
QR Code Phishing: Scan to Compromise
In this scenario, you will investigate a modern 'Quishing' (QR phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves — Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule — and choose the containment action that actually evicts them.
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
QR Code Phishing
5 points · Start with why quishing works: the email body contains an image rather than a clickable URL, so security controls must decode and inspect the QR payload. Read the setup before following the logs.
The Redirect Server
10 points · Analyze the SIEM and email gateway logs to identify the first redirect server in the phishing chain — the IP address that the decoded QR code URL initially resolves to.
The Credential Harvesting Server
10 points · Trace the victim after the redirect. Review the captured web and identity events to find where the fake Microsoft login page received the credential submission.
Infrastructure Mapping
10 points · Separate phishing delivery infrastructure from post-compromise operations. After the session theft, use sign-in telemetry to identify the server the attacker used to access Microsoft services as Sarah.
The Phishing Domain
10 points · Do not trust the display sender. Inspect headers and supporting gateway telemetry to identify the phishing management domain behind the QR-code campaign infrastructure.
Containment
5 points · Finish with containment for session-cookie theft and mailbox abuse. Review the confirmed server chain, stolen-session activity, and inbox-rule persistence before choosing the action that ends access.
6 tasks · 50 points total
Skills You'll Build
Ideal for newcomers to SOC operations. Guided investigation with clear indicators.
Prerequisites
- No prior experience required
- Familiarity with SIEM concepts
More Operations
Credential Harvesting: The Lookalike Login
Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token. Foundational skills for SOC analysts in lookalike-domain analysis and identity-centric incident response.
Malicious npm Package: Postinstall Infostealer
A developer at a software company installs a typosquatted npm package. The package's postinstall hook silently reads environment variables, SSH keys, and cloud credentials from the user profile and POSTs them to an attacker endpoint before the terminal even finishes. Trace the process tree, the file reads, and the exfiltration traffic to reconstruct the full chain.
Fake Window, Real Loss: Browser-in-the-Browser Steam Phishing
A Counter-Strike 2 player on the community team at Voltline Interactive clicks a phishing email offering a free in-game case from the Navi esports team. The link leads to a scam site that paints a fake browser pop-up, complete with a fake Steam URL bar, entirely in HTML. The victim types their Steam credentials into the fake window and the browser sends them to a harvesting host. Walk the email gateway and proxy logs step by step from the lure, through the dedicated host IP and reused page fingerprint, to the credential POST.