
Trusted Domain, Untrusted Destination: Open-Redirect Phishing
A finance clerk at Larkfield Mutual Assurance clicks a Release My Messages link in an Undelivered Mails phishing email. The link opens with a trusted brand domain that carries an open-redirect flaw, so it sails past URL filtering. Follow the 302 redirect through an attacker cushion server and a JavaScript hop to a spoofed Microsoft 365 login page, then catch the harvested credentials being replayed against the real tenant. Walk the mail gateway, web proxy, and sign-in logs step by step.
Launches today
Friday, July 3, 2026 at 9:00 AM
Be ready the moment it drops — free forever.
Training Tools
What you'll investigate
6 objectives unlock when this operation goes live.
Be first when it launches
Create your free account now. The moment this operation goes live on Jul 3, 2026, you can jump straight in — and you'll have the rest of the catalog to train on meanwhile.
Get Started FreeNo credit card required — free forever