COMING SOON | Beginner

OneNote Attachment to RAT: A Guided First Investigation

A logistics contracts employee at Glacierline Freight opens a phishing email carrying a malicious OneNote notebook. Clicking a fake Open button runs an embedded batch file that chains through cmd.exe and a hidden, encoded PowerShell cradle to download an IcedID loader disguised as an image. Walk the email gateway, file artifacts, and endpoint process tree step by step from the spoofed sender to the C2 beacon.

25m
6 tasks
25 points
Free

Launches today

Jul 3, 2026

Friday, July 3, 2026 at 9:00 AM

Training Tools

Email, XDR

What you'll investigate

6 objectives unlock when this operation goes live.

1. Brief: a contract that opened a command shell
2. Trace the delivery to its sender
3. Identify the notebook Priya opened
4. Follow the execution chain from the click
5. Name the loader that was downloaded and disguised
6. Classify the disguise technique
