Delight Cybersecurity Student Workbook

Incident Response Lab
Operation Hooked Anchor

Enter the access code provided by your instructor

ANTHRO-SEC TRAINING PLATFORM v2.4.1
Initialising simulation engine...
Synthetic network environment mounted
SIEM log database loaded — 14,832 entries
Mail gateway artefacts ready
Azure AD synthetic tenant connected
⚠ INCIDENT DETECTED — IR-2024-0042 — PHISHING COMPROMISE
Launching analyst workstation...
ANTHRO-SEC SOC | Analyst: YOU | Phase: Identification | ● LIVE INCIDENT Score: 0 pts | 09:14:00 UTC
Lab Phases
Objective

You have a live SIEM alert. A finance user clicked a phishing link and credentials may be compromised. Begin your triage.

Score
0
out of 1000 pts
Incident Info
IDIR-2024-0042
SeverityP2 — High
ICMorgan T.
📡 Live Alert Feed
Anomalous login: sarah.m — Bucharest RO — 185.220.101.45
09:17:03 UTC
sarah.m clicked URL — corp-invoice-urgent.xyz
09:14:31 UTC
SPF FAIL on inbound email to finance@corp.local
09:14:18 UTC
DMARC reject bypassed — legacy gateway rule
09:14:19 UTC
🗂️ IOC Register
No IOCs logged yet. Investigate to discover indicators.
💡 Hint
▶ Show hint
Start with the SIEM alert, then examine the phishing email headers and Azure AD sign-in logs.
🎓
Incident Resolved
You completed all 6 phases of the phishing incident response simulation.
0
Score
0/0
Correct
0m
Time
Grade S