
Credential Harvesting: The Lookalike Login
Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token. The operation builds foundational SOC-analyst skills in lookalike-domain analysis and identity-centric incident response.
Start this operation
Create your free account and begin immediately.
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
Understanding Credential Harvesting
5 points · Start with the concept before touching the logs: AiTM phishing proxies a real sign-in flow, captures credentials and session material, then lets the attacker act as an already-authenticated user. Read the setup and confirm what evidence proves this is more than simple password theft.
The Phishing Domain
10 points · Two suspicious messages were delivered to alicia.rodriguez, and our gateway flagged one of them. Examine the SIEM email-gateway and DNS logs to identify the primary phishing domain — the lookalike that mimics a legitimate Microsoft sign-in page.
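The kind of check that backs this task, as an added example rather than code from the training platform: it walks DNS query lines, undoes common homoglyph substitutions, and measures edit distance between each queried name's tokens and the brand names we protect. The key=value log format, the domains, the user names, the brand list and the thresholds are all constructed assumptions for illustration.

```python
"""Lookalike-domain triage over constructed DNS log lines.

Added example, not the training platform's own code. It normalises common
homoglyph substitutions, splits each queried name into tokens, and measures
edit distance between those tokens and the brand names we protect. The log
format, domains, user names, brand list and thresholds are all constructed.
"""
import re

# Brand tokens that should only appear under the tenant's legitimate domains
# (assumption: users sign in at microsoftonline.com / microsoft.com).
BRAND_TOKENS = ("microsoftonline", "microsoft")
ALLOWLIST = {"microsoftonline.com", "microsoft.com", "live.com"}

# Character substitutions commonly used to imitate a brand name.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
MAX_DISTANCE = 2       # flag tokens within this edit distance of a brand
MIN_TOKEN_LEN = 6      # ignore short tokens that would match brands by accident

# Constructed DNS telemetry in a simple key=value format (not real traffic).
SAMPLE_DNS_LOG = """\
2025-03-11T09:14:22Z client=10.20.4.17 user=alicia.rodriguez qname=login-micr0soft-online.com qtype=A
2025-03-11T09:14:25Z client=10.20.4.17 user=alicia.rodriguez qname=login.microsoftonline.com qtype=A
2025-03-11T09:16:03Z client=10.20.4.17 user=alicia.rodriguez qname=login.rnicrosoft.com qtype=A
2025-03-11T10:02:41Z client=10.20.7.92 user=second.employee qname=m1crosoftonline.com qtype=A
2025-03-11T10:05:10Z client=10.20.7.92 user=second.employee qname=example.org qtype=A
"""
LOG_RE = re.compile(r"user=(?P<user>\S+)\s+qname=(?P<qname>\S+)")


def normalise(token: str) -> str:
    """Undo the substitutions an attacker relies on the eye glossing over."""
    token = token.lower()
    for src, dst in HOMOGLYPHS:
        token = token.replace(src, dst)
    return token


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(fqdn: str) -> str:
    """Naive 'last two labels'; adequate for the .com/.org sample data here."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def candidate_tokens(fqdn: str) -> set:
    """Dot- and hyphen-separated tokens of the name (minus TLD) plus their
    concatenations, so 'micr0soft-online' is also compared as 'microsoftonline'."""
    labels = fqdn.lower().rstrip(".").split(".")[:-1]
    tokens = [normalise(t) for lab in labels for t in lab.split("-") if t]
    cands = set()
    for n in (1, 2, 3):
        for i in range(len(tokens) - n + 1):
            cands.add("".join(tokens[i:i + n]))
    return cands


def score_domain(fqdn: str):
    """Return (verdict, best_distance, matched_brand)."""
    if registrable_domain(fqdn) in ALLOWLIST:
        return ("allowlisted", 0, None)
    best_d, best_brand = None, None
    for cand in candidate_tokens(fqdn):
        if len(cand) < MIN_TOKEN_LEN:
            continue
        for brand in BRAND_TOKENS:
            d = levenshtein(cand, brand)
            if best_d is None or d < best_d:
                best_d, best_brand = d, brand
    if best_d is not None and best_d <= MAX_DISTANCE:
        return ("lookalike", best_d, best_brand)
    return ("benign", best_d, None)


def triage(log_text: str):
    """Walk the DNS log and return every lookalike query with the user who made it."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        verdict, dist, brand = score_domain(m["qname"])
        if verdict == "lookalike":
            hits.append({"user": m["user"], "qname": m["qname"], "distance": dist, "brand": brand})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_DNS_LOG):
        print(f"{hit['user']:18} {hit['qname']:30} d={hit['distance']} ~ {hit['brand']}")
```

Running it lists the three lookalike queries and skips both the allowlisted legitimate sign-in domain and the unrelated example.org lookup. The allowlist check comes first on purpose: a legitimate domain will always be "distance 0" from its own brand, so without it the detector would page on every real sign-in.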
Tracing the Infrastructure
10 points · Now map where the lookalike page was served from. After the redirect chain resolves, review SIEM network and DNS activity for Alicia’s browser and identify the external IP hosting the credential-harvesting infrastructure.
Secondary Phishing Domain
5 points · Expand from Alicia to campaign scope. Search the email-gateway and DNS telemetry for the same phishing pattern against other employees, then identify the additional domain the actor used in the secondary wave.
The Redirect Chain
5 points · Reconstruct the URL path that hid the phishing kit. Follow the first-hop link through the HTTP redirect sequence and identify the intermediary domain that handed the victim to the lookalike login page.
Confirming the Compromise: Azure AD Sign-In Analysis
10 points · Analyze Azure AD sign-in logs to confirm the account takeover and identify the operating system the attacker used to replay alicia.rodriguez's stolen session.
Containment
5 points · Close the case by choosing containment for token theft, not just password exposure. Review the confirmed infrastructure, impossible-travel sign-in, and active session risk, then select the action that evicts the attacker from existing access.
7 tasks · 50 points total
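The two sign-in signals the "Confirming the Compromise" and "Containment" tasks turn on, impossible travel and a reused session identifier, as an added example that is not the training platform's own code. The record shape (user, time, ip, lat, lon, session_id, os, interactive) is an assumption standing in for a SIEM sign-in table that GeoIP enrichment has already annotated with coordinates; every IP, timestamp, session id and user below is constructed.

```python
"""Impossible-travel and session-replay checks over constructed Azure AD
sign-in records.

Added example, not the training platform's own code. The record shape is an
assumption for a GeoIP-enriched sign-in table; all values are constructed.
"""
from datetime import datetime, timezone
from itertools import groupby
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # about airliner speed; faster than this is 'impossible'
MIN_DISTANCE_KM = 50.0      # ignore GeoIP jitter between nearby sign-ins

SIGNINS = [
    # Victim's normal interactive sign-in from the office (constructed, Chicago).
    {"user": "alicia.rodriguez", "time": "2025-03-11T09:20:00Z", "ip": "198.51.100.23",
     "lat": 41.8781, "lon": -87.6298, "session_id": "sess-a1", "os": "Windows 10", "interactive": True},
    # Same session id reused minutes later from Amsterdam on a different OS,
    # non-interactively: the captured session token being replayed.
    {"user": "alicia.rodriguez", "time": "2025-03-11T09:31:00Z", "ip": "203.0.113.77",
     "lat": 52.3676, "lon": 4.9041, "session_id": "sess-a1", "os": "Linux", "interactive": False},
    # Control case: a colleague who genuinely travelled Chicago -> New York.
    {"user": "second.employee", "time": "2025-03-11T08:00:00Z", "ip": "198.51.100.40",
     "lat": 41.8781, "lon": -87.6298, "session_id": "sess-b1", "os": "Windows 10", "interactive": True},
    {"user": "second.employee", "time": "2025-03-11T11:15:00Z", "ip": "198.51.100.41",
     "lat": 40.7128, "lon": -74.0060, "session_id": "sess-b2", "os": "Windows 10", "interactive": True},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance on a 6371 km sphere."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(signins):
    """Flag consecutive sign-ins per user whose implied speed exceeds the cap."""
    findings = []
    rows = sorted(signins, key=lambda r: (r["user"], parse_ts(r["time"])))
    for user, group in groupby(rows, key=lambda r: r["user"]):
        group = list(group)
        for a, b in zip(group, group[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            if km < MIN_DISTANCE_KM:
                continue
            hours = (parse_ts(b["time"]) - parse_ts(a["time"])).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > MAX_PLAUSIBLE_KMH:
                findings.append({
                    "user": user, "from_ip": a["ip"], "to_ip": b["ip"],
                    "km": round(km), "hours": round(hours, 2), "kmh": round(kmh),
                    "session_reused": a["session_id"] == b["session_id"],
                })
    return findings


def session_replay(signins):
    """One session id seen from several IPs or OS families: the token was
    presented by a second device, which a password reset alone does not revoke."""
    by_session = {}
    for r in signins:
        by_session.setdefault(r["session_id"], []).append(r)
    findings = []
    for sid, rows in by_session.items():
        ips = sorted({r["ip"] for r in rows})
        oses = sorted({r["os"] for r in rows})
        if len(ips) > 1 or len(oses) > 1:
            findings.append({"session_id": sid, "user": rows[0]["user"], "ips": ips, "os": oses})
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SIGNINS):
        print("impossible travel:", f)
    for f in session_replay(SIGNINS):
        print("session replay:", f)
```

The control user shows why the speed cap matters: roughly 1,150 km in just over three hours is ordinary air travel and stays quiet, while the victim's 6,600 km in eleven minutes is not. The session-replay finding is the evidence that distinguishes token theft from a leaked password: the second sign-in did not authenticate at all, it presented an already-valid session from a different OS, so containment has to invalidate that session rather than only rotate the credential.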
Skills You'll Build
Ideal for newcomers to SOC operations. Guided investigation with clear indicators.
Prerequisites
- No prior experience required
- Familiarity with SIEM concepts
More Operations
QR Code Phishing: Scan to Compromise
In this scenario, you will investigate a modern 'Quishing' (QR phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves — Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule — and choose the containment action that actually evicts them.
ClickFix: The Fake CAPTCHA Trap
The ClickFix social engineering technique uses dialogue boxes containing fake error messages to trick victims into copying, pasting, and running malicious content. In this scenario, a user was targeted with a 'Verify You Are Human' CAPTCHA check that led to a significant endpoint compromise. You will analyze the 'paste-and-run' execution chain, investigate PowerShell activity initiated via the Windows Run dialog, and identify the deployment of an information stealer.
MFA Fatigue: The Notification Flood
In this guided walkthrough, you will step into the shoes of a SOC analyst investigating a modern identity-based attack. The threat landscape in 2026 has shifted: adversaries are no longer just 'breaking in'—they are logging in. You will analyze real-time identity signals, correlate disparate log sources across a hybrid cloud environment, and identify the markers of an MFA fatigue attack used by the FlowerStorm phishing kit. This scenario highlights the critical importance of behavioral analysis over simple IOC matching in an era of malware-free intrusions and compromised human identities.