Beginner · SIEM

Credential Harvesting: The Lookalike Login

Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token. Foundational skills for SOC analysts in lookalike-domain analysis and identity-centric incident response.

40m · 7 tasks · 50 points · Free


Investigation Tasks

Complete each task by investigating alerts and submitting your findings.

1. Understanding Credential Harvesting (5 points)

Start with the concept before touching the logs: AiTM phishing proxies a real sign-in flow, captures credentials and session material, then lets the attacker act as an already-authenticated user. Read the setup and confirm what evidence proves this is more than simple password theft.

2. The Phishing Domain (10 points)

Two suspicious messages were delivered to alicia.rodriguez, and our gateway flagged one of them. Examine the SIEM email-gateway and DNS logs to identify the primary phishing domain — the lookalike that mimics a legitimate Microsoft sign-in page.

3. Tracing the Infrastructure (10 points)

Now map where the lookalike page was served from. After the redirect chain resolves, review SIEM network and DNS activity for Alicia’s browser and identify the external IP hosting the credential-harvesting infrastructure.

4. Secondary Phishing Domain (5 points)

Expand from Alicia to campaign scope. Search the email-gateway and DNS telemetry for the same phishing pattern against other employees, then identify the additional domain the actor used in the secondary wave.

5. The Redirect Chain (5 points)

Reconstruct the URL path that hid the phishing kit. Follow the first-hop link through the HTTP redirect sequence and identify the intermediary domain that handed the victim to the lookalike login page.

6. Confirming the Compromise: Azure AD Sign-In Analysis (10 points)

Analyze Azure AD sign-in logs to confirm the account takeover and identify the operating system the attacker used to replay alicia.rodriguez's stolen session.

7. Containment (5 points)
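Not part of the operation's materials: an added Python sketch of the two checks Task 6 asks for, impossible travel between consecutive sign-ins and a session ID replayed from a different IP and operating system, run over constructed sign-in records (user names, IPs, coordinates, timestamps and field names are all assumptions, not the Azure AD schema).

```python
"""Impossible-travel and session-replay checks over constructed sign-in records.
Field names loosely mirror Azure AD sign-in logs but are assumptions."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample: Alicia authenticates from Madrid, then 39 minutes later
# the same session ID is used from another country, IP and operating system.
SIGNINS = [
    {"user": "alicia.rodriguez", "time": "2024-05-06T08:02:00Z", "ip": "203.0.113.7",
     "lat": 40.42, "lon": -3.70, "os": "Windows 10", "session": "sess-a1"},
    {"user": "alicia.rodriguez", "time": "2024-05-06T08:41:00Z", "ip": "198.51.100.22",
     "lat": 55.75, "lon": 37.62, "os": "Linux", "session": "sess-a1"},
    {"user": "ben.ortiz", "time": "2024-05-06T09:00:00Z", "ip": "203.0.113.9",
     "lat": 40.42, "lon": -3.70, "os": "macOS", "session": "sess-b1"},
]

def _ts(s):
    return datetime.strptime(s["time"], "%Y-%m-%dT%H:%M:%SZ")

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(signins, max_kmh=900.0):
    """Per user, compare consecutive sign-ins and flag any pair whose implied
    ground speed exceeds max_kmh (roughly airliner speed)."""
    by_user = {}
    for s in sorted(signins, key=_ts):
        by_user.setdefault(s["user"], []).append(s)
    findings = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            hours = (_ts(cur) - _ts(prev)).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                findings.append((user, prev["ip"], cur["ip"], round(speed)))
    return findings

def session_replay(signins):
    """Flag a session ID reappearing from a different IP or OS than the sign-in
    that first established it: the signature of a replayed stolen token."""
    origin, findings = {}, []
    for s in sorted(signins, key=_ts):
        first = origin.setdefault(s["session"], s)
        if first is not s and (s["ip"] != first["ip"] or s["os"] != first["os"]):
            findings.append((s["user"], s["session"], first["os"], s["os"], s["ip"]))
    return findings
```

The replay finding carries the origin OS next to the replaying OS, which is the pivot the task asks for; a password reset alone leaves the replayed session valid.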

Close the case by choosing containment for token theft, not just password exposure. Review the confirmed infrastructure, impossible-travel sign-in, and active session risk, then select the action that evicts the attacker from existing access.


7 tasks · 50 points total


Skills You'll Build

  • Investigate realistic security alerts
  • SIEM log analysis
  • MITRE ATT&CK® technique identification
  • Triage decisions: escalate, investigate, or close
  • Evidence collection and documentation
  • Job-ready incident response methodology
Beginner

Ideal for newcomers to SOC operations. Guided investigation with clear indicators.

Prerequisites

  • No prior experience required
  • Familiarity with SIEM concepts


More Operations

Beginner · SIEM

QR Code Phishing: Scan to Compromise

In this scenario, you will investigate a modern 'Quishing' (QR phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves — Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule — and choose the containment action that actually evicts them.

30m · 50 pts
Beginner · SIEM · XDR

ClickFix: The Fake CAPTCHA Trap

The ClickFix social engineering technique uses dialogue boxes containing fake error messages to trick victims into copying, pasting, and running malicious content. In this scenario, a user was targeted with a 'Verify You Are Human' CAPTCHA check that led to a significant endpoint compromise. You will analyze the 'paste-and-run' execution chain, investigate PowerShell activity initiated via the Windows Run dialog, and identify the deployment of an information stealer.

30m · 40 pts
Beginner · SIEM · XDR

MFA Fatigue: The Notification Flood

In this guided walkthrough, you will step into the shoes of a SOC analyst investigating a modern identity-based attack. The threat landscape in 2026 has shifted: adversaries are no longer just 'breaking in'—they are logging in. You will analyze real-time identity signals, correlate disparate log sources across a hybrid cloud environment, and identify the markers of an MFA fatigue attack used by the FlowerStorm phishing kit. This scenario highlights the critical importance of behavioral analysis over simple IOC matching in an era of malware-free intrusions and compromised human identities.

30m · 50 pts