
MFA Fatigue: The Notification Flood
In this guided walkthrough, you will investigate a sophisticated identity-led intrusion. An attacker leveraged social engineering via Microsoft Teams and MFA push-bombing to 'log in' rather than 'break in'. You will analyze SIEM authentication patterns and XDR behavioral data to trace the attacker's path from a simple voice call to full environment compromise.
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
Identifying the Cloud Resource Transfer Technique
(15 points) An alert was triggered at 2026-03-14T11:00:00Z involving the unauthorized movement of resources within our cloud environment. You need to examine the security alerts for the Azure-AD-Tenant to identify how the attacker attempted to exfiltrate or transfer these resources to an external account.
Identifying the Initial Access Vector
(15 points) An alert was triggered for user l.smith involving a suspicious attachment. Investigate the XDR panel to determine how the attacker initially gained access to the workstation and find the mapped technique ID.
Identifying Suspicious Post-Exploitation Execution
(15 points) An automated alert triggered on corp-wks-102 indicating an unusual process execution following a login by l.smith. Investigate the message field in the SIEM panel to determine which command-line interpreter was used to initiate the script.
Investigating Suspicious Network Outbound
(15 points) At 2026-03-14T11:00:03.729Z, an alert was triggered for an unusual connection originating from l.smith's workstation. You need to review the raw log data to determine which external infrastructure was being communicated with during this event.
Identifying the Ransomware Technique
(15 points) An automated alert triggered at 2026-03-15T01:12:00Z indicating suspicious file modifications on corp-wks-550. You need to examine the XDR panel to determine which high-impact attack technique was automatically mapped by the detection engine.
Identify External Command and Control Connection
(15 points) An alert was triggered indicating potential unauthorized outbound traffic from l.smith's workstation. Investigate the XDR Timeline to identify the remote destination address involved in this network event.
6 tasks · 90 points total
Skills You'll Build
Ideal for newcomers to SOC operations. Guided investigation with clear indicators.
Prerequisites
- No prior experience required
- Familiarity with SIEM concepts
- Familiarity with XDR concepts
More Operations
ClickFix: The Fake CAPTCHA Trap
Investigate a modern 'ClickFix' social engineering attack where a user was tricked into executing a malicious PowerShell command via a fake CAPTCHA interface. You will analyze SIEM and XDR telemetry to trace the infection from the initial web lure to the deployment of an infostealer.
Phishing Investigation: ZipLine Supply Chain Campaign
Investigate a sophisticated social engineering campaign targeting manufacturing supply chains. You will analyze a 'reversed' phishing flow where attackers use 'Contact Us' forms to trick employees into initiating email conversations, leading to the deployment of the custom MixShell in-memory implant via DNS tunneling.
Credential Harvesting: The Lookalike Login
An investigation into a modern phishing campaign targeting critical infrastructure. You will analyze email headers for domain spoofing, identify 'Paste and Run' execution chains, and track the delivery of the LummaC2 information stealer through SIEM logs.