CTF: The CEO Just Clicked a Phishing Link — What Now?
Difficulty: Beginner–Intermediate | Time: 15–25 min | Linked product: IRP Template ($47)
The Setup
It's 11:40 AM on a Monday. Your CEO, Sandra, gets an email that looks exactly like a Microsoft security alert. Subject: "Unusual sign-in activity on your account — verify now." The sender shows as [email protected] (note: not microsoft.com). Sandra is on her phone, half-listening to a call with her accountant, and clicks the link.
The link takes her to a convincing Microsoft login page. She enters her password. The page then asks for her MFA code. She enters that too. A spinner runs for three seconds. Then: "Your account has been verified. You may close this window."
Sandra continues her call. She doesn't think much of it.
Twenty minutes later, your IT person notices an alert in the M365 admin portal: "Sign-in from unusual location — Lagos, Nigeria." The sign-in was successful. The account being accessed is Sandra's.
This is a Business Email Compromise (BEC) / adversary-in-the-middle phishing attack. The attacker used an Evilginx-style reverse proxy to relay Sandra's credentials and live MFA code in real time. They're in her inbox right now.
What do the next 60 minutes look like?
The Challenge
Question 1 — Immediate actions: The first 10 minutes
List your immediate actions in the first 10 minutes, in order. There are at least five distinct steps. For each, describe the specific mechanism (where in the admin portal, what PowerShell command, etc.) — not just the category of action.
Question 2 — What did the attacker do while they were in?
The attacker had access to Sandra's account for approximately 25 minutes before you detected and responded. What do you check, in what order, to determine what they did during that window? List the specific M365 audit log sources and what each one tells you.
Question 3 — The BEC pivot
Many BEC attacks don't end with credential theft — they end with fina
- (A) Email forwarding rules set to silently copy all incoming email to an external address
- (B) Financial approval emails intercepted and altered before delivery
- (C) Supplier impersonation emails sent from Sandra's account to your finance team
For each of the three patterns above: how would you detect whether this happened in Sandra's account during the 25-minute window? What's the first thing you'd check for each?
Question 4 — MFA bypass: The uncomfortable conversation
Sandra had MFA enabled. She was still compromised. What does this tell you about the limitations of TOTP/SMS-based MFA against adversary-in-the-middle attacks? What authentication mechanism would have prevented this specific attack, and how does it work technically?
Question 5 — The phishing email: What to do with it
The original phishing email is still in Sandra's Sent items (the attacker may have sent it from her account) and in her Inbox. You need to:
- Preserve it as evidence
- Check whether it was forwarded or sent to other staff
- Submit it to Microsoft for analysis
- Potentially notify ACSC
Walk through the steps. What's the difference between a "phishing report" to Microsoft and a formal ACSC report, and when is each appropriate?
Hints
Hint 1 (Q1): In M365, emergency account response has a specific sequence: revoke all active sessions first (this kills the attacker's current access), then reset the password, then check what tokens have been issued. Just resetting the password is not sufficient — an attacker with a live session token remains authenticated even after a password change until the session is explicitly revoked. The command is Revoke-AzureADUserAllRefreshToken (older AzureAD PowerShell module) or revokeSignInSessions in the MS Graph API.
Hint 2 (Q2): M365's Unified Audit Log captures mail read events, sent items, forwarding rule changes, calendar changes, and file access (if the account has SharePoint). Start with the Unified Audit Log filtered to Sandra's UPN for the 25-minute window. Then check the Inbox Rules specifically — these are often created silently. Then check Sent Items.
Hint 3 (Q3): Forwarding rules: Get-InboxRule -Mailbox [email protected]. BEC financial intercept: check Sent Items for the window — did the attacker send any emails? Supplier impersonation: check whether any outbound emails were sent to your accounts payable team or CFO from Sandra's account during the window.
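Hints 2 and 3 both come down to reading the Unified Audit Log for Sandra's UPN inside the 25-minute window. The Python below is an added example (not code from this page or the IRP template) that triages exported records offline: it assumes each record carries the AuditData JSON string that Search-UnifiedAuditLog returns, uses a hypothetical tenant domain, and runs on constructed sample records.

```python
# Offline triage of exported M365 Unified Audit Log records for one account.
# Added example, not code from the page or the IRP template. Assumes each record
# carries the 'AuditData' JSON string as Search-UnifiedAuditLog returns it, and
# that INTERNAL_DOMAIN is your tenant's domain (hypothetical value below).
import json
from datetime import datetime

INTERNAL_DOMAIN = "example.com.au"
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}   # rule changes
SEND_OPS = {"Send", "SendAs", "SendOnBehalf"}                        # mail sent
FORWARD_PARAMS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")

def triage(records, upn, start_iso, end_iso):
    """Return (kind, operation, client_ip, detail) findings for upn in the window."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    findings = []
    for rec in records:
        d = json.loads(rec["AuditData"])
        if d.get("UserId", "").lower() != upn.lower():
            continue
        if not start <= datetime.fromisoformat(d["CreationTime"]) <= end:
            continue
        op, ip = d["Operation"], d.get("ClientIP", "?")
        if op in RULE_OPS:   # pattern (A): silent forwarding / deletion rules
            params = {p["Name"]: p["Value"] for p in d.get("Parameters", [])}
            external = [params[k] for k in FORWARD_PARAMS
                        if k in params and not params[k].lower().endswith("@" + INTERNAL_DOMAIN)]
            if external or params.get("DeleteMessage") == "True":
                findings.append(("FORWARDING_RULE", op, ip, {"rule": params.get("Name"), "to": external}))
        elif op in SEND_OPS:   # patterns (B)/(C): what left the mailbox
            findings.append(("MAIL_SENT", op, ip, d.get("Item", {}).get("Subject")))
        elif op == "UserLoggedIn":
            findings.append(("SIGN_IN", op, ip, d.get("ResultStatus")))
    return findings

# Constructed sample records (not real tenant data); times are UTC.
SAMPLE = [{"AuditData": json.dumps(x)} for x in [
    {"CreationTime": "2026-04-13T01:40:12", "Operation": "UserLoggedIn", "UserId": "sandra@example.com.au",
     "ClientIP": "203.0.113.7", "ResultStatus": "Success"},
    {"CreationTime": "2026-04-13T01:43:50", "Operation": "New-InboxRule", "UserId": "sandra@example.com.au",
     "ClientIP": "203.0.113.7", "Parameters": [{"Name": "Name", "Value": "Updates"},
        {"Name": "ForwardTo", "Value": "collector@attacker.example"}, {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-04-13T01:51:03", "Operation": "Send", "UserId": "sandra@example.com.au",
     "ClientIP": "203.0.113.7", "Item": {"Subject": "Updated bank details for invoice 1042"}},
    {"CreationTime": "2026-04-12T23:00:00", "Operation": "Send", "UserId": "sandra@example.com.au",
     "ClientIP": "198.51.100.4", "Item": {"Subject": "Board papers"}},   # before the window: ignored
]]

if __name__ == "__main__":
    for f in triage(SAMPLE, "sandra@example.com.au", "2026-04-13T01:40:00", "2026-04-13T02:05:00"):
        print(*f)
```

Every finding carries the ClientIP, so one IP that first appears in the unusual-location sign-in and then on the rule creation and the sends ties the whole window to the attacker.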
Hint 4 (Q4): The authentication mechanism that defeats adversary-in-the-middle (AITM) attacks is passkeys / FIDO2 hardware keys (e.g., YubiKey) or certificate-based authentication. These are phishing-resistant because the cryptographic challenge is bound to the origin domain — even if you're on a fake site, the browser refuses to complete the auth because the domain doesn't match. TOTP codes are domain-agnostic — the attacker can relay them to the real site in real time. This is why Microsoft, ACSC, and CISA all recommend phishing-resistant MFA as the upgrade path.
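To make the origin binding in Hint 4 concrete, here is an added Python example (not code from this page) of the checks a relying party performs on a WebAuthn assertion before it verifies the signature. It assumes a hypothetical RP ID of login.example.com.au; the simulate() helper fabricates the browser's response so the rejection paths can be exercised, since a real browser never offers a credential scoped to one RP ID to a page on a different origin.

```python
# Relying-party side of WebAuthn's origin binding, the property Hint 4 describes.
# Added example, not code from the page. Assumes the real login host is
# login.example.com.au (hypothetical) and stops before signature verification,
# which only runs once these checks pass.
import base64, hashlib, json

RP_ID = "login.example.com.au"              # credentials are scoped to this RP ID
EXPECTED_ORIGIN = "https://" + RP_ID

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).decode().rstrip("=")

def check_binding(client_data_b64, authenticator_data, expected_challenge):
    """Return (ok, reason) for the origin/rpId checks an RP makes on an assertion."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "not an authentication assertion"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch: stale or replayed response"
    if cd.get("origin") != EXPECTED_ORIGIN:        # the browser fills this field itself
        return False, "origin %r is not %r" % (cd.get("origin"), EXPECTED_ORIGIN)
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    return True, "ok"

def simulate(origin, challenge, rp_id=RP_ID):
    """Build what a browser at `origin` would hand back for a credential scoped to rp_id
    (constructed test input; a real browser refuses to use an rp_id credential on another origin)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (7).to_bytes(4, "big")
    return b64url_encode(client_data.encode()), auth_data

if __name__ == "__main__":
    chal = b64url_encode(b"server-random-challenge-32-bytes")
    print(check_binding(*simulate(EXPECTED_ORIGIN, chal), chal))                    # accepted
    print(check_binding(*simulate("https://login-verify.example", chal), chal))     # origin rejected
    print(check_binding(*simulate(EXPECTED_ORIGIN, chal), "other"))                 # replay rejected
```

A relayed TOTP code has no equivalent of the origin or rpIdHash fields, which is exactly why the proxy in the scenario could pass it straight through.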
Hint 5 (Q5): Microsoft's phishing submission goes via the Security & Compliance portal > Submissions. ACSC reporting is via ReportCyber (cyber.gov.au/report) or, for significant incidents affecting critical infrastructure or government, directly to ACSC. For a targeted BEC against a small business, ReportCyber is the right path. You're not legally required to report it unless personal data was compromised (NDB scheme), but ACSC intelligence helps protect other Australian businesses.
Reveal: Full Answer to Question 1
First 10 minutes — immediate actions in order:
Minute 0–2: Revoke all active sessions
Do not reset the password first. The attacker has a live session token that survives a password reset. Go to: M365 Admin Center → Users → Sandra's account → Sign-out all sessions. Or use PowerShell:
Connect-MgGraph -Scopes "User.ReadWrite.All"
Revoke-MgUserSignInSession -UserId [email protected]
This immediately terminates all active sessions, including the attacker's. The attacker is now locked out.
Minute 2–4: Reset Sandra's password
After revoking sessions, reset the password to something long and random. Do this from the admin portal, not from Sandra's device (which may still be compromised). Issue the temporary password to Sandra via a phone call — not email.
Minute 4–6: Disable the account temporarily
If you're not ready to give Sandra access back yet (you need to assess her device), disable the account entirely. M365 Admin Center → Users → Block sign-in. This prevents any further authentication even if you've missed a token.
Minute 6–8: Check for inbox rules
This is the step most IR teams skip in the rush of the first response. Connect to Exchange Online PowerShell as an admin (Connect-ExchangeOnline) and run:
Get-InboxRule -Mailbox "[email protected]" | Select-Object Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage
Look for any rules created in the last two hours. Get-InboxRule does not show when a rule was created, so correlate its output with New-InboxRule, Set-InboxRule and UpdateInboxRules operations in the Unified Audit Log for Sandra's UPN. An attacker who creates a forwarding rule and then gets kicked out still has ongoing email access via that rule.
Minute 8–10: Alert your finance team
Call — do not email — your CFO and accounts payable lead. Tell them that Sandra's account was compromised for approximately 25 minutes. Instruct them to call Sandra directly before acting on any financial instructions that came from her email in the last 30 minutes. This is the BEC fraud prevention step. Emails can be spoofed or sent by the attacker — phone verification of financial instructions is your defence.
Why this order?
Session revoke → password reset → disable account → check rules → alert finance. Each step builds on the previous. Alerting finance at minute 1 is fine in parallel, but the technical steps have a critical dependency on the session revoke happening before anything else.
Get the Full Answer Key
You've seen the immediate response sequence in full. The remaining questions — on M365 audit log sources, BEC pivot detection, phishing-resistant MFA mechanics, and ACSC vs Microsoft reporting — are covered in the Incident Response Plan Template for SMBs.
The template includes:
- BEC response playbook with the specific M365 admin steps
- M365 audit log query templates (PowerShell and portal)
- Phishing-resistant MFA upgrade decision guide
- BEC financial fraud prevention procedure (call-back verification)
- ACSC ReportCyber submission guide
Get the IRP Template for $47 → lil.business/products/incident-response-plan-template
Or buy via Polar: https://buy.polar.sh/polar_cl_G95ZMX6xnZpa7JuXj1AROgffKr1aL0JDmJ2KU1rHJ84
The Evilginx-style AITM phishing technique is well-documented and actively used against Australian businesses. ACSC Advisory 2023-003 covers adversary-in-the-middle phishing. M365 PowerShell commands are accurate as at April 2026.
What to Do When Hackers Break Into Your Business (Explained Simply)
ELI10 version — real advice, plain language, no jargon.
TL;DR
- Don't wipe or clean up — that destroys the evidence you need
- Call your cyber insurer before anyone else, or you might not get paid out
- Don't pay the ransom until you've checked for free solutions first
- Get a specialist, not just your regular IT person
Imagine your office is a house. You walk in one morning and the front door is wide open. Drawers are pulled out. Papers everywhere. Someone was definitely here overnight.
What do you do?
Most people's first instinct: clean everything up, make it look normal again, pretend it didn't happen.
That's the worst thing you can do. Here's why.
Why You Shouldn't "Clean Up" First
When police investigate a break-in, they look for fingerprints, footprints, and anything the burglar touched. If you've cleaned the whole house, those clues are gone forever.
Computer forensics works exactly the same way. When investigators look at a hacked computer, they read the "footprints" left in the system — logs, memory, traces of what the attacker did. NIST's federal incident handling standard (SP 800-61r2) specifically requires preserving this evidence before any recovery actions are taken [1]. If you wipe the computer to "fix" it, you destroy all of that.
What to do instead: Pull the network cable out (so no one can still be sneaking around inside) but leave the computer on. Don't delete anything. Don't reformat anything. Just disconnect it from everything else.
Check If Your Spare Key Was Already Copied
Your backups are like a spare copy of everything in your business. But ransomware often breaks in quietly, weeks before anything obvious happens. It sits and waits. Then it strikes.
According to Veeam's 2024 Ransomware Trends Report, 75% of ransomware attacks successfully impacted backup repositories specifically to prevent recovery [2]. That means your backup from last Tuesday might already have the bad stuff inside it. You need to find a backup from before the attackers got in.
Call Your Insurance Company Before Anyone Else
If you have cyber insurance, call them first — before your IT person, before the police, before you start fixing anything. Many insurance policies say: "If you start fixing things before calling us, we won't pay." It's like calling your home insurer before you start rebuilding after a flood.
No cyber insurance? This is exactly what it costs to not have it.
Should You Pay the Ransom?
Ransomware is like a bully who locks your school locker and demands your lunch money for the combination back. The problem: sometimes the bully takes your lunch money and keeps the locker locked anyway. According to Veeam's 2024 report, 1 in 4 businesses that paid still couldn't get their data back [2].
Also important: the U.S. Treasury's OFAC has warned that paying certain ransomware groups may violate federal sanctions law [3].
Before you pay anything: Go to nomoreransom.org [4]. It's a free website run by Europol and police agencies worldwide that has free "unlock codes" for many ransomware programs. You might not need to pay at all.
Your IT Person vs. a Security Specialist
Your regular IT person is skilled at keeping things running. Incident response — figuring out what happened and fixing it properly — is a specialist skill requiring different certifications, different tools, and a completely different approach [1]. Using your IT admin for incident response is like asking the building manager to also investigate the burglary.
After It's Over: Fix the Hole
The break-in happened because there was a way in. Once you're back up and running, you need to find that hole and seal it. That means:
- Turning on two-factor authentication everywhere (like needing both a key AND a PIN)
- Getting an expert to check for other weak spots
- Having a plan written down for next time — because there's always a next time
Your Action Items
- Save your cyber insurer's emergency number somewhere you can find it in a panic
- Know where your backups live and when they were last taken
- Bookmark nomoreransom.org right now [4]
- Turn on MFA (two-factor login) for your email, banking, and key systems today
- Know who to call for incident response — lilMONSTER offers a free consult
FAQ
What's the very first thing to do when I get hacked? Disconnect affected computers from your network immediately — pull the cable or turn off Wi-Fi — but do NOT turn them off or wipe them. Then call your cyber insurer before anything else. NIST SP 800-61r2 defines this isolation-without-destruction as the critical first containment step [1].
Why shouldn't I just reformat my computer after a hack? Reformatting destroys the forensic evidence investigators need to understand what happened, what data was accessed, and how the attacker got in. That evidence matters for insurance claims, legal cases, and making sure you don't get hacked the same way again [1].
Is there a free way to get ransomware removed? Often yes — check nomoreransom.org [4] for free decryption tools. This site is run by Europol and major police agencies and covers hundreds of known ransomware strains at no cost.
References
[1] P. Cichonski, T. Millar, T. Grance, and K. Scarfone, "Computer Security Incident Handling Guide," NIST Special Publication 800-61 Revision 2, National Institute of Standards and Technology, Aug. 2012. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
[2] Veeam Software, "2024 Ransomware Trends Report," Veeam Research, 2024. [Online]. Available: https://www.veeam.com/resources/wp-2024-ransomware-trends-executive-summary-apj.html
[3] U.S. Department of the Treasury, "Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments," OFAC Advisory, Oct. 2020. [Online]. Available: https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf
[4] No More Ransom Project (Europol / Dutch National Police), "Free Ransomware Decryption Tools," 2024. [Online]. Available: https://www.nomoreransom.org/
Worried your business isn't ready for this? Book a free consultation with lilMONSTER — we'll help you build a plan before you ever need it. Prevention costs a fraction of recovery.