13.2 The Incident Briefing

2–3 hours · Module 13

Incident INC-2026-0227-001

Before you start investigating, understand the environment and the incident context. This is the information you would receive in a real SOC briefing at shift handover, or in the initial alert notification from your SIEM.

Organisation profile: Northgate Engineering

| Attribute | Value |
|---|---|
| Employees | ~500 across 3 offices (London, Manchester, Edinburgh) |
| M365 licensing | E5 (all users) |
| Defender stack | Defender for Endpoint P2, Defender for Office 365 P2, Defender for Identity, Defender for Cloud Apps, Entra ID P2 |
| Sentinel | Deployed, Log Analytics workspace, M365 Defender connector, Entra ID connector |
| Conditional access | MFA required for all users (authenticator app). No device compliance requirement. Legacy auth not explicitly blocked. |
| MFA method | Microsoft Authenticator push for all users. No FIDO2. No certificate-based auth. |
| Managed SOC | BlueVoyant provides 24/7 alert monitoring. Internal team handles investigation and response. |
| Industry | Engineering / manufacturing. Handles sensitive client IP and financial data. |

Spot the gaps before the attacker does
Spot the gaps before the attacker does

Read the organisation profile again. Two critical gaps are visible: no device compliance requirement in conditional access, and no phishing-resistant MFA. If you identified these immediately, you are thinking like an attacker — and like the analyst who needs to harden this environment after the incident.

Incident timeline overview

| Day | Time (GMT) | Event |
|---|---|---|
| Day 1 | 09:14 | Wave 1: 23 phishing emails delivered (voicemail lure, finance department) |
| Day 1 | 09:17 | First user clicks link |
| Day 1 | 09:22 | Compromised sign-in via AiTM proxy (j.morrison) |
| Day 1 | 09:25 | Attacker creates inbox rule |
| Day 1 | 09:37 | ZAP removes email from 4 mailboxes |
| Day 1 | 09:40 | Defender XDR alert: “Email messages containing malicious URL removed after delivery” |
| Day 1 | 09:42 | SOC analyst begins triage |
| Day 1 | 09:50 | Containment complete (sessions revoked, password reset, inbox rule removed) |
| Day 1 | 21:00 | Wave 2: 41 emails (document sharing lure, all-staff) |
| Day 2 | 09:00 | Wave 3: 8 emails (IT password reset lure, executives) |
| Day 3 | 06:00 | Wave 4: 15 emails (benefits lure, HR) |
| Day 3 | 18:00 | Wave 5: 31 emails (project update lure, engineering) |
| Day 3 | 22:00 | Campaign concluded. All waves contained. Zero successful replays in Waves 2–5. |

Available data sources

For this investigation, you have access to:

| Data source | Table(s) | What it provides |
|---|---|---|
| Defender for Office 365 | EmailEvents, EmailUrlInfo, EmailPostDeliveryEvents, UrlClickEvents | Email delivery, URL verdicts, click tracking, ZAP actions |
| Entra ID | SigninLogs, AADNonInteractiveUserSignInLogs, AuditLogs | Authentication events, token activity, directory changes |
| Defender for Cloud Apps | CloudAppEvents | Inbox rule creation, mail forwarding, file access |
| Purview Audit | OfficeActivity (or unified audit log) | MailItemsAccessed, detailed mailbox operations |
| Defender for Endpoint | DeviceProcessEvents, DeviceNetworkEvents | Endpoint activity (less relevant for this scenario) |

MITRE ATT&CK mapping — expected techniques

Based on the AiTM attack pattern, these are the techniques you expect to find:

Expected MITRE ATT&CK techniques

| Tactic | Techniques |
|---|---|
| Initial Access | T1566.002 Spearphishing Link; T1557 Adversary-in-the-Middle |
| Credential Access | T1539 Steal Web Session Cookie; T1078.004 Cloud Accounts |
| Persistence | T1114.003 Email Forwarding Rule; T1137 Office Application Startup |
| Collection | T1114.002 Remote Email Collection; T1114 Email Collection |
| Defence Evasion | T1564.008 Email Hiding Rules; anti-analysis CAPTCHA on the proxy |
| Lateral Movement | T1534 Internal Spearphishing (attempted in later waves) |

Your investigation objectives

At the end of this module, you will have answers to these questions:

  1. How many users were targeted? How many clicked? How many were compromised?
  2. What did the attacker access during the compromise window?
  3. Did the attacker establish persistence (inbox rules, forwarding, OAuth grants)?
  4. Did the attacker send lateral phishing from compromised accounts?
  5. What is the phishing kit’s infrastructure pattern (for blocking future waves)?
  6. What hardening changes prevent this attack from succeeding again?
  7. What detection rules catch this attack pattern automatically?

Try it yourself — before you start

Based on the organisation profile and incident timeline, write down the 3 queries you would run first. Do not look at the next subsection. Think about what data you need and which tables contain it.

An experienced analyst typically starts with these three:

1. Scope the phishing campaign: EmailEvents filtered by threat type or sender domain. How many emails, how many recipients, what was the delivery action?

2. Who clicked? UrlClickEvents filtered by the phishing URL. Which users clicked through Safe Links?

3. Token replay check: AADNonInteractiveUserSignInLogs for the clicked users, looking for sign-ins from IPs not in their baseline.

If your list matches, you are thinking like a SOC analyst. If it differs, that is fine — there is more than one valid starting point. The important thing is that you had a plan before executing.
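The three starting queries above, chained into one Sentinel KQL pipeline. This is an added example written for this briefing, not a query from the module or from Northgate's SOC; the sender domain is a placeholder, the Day 1 date is an assumption inferred from the incident ID, and the 30-day baseline window is a choice, not something the page specifies.

```kql
// Added example (not from the module). Placeholders are marked; replace them
// with the campaign's actual sender domain and Day 1 timestamp.
let campaignStart = datetime(2026-02-27 09:00);   // assumed Day 1 (inferred from INC-2026-0227-001)
let campaignEnd   = campaignStart + 3d;            // timeline runs Day 1 to Day 3
let senderDomain  = "PHISH-SENDER-DOMAIN-PLACEHOLDER";
// 1. Scope the campaign: every message from the lure sender in the window
let campaignMail =
    EmailEvents
    | where Timestamp between (campaignStart .. campaignEnd)
    | where SenderFromDomain =~ senderDomain
    | project NetworkMessageId, RecipientEmailAddress, Subject, DeliveryAction, LatestDeliveryAction;
// 2. Who clicked: Safe Links click events tied to those exact messages
let clickers =
    UrlClickEvents
    | where Timestamp between (campaignStart .. campaignEnd)
    | where ActionType == "ClickAllowed" or IsClickedThrough == true
    | join kind=inner campaignMail on NetworkMessageId
    | summarize FirstClick = min(Timestamp), Clicks = count(), Urls = make_set(Url)
        by AccountUpn;
// 3a. Baseline: IPs each user signed in from during the 30 days before the campaign
let baselineIPs =
    SigninLogs
    | where TimeGenerated between ((campaignStart - 30d) .. campaignStart)
    | where ResultType == "0"
    | summarize KnownIPs = make_set(IPAddress) by UserPrincipalName;
// 3b. Token replay check: successful non-interactive sign-ins for clickers,
//     after their first click, from an IP outside their baseline
AADNonInteractiveUserSignInLogs
| where TimeGenerated between (campaignStart .. campaignEnd)
| where ResultType == "0"
| join kind=inner clickers on $left.UserPrincipalName == $right.AccountUpn
| where TimeGenerated >= FirstClick
| join kind=leftouter baselineIPs on UserPrincipalName
| where isnull(KnownIPs) or not(set_has_element(KnownIPs, IPAddress))
| summarize SignIns = count(), Apps = make_set(AppDisplayName), FirstSeen = min(TimeGenerated)
    by UserPrincipalName, IPAddress, Location
| order by FirstSeen asc
```

A user appearing in the final result with a FirstSeen only minutes after their click, from an IP and location they have never used, is the replay pattern the Day 1 09:22 sign-in represents.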