Credential Harvesting: The Lookalike Login
Investigate a sophisticated Tycoon2FA phishing campaign that successfully bypassed standard email security filters. You will analyze Microsoft 365 email headers, identify domain spoofing techniques using 'Reason 905' indicators, and trace the redirection chain to a phishing-as-a-service (PhaaS) landing page. This scenario provides foundational skills for SOC analysts in identifying advanced credential harvesting infrastructure.
Start this operation
Create your free account and begin immediately.
Get Early Access — FreeFree forever — no credit card required
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
Understanding Credential Harvesting
5Learn how Adversary-in-the-Middle phishing with lookalike domains works before investigating the incident.
The Phishing Domain
10Examine the SIEM logs to identify the primary phishing domain used in the attack against Alicia Rodriguez.
Tracing the Infrastructure
10Analyze SIEM network logs to identify the IP address hosting the credential harvesting infrastructure.
Secondary Phishing Domain
10Investigate SIEM logs to identify an additional phishing domain used as part of the attacker's infrastructure.
The Redirect Chain
10Uncover the redirect domain used by the phishing kit to route victims through the attack chain.
Containment
5Review the complete attack chain and understand the remediation steps for this credential harvesting compromise.
6 tasks · 50 points total
Start investigationTraining Tools
Skills You'll Build
Ideal for newcomers to SOC operations. Guided investigation with clear indicators.
Prerequisites
- No prior experience required
- Familiarity with SIEM concepts
Ready to investigate?
Create your free account and begin immediately.
Get Early Access — FreeFree forever — no credit card required
More Operations
View allScattered Spider: Identity-First Attack Chain
Investigate a high-sophistication intrusion by UNC3944 (Scattered Spider). This scenario simulates a multi-stage attack starting from social engineering and MFA fatigue, progressing through the exploitation of unmanaged edge devices, and culminating in a 'Bring Your Own Vulnerable Driver' (BYOVD) technique to blind kernel-level security agents. Analysts must correlate identity providers, cloud sign-ins, and deep endpoint forensics to reconstruct the timeline and identify the breakout speed of this financially motivated threat actor.
Fake Zoom to Ransomware: The Social Engineering Pipeline
In this advanced SOC simulation, you will investigate a multi-stage intrusion that began with a drive-by download of a trojanized Zoom installer. The attack progressed through several stages of loader execution, including d3f@ckloader and IDAT loader, eventually leading to the deployment of high-end C2 frameworks like Cobalt Strike and Brute Ratel. You must trace the attacker's path from the initial web-based compromise, through lateral movement via RDP tunneling and proxy tools, to the final mass-deployment of BlackSuit ransomware via enterprise management software. This scenario is based on real-world 2025 threat intelligence and requires deep analysis of SIEM, XDR, and Firewall telemetry to reconstruct the full kill chain.
Black Basta: Email Bomb to Encryption
Investigate a sophisticated Ransomware-as-a-Service (RaaS) campaign involving Black Basta and Cactus TTPs. This scenario tracks a multi-stage attack from initial social engineering via Microsoft Teams and Quick Assist to advanced persistence using DLL side-loading in OneDrive. You will analyze how attackers move from identity-based initial access to full domain compromise and ESXi virtualization host encryption. The investigation requires correlating evidence across SIEM logs, XDR process trees, and firewall traffic to uncover hidden C2 channels and data exfiltration patterns occurring during off-hours.