Editing phish-header-triage
{ "slug": "phish-header-triage", "tags": [ "phishing", "interactive", "guided-lab" ], "flags": [ { "key": "final", "value": "ZDL{lookalike-domain-and-fake-relay}" } ], "hints": [ { "id": "hint-1", "content": "The sender domain is doing a lookalike trick. Read it slowly, character by character.", "penaltyPoints": 0 }, { "id": "hint-2", "content": "The Received chain shows the message was submitted from workstation-77 at 45.67.221.19, which is not what you expect from a normal SaaS billing platform.", "penaltyPoints": 5 } ], "title": "Suspicious Invoice Header Triage", "runtime": { "mode": "artifacts_only", "cpuLimit": 1, "exposePorts": [], "templateKey": "phishing-artifact-lab", "memoryLimitMb": 512, "artifactsMountPath": "/lab/artifacts" }, "summary": "Analyze a suspicious invoice email, identify the spoofing clues, and justify the response like a real analyst.", "scenario": "Accounts Payable forwarded a message that claims an invoice must be reviewed before noon to avoid a supplier hold. 
You need to decide whether it is legitimate, isolate the strongest technical indicators, and recommend the next operational step.", "artifacts": [ { "key": "primary", "path": "artifacts/phish-header-triage.eml", "type": "eml", "label": "Suspicious invoice email (.eml)", "downloadable": true }, { "key": "workbench", "path": "artifacts/index.html", "type": "text_blob", "label": "Browser workbench", "downloadable": true } ], "questions": [ { "key": "q1", "type": "short_text", "answer": "paypa1-secure.com", "points": 10, "prompt": "Which lookalike sender domain is the clearest phishing indicator?", "caseSensitive": false }, { "key": "q2", "type": "short_text", "answer": "workstation-77", "points": 10, "prompt": "What host name in the Received chain suggests the email was submitted from an end-user system instead of a legitimate vendor mail platform?", "caseSensitive": false }, { "key": "q3", "type": "short_text", "answer": "quarantine and escalate", "points": 10, "prompt": "What should the analyst do next after classifying this message?", "caseSensitive": false }, { "key": "flag-final", "type": "flag", "answer": "ZDL{lookalike-domain-and-fake-relay}", "points": 20, "prompt": "Submit the final lab flag.", "caseSensitive": true } ], "trackSlug": "soc-analyst-phishing-email-investigation", "difficulty": "beginner", "trackTitle": "SOC Analyst – Phishing Email Investigation", "instructions": [ { "id": "step-1", "title": "Open the live workbench", "content": "Use the runtime panel to inspect the rendered evidence page, then download the .eml if you want to validate the raw message yourself." }, { "id": "step-2", "title": "Triage the headers", "content": "Compare the visible sender to the underlying path the message took. Identify the first clue that shows this is not normal vendor mail." }, { "id": "step-3", "title": "Make the analyst call", "content": "Decide whether the message should be delivered, quarantined, or escalated. 
Your answer should reflect the evidence, not just suspicion." } ], "estimatedMinutes": 20, "timeLimitMinutes": 30, "learningObjectives": [ "Correlate From, Reply-To, Return-Path, and Received headers instead of trusting the visible sender alone.", "Recognize a lookalike domain and explain why it matters in business-email phishing.", "Turn raw email evidence into a defensible analyst recommendation." ], "dbLabId": "83fae2f2-1438-480a-9b87-fcb80677ad35" }