
QR Code Phishing: Scan to Compromise
In this scenario, you will investigate a modern 'quishing' (QR code phishing) attack that bypassed traditional email filters. You will analyze how attackers exploit complex mail routing and misconfigured anti-spoofing controls (sender authentication such as SPF, DKIM and DMARC) to deliver malicious lures that appear to originate from within the organization. Your investigation will cover the initial delivery, the bypass of security controls, and the unauthorized access that followed a successful credential harvest via a Tycoon2FA adversary-in-the-middle (intermediary) page.
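The two mechanisms the scenario description leans on can be checked directly on a raw message: the visible From header carries the organization's own domain while the SPF-authenticated envelope sender belongs to an outside relay, DMARC fails but the published policy is p=none so the receiver still delivers, and the lure contains no clickable URL because the link lives inside the QR image, which is why URL-rewriting and reputation filters have nothing to inspect. The following Python triage script is an added example for this page, not code from the training platform or from the scenario itself. The domain example-corp.com, the sample message and the relay name are constructed for illustration; decoding the QR image itself would need an image/QR library and is not shown.

```python
"""Header and body triage for a suspected quishing e-mail (added example)."""
import re
from email import policy
from email.parser import BytesParser

INTERNAL_DOMAIN = "example-corp.com"  # assumed (hypothetical) defended domain

# Constructed sample, not a real capture: the visible From is internal, the
# envelope sender and the SPF-passing domain belong to a third-party relay,
# DMARC fails but the policy is p=none, and the only "link" is an inline image.
SAMPLE_EMAIL = b"""\
Return-Path: <bounce@mailer.third-party-relay.net>
Authentication-Results: mx.example-corp.com;
 spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=mailer.third-party-relay.net;
 dkim=none;
 dmarc=fail (p=none sp=none dis=none) header.from=example-corp.com
From: IT Helpdesk <it-helpdesk@example-corp.com>
Subject: Action required: re-enroll your MFA device
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Scan the QR code below with your phone to re-enroll.</p>
<img src="cid:qr001"></body></html>
--b1
Content-Type: image/png
Content-ID: <qr001>
Content-Transfer-Encoding: base64

iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII=
--b1--
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
MAILFROM_RE = re.compile(r"smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)")
DKIM_D_RE = re.compile(r"header\.d=([\w.-]+)")
POLICY_RE = re.compile(r"\bp=(none|quarantine|reject)\b")
LINK_RE = re.compile(r"https?://", re.I)


def first(pattern: re.Pattern, text: str, default: str = "") -> str:
    """Lower-cased first capture group of pattern in text, or default."""
    m = pattern.search(text)
    return m.group(1).lower() if m else default


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address or angle-addr ('' if none)."""
    return first(re.compile(r"@([\w.-]+)"), addr)


def aligned(from_domain: str, auth_domain: str) -> bool:
    """Relaxed-style identifier alignment: equal, or one is a subdomain of the
    other. Simplification: real relaxed mode compares organizational domains
    derived from the public suffix list."""
    if not from_domain or not auth_domain:
        return False
    return (from_domain == auth_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))


def triage(raw: bytes, internal_domain: str = INTERNAL_DOMAIN) -> dict:
    """Return spoofing and quishing indicators for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = domain_of(str(msg.get("From", "")))
    auth = str(msg.get("Authentication-Results", ""))
    results = dict(AUTH_RE.findall(auth))  # e.g. {'spf': 'pass', 'dkim': 'none', 'dmarc': 'fail'}
    spf_domain = first(MAILFROM_RE, auth) or domain_of(str(msg.get("Return-Path", "")))
    dkim_domain = first(DKIM_D_RE, auth)
    dmarc_policy = first(POLICY_RE, auth, "missing")

    # Spoof indicator: From claims our domain, but neither SPF nor DKIM passed
    # for an aligned domain, and the DMARC policy (p=none, or none published)
    # did not instruct the receiving MTA to quarantine or reject.
    spf_aligned = results.get("spf") == "pass" and aligned(from_domain, spf_domain)
    dkim_aligned = results.get("dkim") == "pass" and aligned(from_domain, dkim_domain)
    spoof_suspect = (from_domain == internal_domain
                     and not (spf_aligned or dkim_aligned)
                     and dmarc_policy in ("none", "missing"))

    # Quishing indicator: image parts present, no http(s) URL anywhere in the
    # text, and the call to action is to scan. Nothing here for a URL filter.
    image_parts, link_count, text = 0, 0, ""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            image_parts += 1
        elif ctype in ("text/plain", "text/html"):
            body = part.get_content()
            text += body
            link_count += len(LINK_RE.findall(body))
    quishing_suspect = image_parts > 0 and link_count == 0 and "scan" in text.lower()

    return {
        "from_domain": from_domain, "spf_domain": spf_domain,
        "spf": results.get("spf", "missing"), "dkim": results.get("dkim", "missing"),
        "dmarc": results.get("dmarc", "missing"), "dmarc_policy": dmarc_policy,
        "spoof_suspect": spoof_suspect, "image_parts": image_parts,
        "link_count": link_count, "quishing_suspect": quishing_suspect,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key:17} {value}")
```

Run against the constructed sample, the script reports spf=pass for the relay's domain, dmarc=fail with policy none, spoof_suspect True, one image part, zero links and quishing_suspect True. In a real gateway the same two conditions (unaligned authentication on an internal From, plus image-only body with a "scan" call to action) are the signals worth alerting on; moving the domain's DMARC record from p=none to p=quarantine or p=reject is what turns the first condition from a log line into a block.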
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
QR Code Phishing (5 points)
Understand the quishing technique and why QR code phishing bypasses traditional email security filters.
The Redirect Server (10 points)
Analyze the SIEM and email gateway logs to identify the first redirect server IP that the QR code URL points to.
The Credential Harvesting Server (10 points)
Identify the IP address hosting the fake login page where sarah.jenkins submitted her credentials.
Infrastructure Mapping (10 points)
Identify the attacker's operational server IP used for post-compromise access with sarah.jenkins's stolen session.
The Phishing Domain (10 points)
Identify the domain used to host the phishing email infrastructure and QR code generation system.
Containment (5 points)
Review the complete attack chain and understand QR code phishing-specific remediation and containment steps.
6 tasks · 50 points total
Skills You'll Build
Ideal for newcomers to SOC operations. Guided investigation with clear indicators.
Prerequisites
- No prior experience required
- Familiarity with SIEM concepts
More Operations
Scattered Spider: Identity-First Attack Chain
Investigate a high-sophistication intrusion by UNC3944 (Scattered Spider). This scenario simulates a multi-stage attack starting from social engineering and MFA fatigue, progressing through the exploitation of unmanaged edge devices, and culminating in a 'Bring Your Own Vulnerable Driver' (BYOVD) technique to blind kernel-level security agents. Analysts must correlate identity providers, cloud sign-ins, and deep endpoint forensics to reconstruct the timeline and identify the breakout speed of this financially motivated threat actor.
Fake Zoom to Ransomware: The Social Engineering Pipeline
In this advanced SOC simulation, you will investigate a multi-stage intrusion that began with a drive-by download of a trojanized Zoom installer. The attack progressed through several stages of loader execution, including d3f@ckloader and IDAT loader, eventually leading to the deployment of high-end C2 frameworks like Cobalt Strike and Brute Ratel. You must trace the attacker's path from the initial web-based compromise, through lateral movement via RDP tunneling and proxy tools, to the final mass-deployment of BlackSuit ransomware via enterprise management software. This scenario is based on real-world 2025 threat intelligence and requires deep analysis of SIEM, XDR, and Firewall telemetry to reconstruct the full kill chain.
Black Basta: Email Bomb to Encryption
Investigate a sophisticated Ransomware-as-a-Service (RaaS) campaign involving Black Basta and Cactus TTPs. This scenario tracks a multi-stage attack from initial social engineering via Microsoft Teams and Quick Assist to advanced persistence using DLL side-loading in OneDrive. You will analyze how attackers move from identity-based initial access to full domain compromise and ESXi virtualization host encryption. The investigation requires correlating evidence across SIEM logs, XDR process trees, and firewall traffic to uncover hidden C2 channels and data exfiltration patterns occurring during off-hours.