Security Engineer
Security, hard, 19 credits, Interview mode

The CFO Clicked

A spoofed login caught real credentials — find the blast radius before payroll runs

Frontier Labs, 4.6 (667), 7,337 taken, 25m, Security Engineer

The situation

The CFO forwarded a 'DocuSign' email twenty minutes ago asking if it was real. It wasn't — and the audit log shows she already entered her password and an MFA code on the attacker's reverse-proxy page. There's now a live session token in someone else's hands, payroll runs in three hours, and the CFO can approve wires. You need to kill the session, rotate what matters, hunt for inbox rules and OAuth grants the attacker may have planted, and decide who else got the same lure — calmly, without making the CFO feel like she's on trial.

What you'll practice

Revoked active sessions/tokens before resetting the password. Show it clearly — with evidence a reviewer can point to.
Hunted for attacker persistence (inbox rules, OAuth apps, forwarding). Show it clearly — with evidence a reviewer can point to.
Identified and contained others who received the same campaign. Show it clearly — with evidence a reviewer can point to.
Treated the victim as a partner, not a culprit. Show it clearly — with evidence a reviewer can point to.

The room

2 autonomous AI coworkers, each with their own agenda. They won't all agree.

Eli Brandt
IT Helpdesk Lead
Wants: To just 'reset her password' and close the ticket; doesn't grasp token replay
Style: Helpful, literal, eager to mark things resolved
Coraline Fox
CFO (the victim)
Wants: Embarrassed, worried she'll be blamed, has a board call she can't move
Style: Sharp, proud, will shut down if you scold her

Your workspace

Real tools, pre-seeded with context. You're not roleplaying, you're working.

Code / IDE, Team chat, Docs / wiki, Email

Scored on

Containment, Investigation, Communication, Prevention
