://office.com/                                     200

# Phishing domain WHOIS / reputation
m365-validate-acme[.]xyz   registered 2026-05-02 (6 days ago)
                            ns: hosted on low-reputation provider, no MX
                            cert: Let's Encrypt, issued 2026-05-02

# Entra ID sign-in log (user: daniel.park@acme-corp.com)
10:43:22  FAILED  src=23.94.184.55 (US, hosting)  reason=ca_non_compliant_device
                  app: Outlook Web   MFA: Not challenged (request blocked at CA)
                  UA: Edge/Windows (distinct from daniel-iphone)

# Lobby observation (provided by reception lead)
- Poster taped on the wall to the right of the visitor parking sign-in counter.
- Reception did NOT authorize the poster; first noticed by morning shift at 09:30.
- Building CCTV shows an unidentified person in a navy jacket taping the poster up at 18:42 the previous evening.
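As an added triage example (not part of the scenario's own material), the snippet below correlates the proxy log and the Entra sign-in record above: a credential POST to a newly registered brand look-alike domain, followed within an hour by a sign-in attempt from an unrelated source, is enough to treat the account as compromised. The sample lines are transcribed from the evidence block; the domain-age table and the verdict thresholds are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample evidence, copied from the scenario (domains kept defanged).
PROXY_LOG = """\
10:21:08  GET   https://lnk.short-url[.]co/p9k2x                        302
10:21:09  GET   https://m365-validate-acme[.]xyz/auth?u=daniel          200
10:21:47  POST  https://m365-validate-acme[.]xyz/auth/submit            302
10:21:48  GET   https://office.com/                                     200
"""
SIGNIN_LOG = """\
10:43:22  FAILED  src=23.94.184.55 (US, hosting)  reason=ca_non_compliant_device
"""
# Assumed WHOIS lookup table (days since registration) taken from the WHOIS block.
DOMAIN_AGE_DAYS = {"m365-validate-acme[.]xyz": 6}
LEGIT_SUFFIXES = ("office.com", "microsoftonline.com", "acme-corp.com")

PROXY_RE = re.compile(r"(\d\d:\d\d:\d\d)\s+(GET|POST)\s+https?://([^/\s]+)(\S*)\s+(\d{3})")
SIGNIN_RE = re.compile(r"(\d\d:\d\d:\d\d)\s+(FAILED|SUCCESS)\s+src=(\S+)")

def _t(s):
    return datetime.strptime(s, "%H:%M:%S")

def triage(proxy_log, signin_log, window_min=60, young_days=30):
    """Return (verdict, findings) for one user's proxy + sign-in evidence."""
    findings, cred_post = [], None
    for ts, method, host, _path, _status in PROXY_RE.findall(proxy_log):
        # Brand keywords in the host but not one of our legitimate suffixes.
        lookalike = ("m365" in host or "acme" in host) and not host.endswith(LEGIT_SUFFIXES)
        young = DOMAIN_AGE_DAYS.get(host, 10**6) < young_days
        if method == "POST" and (lookalike or young):  # form submission = likely credentials
            cred_post = _t(ts)
            findings.append(f"credential POST to look-alike {host} at {ts} "
                            f"(registered {DOMAIN_AGE_DAYS.get(host)}d ago)")
    for ts, result, src in SIGNIN_RE.findall(signin_log):
        # Any sign-in from a new source shortly after the POST shows the creds are in use.
        if cred_post is not None and timedelta(0) <= _t(ts) - cred_post <= timedelta(minutes=window_min):
            mins = int((_t(ts) - cred_post).total_seconds() // 60)
            findings.append(f"{result} sign-in from {src} {mins} min after credential submission")
    if len(findings) >= 2:
        verdict = "CONFIRMED_CREDENTIAL_COMPROMISE"  # reset password, revoke sessions, block domain
    elif findings:
        verdict = "SUSPECTED"  # reset password, watch sign-ins
    else:
        verdict = "NO_INDICATORS"
    return verdict, findings
```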
Affected asset
Name
daniel.park@acme-corp.com
Type
Finance user account (Entra ID) + M365 mailbox + BYOD-enrolled iPhone
Owner
Finance Dept · Daniel Park
Level
High

Grading is rule-based. Response is compared against a pre-written rubric.