Beginner · SIEM · XDR

MFA Fatigue: The Notification Flood

In this guided walkthrough, you will step into the shoes of a SOC analyst investigating a modern identity-based attack. The threat landscape in 2026 has shifted: adversaries are no longer just 'breaking in'; they are logging in. You will analyze real-time identity signals, correlate disparate log sources across a hybrid cloud environment, and identify the markers of an MFA fatigue attack used by the FlowerStorm phishing kit. This scenario highlights the critical importance of behavioral analysis over simple IOC matching in an era of malware-free intrusions and compromised human identities.

30m · 6 tasks · 50 points · Free

Start this operation

Create your free account and begin immediately.

Get Early Access — Free

Free forever — no credit card required

Investigation Tasks

Complete each task by investigating alerts and submitting your findings.

Task 1: The Phishing Hook (5 points)

Start with the identity attack model: AiTM phishing captures credentials, while MFA fatigue tries to turn repeated push prompts into user approval. Review the primer so the authentication events make sense before investigating.

Flag format: SOC{...} (hint available)

Task 2: The MFA Fatigue Pattern (10 points)

Begin at the authentication layer. Review the burst of unsolicited MFA push activity and identify the MITRE technique that describes repeated MFA request generation used to wear down a user.

Flag format: SOC{...} (hint available)

Task 3: Identifying the Attack Tool (10 points)

Move from identity compromise to endpoint activity. In the XDR process tree for corp-wks-042, follow the attacker-controlled parent process to the child that launched lateral-movement tooling.

Flag format: SOC{...} (hint available)

Task 4: Lateral Movement Discovery (10 points)

Correlate the endpoint process tree with network telemetry. Use SMB activity from the compromised workstation to identify the MITRE lateral-movement technique represented by Windows admin-share access.

Flag format: SOC{...} (hint available)

Task 5: Mapping the Blast Radius (10 points)

Turn the lateral-movement pattern into scope. Compare denied and successful SMB attempts, then identify which workstation actually received an attacker session and staged activity.

Flag format: SOC{...} (hint available)

Task 6: Containment and Lessons Learned (5 points)

Review the full chain from phishing through MFA fatigue, endpoint foothold, lateral movement, and containment. Confirm the response steps that reduce account and host risk after an MFA fatigue compromise.

Flag format: SOC{...} (hint available)

6 tasks · 50 points total

Start investigation

Training Tools: SIEM, XDR

Skills You'll Build

  • Investigate realistic security alerts
  • SIEM log analysis
  • XDR log analysis
  • MITRE ATT&CK® technique identification
  • Triage decisions: escalate, investigate, or close
  • Evidence collection and documentation
  • Job-ready incident response methodology

Difficulty: Beginner. Ideal for newcomers to SOC operations. Guided investigation with clear indicators.

Prerequisites

  • No prior experience required
  • Familiarity with SIEM concepts
  • Familiarity with XDR concepts


More Operations

Beginner · SIEM

Credential Harvesting: The Lookalike Login

Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token. Foundational skills for SOC analysts in lookalike-domain analysis and identity-centric incident response.

40m · 50 pts

Beginner · SIEM

QR Code Phishing: Scan to Compromise

In this scenario, you will investigate a modern 'Quishing' (QR phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves — Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule — and choose the containment action that actually evicts them.

30m · 50 pts

Beginner · SIEM · XDR

ClickFix: The Fake CAPTCHA Trap

The ClickFix social engineering technique uses dialogue boxes containing fake error messages to trick victims into copying, pasting, and running malicious content. In this scenario, a user was targeted with a 'Verify You Are Human' CAPTCHA check that led to a significant endpoint compromise. You will analyze the 'paste-and-run' execution chain, investigate PowerShell activity initiated via the Windows Run dialog, and identify the deployment of an information stealer.

30m · 40 pts