
MFA Fatigue: The Notification Flood
In this guided walkthrough, you will step into the shoes of a SOC analyst investigating a modern identity-based attack. The threat landscape in 2026 has shifted: adversaries are no longer just 'breaking in'—they are logging in. You will analyze real-time identity signals, correlate disparate log sources across a hybrid cloud environment, and identify the markers of an MFA fatigue attack used by the FlowerStorm phishing kit. This scenario highlights the critical importance of behavioral analysis over simple IOC matching in an era of malware-free intrusions and compromised human identities.
Start this operation
Create your free account and begin immediately.
Get Early Access — Free (free forever, no credit card required)
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
The Phishing Hook
5 points · Start with the identity attack model: AiTM phishing captures credentials, while MFA fatigue tries to turn repeated push prompts into user approval. Review the primer so the authentication events make sense before investigating.
The MFA Fatigue Pattern
10 points · Begin at the authentication layer. Review the burst of unsolicited MFA push activity and identify the MITRE technique that describes repeated MFA request generation used to wear down a user.
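The pattern this task asks you to recognise is easy to state and easy to miss in a raw sign-in feed: many push prompts to one user in a short window, most of them refused, and then an approval. The following detector is an added example, not part of the training scenario or the platform's tooling; the event shape, the result labels and the sample events are constructed for illustration and need to be mapped onto the fields of your own sign-in log (for Entra ID, the result and authentication-detail fields of the sign-in record).

```python
"""Flag MFA push floods in sign-in telemetry.

Added example, not the training platform's own code. The event shape and the
result strings below are assumptions; map them to your own SIEM schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Any of these means a push prompt reached the user's device (assumed labels).
PUSH_RESULTS = {"mfa_approved", "mfa_denied", "mfa_timeout"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_push_bursts(events, window=timedelta(minutes=10), threshold=5, min_refusals=2):
    """Return {user: finding} for every user who received at least `threshold`
    push prompts inside any `window`. The finding records how many prompts were
    refused, whether an approval came only after `min_refusals` refusals (the
    fatigue 'success' pattern) and the source IPs behind the prompts."""
    by_user = defaultdict(list)
    for event in events:
        if event["result"] in PUSH_RESULTS:
            by_user[event["user"]].append((parse_ts(event["ts"]), event))

    findings = {}
    for user, prompts in by_user.items():
        prompts.sort(key=lambda item: item[0])
        burst, start = [], 0
        # Sliding window: keep the longest run of prompts that fits in `window`.
        for end in range(len(prompts)):
            while prompts[end][0] - prompts[start][0] > window:
                start += 1
            span = prompts[start:end + 1]
            if len(span) >= threshold and len(span) > len(burst):
                burst = span
        if not burst:
            continue

        # Everything in a burst is a push; anything not approved counts as a refusal.
        refusals_before_approval, approved_after_refusals = 0, False
        for _, event in burst:
            if event["result"] == "mfa_approved":
                approved_after_refusals = refusals_before_approval >= min_refusals
                break
            refusals_before_approval += 1

        findings[user] = {
            "prompts": len(burst),
            "denied": sum(1 for _, e in burst if e["result"] == "mfa_denied"),
            "timed_out": sum(1 for _, e in burst if e["result"] == "mfa_timeout"),
            "approved_after_refusals": approved_after_refusals,
            "source_ips": sorted({e["ip"] for _, e in burst}),
            "first_prompt": burst[0][0].isoformat(),
            "last_prompt": burst[-1][0].isoformat(),
        }
    return findings


# Constructed sample: one targeted user gets ten pushes in under six minutes from
# a single unfamiliar IP, refuses nine and finally approves; two other users have
# ordinary activity that must not be flagged. All addresses are documentation ranges.
_ATTACKER_IP = "203.0.113.45"
SAMPLE_EVENTS = [
    {"ts": ts, "user": "j.doe@corp.example", "ip": _ATTACKER_IP, "result": result}
    for ts, result in [
        ("2026-03-04T08:01:05Z", "mfa_denied"), ("2026-03-04T08:01:40Z", "mfa_denied"),
        ("2026-03-04T08:02:15Z", "mfa_denied"), ("2026-03-04T08:02:50Z", "mfa_denied"),
        ("2026-03-04T08:03:30Z", "mfa_denied"), ("2026-03-04T08:04:05Z", "mfa_denied"),
        ("2026-03-04T08:04:40Z", "mfa_denied"), ("2026-03-04T08:05:20Z", "mfa_denied"),
        ("2026-03-04T08:06:00Z", "mfa_timeout"), ("2026-03-04T08:06:45Z", "mfa_approved"),
    ]
] + [
    {"ts": "2026-03-04T08:02:00Z", "user": "a.smith@corp.example", "ip": "198.51.100.7", "result": "mfa_approved"},
    {"ts": "2026-03-04T07:10:00Z", "user": "b.lee@corp.example", "ip": "198.51.100.9", "result": "mfa_denied"},
    {"ts": "2026-03-04T11:30:00Z", "user": "b.lee@corp.example", "ip": "198.51.100.9", "result": "mfa_denied"},
    {"ts": "2026-03-04T11:31:00Z", "user": "b.lee@corp.example", "ip": "198.51.100.9", "result": "mfa_approved"},
]

if __name__ == "__main__":
    for user, finding in find_push_bursts(SAMPLE_EVENTS).items():
        print(user, finding)
```

The approval-after-refusals flag is the signal that separates a nuisance (the user kept refusing) from a compromise that needs the session revoked; the source IP list gives you the pivot into the sign-in and proxy logs for the next task.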
Identifying the Attack Tool
10 points · Move from identity compromise to endpoint activity. In the XDR process tree for corp-wks-042, follow the attacker-controlled parent process to the child that launched lateral-movement tooling.
Lateral Movement Discovery
10 points · Correlate the endpoint process tree with network telemetry. Use SMB activity from the compromised workstation to identify the MITRE lateral-movement technique represented by Windows admin-share access.
Mapping the Blast Radius
10 points · Turn the lateral-movement pattern into scope. Compare denied and successful SMB attempts, then identify which workstation actually received an attacker session and staged activity.
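The two SMB tasks above come down to one correlation: take every admin-share connection the compromised workstation made, split the targets that refused it from the targets that accepted it, and look for file writes on the accepted ones. The code below is an added example for both tasks, not the scenario's own telemetry or tooling. Its event shape (one record per share connect or file operation) and field names are assumptions; Zeek's smb_mapping and smb_files logs or Windows security events 5140 and 5145 carry the same information under other names. corp-wks-042 is the workstation named in the scenario; every other host name, user and path is constructed.

```python
"""Scope admin-share lateral movement from a compromised workstation.

Added example, not the training platform's own code. Event fields are assumptions.
"""
from collections import defaultdict

# Built-in administrative shares that ordinary workstation users never map.
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}


def scope_admin_share_access(events, source_host):
    """Summarise every admin-share attempt `source_host` made, per target, and
    separate hosts that refused the connection from hosts where a session was
    established and, further, where files were written (staging)."""
    per_target = defaultdict(
        lambda: {"denied": 0, "allowed": 0, "shares": set(), "users": set(), "writes": []}
    )
    for e in events:
        if e["src_host"] != source_host:
            continue
        share = e["share"].upper()
        if share not in ADMIN_SHARES:
            continue  # ordinary file-share traffic is out of scope here
        rec = per_target[e["dst_host"]]
        rec["users"].add(e["user"])
        if e["status"] != "STATUS_SUCCESS":
            rec["denied"] += 1
            continue
        rec["allowed"] += 1
        rec["shares"].add(share)
        if e.get("action") in {"write", "create"} and e.get("path"):
            rec["writes"].append(e["path"])

    targets = {
        host: {
            "denied": r["denied"],
            "allowed": r["allowed"],
            "shares": sorted(r["shares"]),
            "users": sorted(r["users"]),
            "writes": list(r["writes"]),
        }
        for host, r in per_target.items()
    }
    return {
        "targets": targets,
        "probed_only": sorted(h for h, r in targets.items() if r["allowed"] == 0),
        "session_established": sorted(h for h, r in targets.items() if r["allowed"] > 0),
        "staged": sorted(h for h, r in targets.items() if r["writes"]),
    }


# Constructed sample: a spray of ADMIN$/C$ connects refused where the stolen
# account has no local admin rights, one host that accepted the session and
# received a binary, plus benign traffic that must be ignored.
_SRC = "corp-wks-042"
_USER = "CORP\\j.doe"
SAMPLE_SMB = [
    {"src_host": _SRC, "dst_host": "corp-wks-017", "user": _USER, "share": "ADMIN$", "status": "STATUS_ACCESS_DENIED", "action": "tree_connect"},
    {"src_host": _SRC, "dst_host": "corp-wks-017", "user": _USER, "share": "C$", "status": "STATUS_ACCESS_DENIED", "action": "tree_connect"},
    {"src_host": _SRC, "dst_host": "corp-wks-023", "user": _USER, "share": "ADMIN$", "status": "STATUS_ACCESS_DENIED", "action": "tree_connect"},
    {"src_host": _SRC, "dst_host": "corp-wks-031", "user": _USER, "share": "IPC$", "status": "STATUS_SUCCESS", "action": "tree_connect"},
    {"src_host": _SRC, "dst_host": "corp-wks-031", "user": _USER, "share": "ADMIN$", "status": "STATUS_SUCCESS", "action": "tree_connect"},
    {"src_host": _SRC, "dst_host": "corp-wks-031", "user": _USER, "share": "ADMIN$", "status": "STATUS_SUCCESS", "action": "create", "path": "\\\\corp-wks-031\\ADMIN$\\svchelper.exe"},
    # Normal departmental share use from the same workstation: not an admin share.
    {"src_host": _SRC, "dst_host": "corp-fs-01", "user": _USER, "share": "Finance", "status": "STATUS_SUCCESS", "action": "read", "path": "\\\\corp-fs-01\\Finance\\q1.xlsx"},
    # Another workstation's traffic: different source, ignored.
    {"src_host": "corp-wks-099", "dst_host": "corp-wks-031", "user": "CORP\\m.ortiz", "share": "ADMIN$", "status": "STATUS_ACCESS_DENIED", "action": "tree_connect"},
]

if __name__ == "__main__":
    scope = scope_admin_share_access(SAMPLE_SMB, _SRC)
    print("probed only:", scope["probed_only"])
    print("session established:", scope["session_established"])
    print("staged:", scope["staged"])
```

Denied attempts still matter: they define the attacker's target list and tell you which accounts lacked local admin rights, but the containment scope is the `staged` list, the hosts that both accepted an admin-share session and received a file.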
Containment and Lessons Learned
5 points · Review the full chain from phishing through MFA fatigue, endpoint foothold, lateral movement, and containment. Confirm the response steps that reduce account and host risk after an MFA fatigue compromise.
6 tasks · 50 points total
Skills You'll Build
Ideal for newcomers to SOC operations. Guided investigation with clear indicators.
Prerequisites
- No prior experience required
- Familiarity with SIEM concepts
- Familiarity with XDR concepts
More Operations
Credential Harvesting: The Lookalike Login
Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token. Foundational skills for SOC analysts in lookalike-domain analysis and identity-centric incident response.
QR Code Phishing: Scan to Compromise
In this scenario, you will investigate a modern 'Quishing' (QR phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves — Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule — and choose the containment action that actually evicts them.
ClickFix: The Fake CAPTCHA Trap
The ClickFix social engineering technique uses dialogue boxes containing fake error messages to trick victims into copying, pasting, and running malicious content. In this scenario, a user was targeted with a 'Verify You Are Human' CAPTCHA check that led to a significant endpoint compromise. You will analyze the 'paste-and-run' execution chain, investigate PowerShell activity initiated via the Windows Run dialog, and identify the deployment of an information stealer.