Beginner · SIEM

QR Code Phishing: Scan to Compromise

In this scenario, you will investigate a modern 'Quishing' (QR phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves — Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule — and choose the containment action that actually evicts them.

30m
6 tasks
25 points
Free


Investigation Tasks

Complete each task by investigating alerts and submitting your findings.

Task 1: QR Code Phishing (5 points)

Start with why quishing works: the email body contains an image rather than a clickable URL, so security controls must decode and inspect the QR payload. Read the setup before following the logs.

Answer format: SOC{...} (hint available)

Task 2: The Redirect Server (10 points)

Analyze the SIEM and email gateway logs to identify the first redirect server in the phishing chain — the IP address that the decoded QR code URL initially resolves to.

Answer format: SOC{...} (hint available)

Task 3: The Credential Harvesting Server (10 points)

Trace the victim after the redirect. Review the captured web and identity events to find where the fake Microsoft login page received the credential submission.

Answer format: SOC{...} (hint available)

Task 4: Infrastructure Mapping (10 points)

Separate phishing delivery infrastructure from post-compromise operations. After the session theft, use sign-in telemetry to identify the server the attacker used to access Microsoft services as Sarah.

Answer format: SOC{...} (hint available)

Task 5: The Phishing Domain (10 points)

Do not trust the display sender. Inspect headers and supporting gateway telemetry to identify the phishing management domain behind the QR-code campaign infrastructure.

Answer format: SOC{...} (hint available)

Task 6: Containment (5 points)

Finish with containment for session-cookie theft and mailbox abuse. Review the confirmed server chain, stolen-session activity, and inbox-rule persistence before choosing the action that ends access.

Answer format: SOC{...} (hint available)
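The final task asks you to recognise inbox-rule persistence before choosing containment. As an added example (not part of the operation or its telemetry), the following Python flags the kind of hidden forwarding rule the scenario describes, using constructed records shaped like Exchange Online `New-InboxRule` audit entries; the user, addresses, IPs and rule names are assumptions for illustration.

```python
import json

# Constructed sample records, shaped like Exchange Online inbox-rule audit
# entries (Operation + Parameters list). These are assumptions for the
# example, not telemetry from the training scenario.
SAMPLE_AUDIT_LOG = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "sarah@example.test",
                "ClientIP": "203.0.113.77",
                "Parameters": [
                    {"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;password;MFA"},
                    {"Name": "ForwardTo", "Value": "archive@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "sarah@example.test",
                "ClientIP": "198.51.100.10",
                "Parameters": [
                    {"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]}),
    json.dumps({"Operation": "MailItemsAccessed", "UserId": "sarah@example.test",
                "ClientIP": "203.0.113.77", "Parameters": []}),
]

# Parameters that send mail outside the mailbox, or hide it from the owner.
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}


def suspicious_inbox_rules(lines):
    """Return rule-creation records that forward mail, or that hide mail
    under a near-empty rule name (a common way to keep the rule unnoticed).
    A benign 'move newsletters to a folder' rule is not flagged."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        reasons = []
        if EXFIL_PARAMS & params.keys():
            reasons.append("forwards mail")
        if HIDE_PARAMS & params.keys():
            reasons.append("hides or removes messages")
        if len(params.get("Name", "")) <= 2:
            reasons.append("near-empty rule name")
        if "forwards mail" in reasons or len(reasons) >= 2:
            findings.append({"user": rec["UserId"], "ip": rec["ClientIP"],
                             "rule": params.get("Name"), "reasons": reasons})
    return findings
```

The flagged record's `ClientIP` is the value to compare against the post-compromise server you identified in Task 4; the rule itself must be removed in addition to revoking the stolen session.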

6 tasks · 50 points total


Skills You'll Build

  • Investigate realistic security alerts
  • SIEM log analysis
  • MITRE ATT&CK® technique identification
  • Triage decisions: escalate, investigate, or close
  • Evidence collection and documentation
  • Job-ready incident response methodology

Difficulty: Beginner

Ideal for newcomers to SOC operations. Guided investigation with clear indicators.

Prerequisites

  • No prior experience required
  • Familiarity with SIEM concepts


More Operations

Beginner · SIEM

Credential Harvesting: The Lookalike Login

Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token. Foundational skills for SOC analysts in lookalike-domain analysis and identity-centric incident response.

40m · 25 pts

Beginner · XDR · SIEM

Malicious npm Package: Postinstall Infostealer

A developer at a software company installs a typosquatted npm package. The package's postinstall hook silently reads environment variables, SSH keys, and cloud credentials from the user profile and POSTs them to an attacker endpoint before the terminal even finishes. Trace the process tree, the file reads, and the exfiltration traffic to reconstruct the full chain.

25m · 25 pts

Beginner · Email · SIEM

Fake Window, Real Loss: Browser-in-the-Browser Steam Phishing

A Counter-Strike 2 player on the community team at Voltline Interactive clicks a phishing email offering a free in-game case from the Navi esports team. The link leads to a scam site that paints a fake browser pop-up, complete with a fake Steam URL bar, entirely in HTML. The victim types their Steam credentials into the fake window and the browser sends them to a harvesting host. Walk the email gateway and proxy logs step by step from the lure, through the dedicated host IP and reused page fingerprint, to the credential POST.

25m · 25 pts