CTF: The CEO Just Clicked a Phishing Link — What Now?

Difficulty: Beginner–Intermediate | Time: 15–25 min | Linked product: IRP Template ($47)


The Setup

It's 11:40 AM on a Monday. Your CEO, Sandra, gets an email that looks exactly like a Microsoft security alert. Subject: "Unusual sign-in activity on your account — verify now." The sender shows as security@microsoft-account.com (note: not microsoft.com). Sandra is on her phone, half-listening to a call with her accountant, and clicks the link.

The link takes her to a convincing Microsoft login page. She enters her password. The page then asks for her MFA code. She enters that too. A spinner runs for three seconds. Then: "Your account has been verified. You may close this window."

Sandra continues her call. She doesn't think much of it.

Twenty minutes later, your IT person notices an alert in the M365 admin portal: "Sign-in from unusual location — Lagos, Nigeria." The sign-in was successful. The account being accessed is Sandra's.

This is a Business Email Compromise (BEC) / adversary-in-the-middle phishing attack. The attacker used an Evilginx-style reverse proxy to relay Sandra's credentials and live MFA code in real time. They're in her inbox right now.

What do the next 60 minutes look like?


The Challenge


Question 1 — Immediate actions: The first 10 minutes

List your immediate actions in the first 10 minutes, in order. There are at least five distinct steps. For each, describe the specific mechanism (where in the admin portal, what PowerShell command, etc.) — not just the category of action.


Question 2 — What did the attacker do while they were in?

The attacker had access to Sandra's account for approximately 25 minutes before you detected and responded. What do you check, in what order, to determine what they did during that window? List the specific M365 audit log sources and what each one tells you.


Question 3 — The BEC pivot

Many BEC attacks don't end with credential theft — they end with financial fraud. Common pivot patterns:

  • (A) Email forwarding rules set to silently copy all incoming email to an external address
  • (B) Financial approval emails intercepted and altered before delivery
  • (C) Supplier impersonation emails sent from Sandra's account to your finance team

For each of the three patterns above: how would you detect whether this happened in Sandra's account during the 25-minute window? What's the first thing you'd check for each?


Question 4 — MFA bypass: The uncomfortable conversation

Sandra had MFA enabled. She was still compromised. What does this tell you about the limitations of TOTP/SMS-based MFA against adversary-in-the-middle attacks? What authentication mechanism would have prevented this specific attack, and how does it work technically?


Question 5 — The phishing email: What to do with it

The original phishing email is still in Sandra's Sent items (the attacker may have sent it from her account) and in her Inbox. You need to:

  • Preserve it as evidence
  • Check whether it was forwarded or sent to other staff
  • Submit it to Microsoft for analysis
  • Potentially notify ACSC

Walk through the steps. What's the difference between a "phishing report" to Microsoft and a formal ACSC report, and when is each appropriate?


Hints

Hint 1 (Q1): In M365, emergency account response has a specific sequence: revoke all active sessions first (this kills the attacker's current access), then reset the password, then check what tokens have been issued. Just resetting the password is not sufficient — an attacker with a live session token remains authenticated even after a password change until the session is explicitly revoked. The command is Revoke-AzureADUserAllRefreshToken (legacy AzureAD PowerShell module) or revokeSignInSessions in the MS Graph API.

Hint 2 (Q2): M365's Unified Audit Log captures mail read events, sent items, forwarding rule changes, calendar changes, and file access (if the account has SharePoint). Start with the Unified Audit Log filtered to Sandra's UPN for the 25-minute window. Then check the Inbox Rules specifically — these are often created silently. Then check Sent Items.

Hint 3 (Q3): Forwarding rules: Get-InboxRule -Mailbox sandra@company.com. BEC financial intercept: check Sent Items for the window — did the attacker send any emails? Supplier impersonation: check whether any outbound emails were sent to your accounts payable team or CFO from Sandra's account during the window.
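The checks from Hints 2 and 3 as one triage script. This is an added example, not code from the original CTF page or its IRP template; it assumes the ExchangeOnlineManagement module, an admin role with audit-log and mailbox access, and an enabled Unified Audit Log. The UPN, the time window and the finance addresses are constructed placeholders. It goes slightly beyond the hints by also checking mailbox-level forwarding and hidden inbox rules, which a Get-InboxRule call on its own misses.

```powershell
# Added example, not from the CTF page. Triage of the 25-minute window:
# what the Unified Audit Log recorded, silent forwarding (pattern A), and
# what left the mailbox and to whom (patterns B and C).
# Assumes ExchangeOnlineManagement; UPN, window and addresses are placeholders.
Connect-ExchangeOnline

$Upn      = 'sandra@yourcompany.com'                          # placeholder
$Start    = (Get-Date '2026-04-13 11:40').ToUniversalTime()   # constructed window
$End      = $Start.AddMinutes(40)
$Internal = 'yourcompany.com'                                 # placeholder
$Finance  = 'cfo@yourcompany.com', 'ap@yourcompany.com'       # placeholder

# 1. Unified Audit Log filtered to the UPN and the window. These operations
#    cover rule changes, mailbox forwarding, reads, sends and logons.
$Ops = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox',
       'MailItemsAccessed', 'Send', 'SendAs', 'SendOnBehalf', 'UserLoggedIn'
$Events = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $Upn `
              -Operations $Ops -ResultSize 5000 |
          ForEach-Object { $_.AuditData | ConvertFrom-Json }
$Events | Group-Object Operation | Select-Object Count, Name | Format-Table -AutoSize
$RuleOps = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox'
$Events | Where-Object { $_.Operation -in $RuleOps } |
          Select-Object CreationTime, Operation, ClientIP, Parameters | Format-List

# 2. Pattern A: forwarding. Check inbox rules (including ones hidden from Outlook)
#    AND mailbox-level forwarding, which Get-InboxRule never shows.
Get-InboxRule -Mailbox $Upn -IncludeHidden |
  Where-Object { $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo -or $_.DeleteMessage } |
  Select-Object Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage
Get-Mailbox -Identity $Upn |
  Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Patterns B and C: every message that left the mailbox in the window.
#    Flag external recipients and anything addressed to finance staff.
Get-MessageTrace -SenderAddress $Upn -StartDate $Start -EndDate $End |
  Select-Object Received, RecipientAddress, Subject, Status,
    @{ n = 'Flag'; e = {
        if ($_.RecipientAddress -notlike "*@$Internal") { 'EXTERNAL' }
        elseif ($Finance -contains $_.RecipientAddress) { 'FINANCE' }
        else { '' } } } |
  Sort-Object Received | Format-Table -AutoSize
```

Any FLAG = EXTERNAL row in the last table is a candidate for pattern B, and any FINANCE row is what your CFO call-back needs to verify.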

Hint 4 (Q4): The authentication mechanism that defeats adversary-in-the-middle (AITM) attacks is passkeys / FIDO2 hardware keys (e.g., YubiKey) or certificate-based authentication. These are phishing-resistant because the cryptographic challenge is bound to the origin domain — even if you're on a fake site, the browser refuses to complete the auth because the domain doesn't match. TOTP codes are domain-agnostic — the attacker can relay them to the real site in real time. This is why Microsoft, ACSC, and CISA all recommend phishing-resistant MFA as the upgrade path.

Hint 5 (Q5): Microsoft's phishing submission goes via the Security & Compliance portal > Submissions. ACSC reporting is via ReportCyber (cyber.gov.au/report) or, for significant incidents affecting critical infrastructure or government, directly to ACSC. For a targeted BEC against a small business, ReportCyber is the right path. You're not legally required to report it unless personal data was compromised (NDB scheme), but ACSC intelligence helps protect other Australian businesses.


Reveal: Full Answer to Question 1

First 10 minutes — immediate actions in order:

Minute 0–2: Revoke all active sessions

Do not reset the password first. The attacker has a live session token that survives a password reset. Go to: M365 Admin Center → Users → Sandra's account → Sign-out all sessions. Or use PowerShell:

Connect-MgGraph -Scopes "User.ReadWrite.All"
Revoke-MgUserSignInSession -UserId sandra@yourcompany.com

This immediately terminates all active sessions, including the attacker's. The attacker is now locked out.

Minute 2–4: Reset Sandra's password

After revoking sessions, reset the password to something long and random. Do this from the admin portal, not from Sandra's device (which may still be compromised). Issue the temporary password to Sandra via a phone call — not email.

Minute 4–6: Disable the account temporarily

If you're not ready to give Sandra access back yet (you need to assess her device), disable the account entirely. M365 Admin Center → Users → Block sign-in. This prevents any further authentication even if you've missed a token.

Minute 6–8: Check for inbox rules

This is the step most IR teams skip in the rush of the first response. Open Sandra's account (as admin) in the Exchange Admin Center and run:

Get-InboxRule -Mailbox "sandra@yourcompany.com" | Select-Object Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage

Look for any rules created in the last two hours. An attacker who creates a forwarding rule and then gets kicked out still has ongoing email access via that rule.

Minute 8–10: Alert your finance team

Call — do not email — your CFO and accounts payable lead. Tell them that Sandra's account was compromised for approximately 25 minutes. Instruct them to call Sandra directly before acting on any financial instructions that came from her email in the last 30 minutes. This is the BEC fraud prevention step. Emails can be spoofed or sent by the attacker — phone verification of financial instructions is your defence.

Why this order?

Session revoke → password reset → disable account → check rules → alert finance. Each step builds on the previous. Alerting finance at minute 1 is fine in parallel, but the technical steps have a critical dependency on the session revoke happening before anything else.
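The technical half of this sequence as a single Microsoft Graph PowerShell runbook, in the order the answer gives. This is an added example, not code from the original page or the IRP template; it assumes the Microsoft.Graph modules, an account allowed to reset passwords and read sign-in logs, and a placeholder UPN. The inbox-rule check (minute 6–8) is the Get-InboxRule command already shown above and is not repeated here; the persistence check at the end covers the "what tokens have been issued" part of Hint 1.

```powershell
# Added example, not from the CTF page. First-10-minute containment in order:
# revoke sessions -> reset password -> block sign-in -> check for persistence.
# Assumes Microsoft.Graph modules and a password-reset-capable role; UPN is a placeholder.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All',
                        'UserAuthenticationMethod.Read.All', 'AuditLog.Read.All'
$Upn   = 'sandra@yourcompany.com'   # placeholder
$Since = (Get-Date).AddHours(-2).ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")

# Minute 0-2: revoke first. This invalidates refresh tokens and session cookies;
# a password reset alone does not. Already-issued access tokens still run out
# their (up to one hour) lifetime unless Continuous Access Evaluation ends them.
Revoke-MgUserSignInSession -UserId $Upn

# Minute 2-4: reset from the admin side to a random password and force a change
# at next sign-in. Read it to Sandra over the phone, never by email.
$Bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Bytes)
$TempPassword = [Convert]::ToBase64String($Bytes)
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password = $TempPassword; ForceChangePasswordNextSignIn = $true }

# Minute 4-6: block sign-in until her device has been checked.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# Persistence check: an attacker with a live session can register their own
# MFA method. Anything added in the window is hostile; compare against what
# Sandra recognises. Then list the sign-ins that led here (IP, country, app).
Get-MgUserAuthenticationMethod -UserId $Upn |
  Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } }
Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $Since" |
  Select-Object CreatedDateTime, IpAddress, AppDisplayName,
    @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
    @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } } |
  Sort-Object CreatedDateTime | Format-Table -AutoSize
```

A sign-in row with ErrorCode 0 from the unexpected country is the attacker's session; an authentication method Sandra does not recognise must be removed before the account is re-enabled.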


Get the Full Answer Key

You've seen the immediate response sequence in full. The remaining questions — on M365 audit log sources, BEC pivot detection, phishing-resistant MFA mechanics, and ACSC vs Microsoft reporting — are covered in the Incident Response Plan Template for SMBs.

The template includes:

  • BEC response playbook with the specific M365 admin steps
  • M365 audit log query templates (PowerShell and portal)
  • Phishing-resistant MFA upgrade decision guide
  • BEC financial fraud prevention procedure (call-back verification)
  • ACSC ReportCyber submission guide

Get the IRP Template for $47 → lil.business/products/incident-response-plan-template

Or buy via Polar: https://buy.polar.sh/polar_cl_G95ZMX6xnZpa7JuXj1AROgffKr1aL0JDmJ2KU1rHJ84


The Evilginx-style AITM phishing technique is well-documented and actively used against Australian businesses. ACSC Advisory 2023-003 covers adversary-in-the-middle phishing. M365 PowerShell commands are accurate as at April 2026.

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation