Tier 1 SOC

Phishing Triage Lab

Drop into an inbox of 30 simulated emails. Identify the malicious ones, document the indicators, and escalate the right ones. Your score is graded against a SOC playbook covering phishing, BEC, invoice fraud, and malware delivery.

Inbox size30

Malicious emails10

Benign emails20

Pass mark75%

Inbox

Classify each message, pick a severity, decide whether to escalate, and note the indicators that led you there.

#1 • Action required: Microsoft 365 password expires today

From
it-helpdesk@company-support.com

Preview
Keep your mailbox active by confirming your password within 30 minutes.

Action
Triage and escalate if needed

We detected unusual sign-in errors on your Microsoft 365 account. To avoid mailbox lockout, verify your password immediately at hxxps://microsoft365-companysupport[.]com/login.

Classification

Severity

Escalate

Indicators / analyst notes

#2 • Your package is on the way

From
shipping@fedex.com

Preview
Tracking update for shipment 774920193.

Action
Triage and escalate if needed

Your package departed the local sorting facility and is scheduled for Monday delivery. View tracking details in the FedEx app.

Classification

Severity

Escalate

Indicators / analyst notes

#3 • Updated remittance instructions for April invoice

From
accounts@vend0r-payments.com

Preview
Please use the attached banking details for today's transfer.

Action
Triage and escalate if needed

Hi Finance Team, our bank changed after an audit. Please see attached remittance_form.pdf and route all open invoices to the new account today.

Classification

Severity

Escalate

Indicators / analyst notes

#4 • Open enrollment webinar recording

From
benefits@hr.company.com

Preview
Replay and FAQ links for the benefits session.

Action
Triage and escalate if needed

Thanks for attending the open enrollment session. The webinar recording and FAQ are available on the HR portal.

Classification

Severity

Escalate

Indicators / analyst notes

#5 • Need a favor before the board call

From
ceo-office@company-mail.com

Preview
Can you purchase 10 gift cards in the next 15 minutes?

Action
Triage and escalate if needed

I'm heading into the board call and need Apple gift cards for client appreciation. Reply with the codes only, keep this private, and do not call because I'm tied up.

Classification

Severity

Escalate

Indicators / analyst notes

#6 • Weekly standup invitation

From
zoom@zoom.us

Preview
Monday recurring meeting invite.

Action
Triage and escalate if needed

You have been invited to the weekly engineering standup. Join via the standard Zoom client using your calendar link.

Classification

Severity

Escalate

Indicators / analyst notes

#7 • Completed: NDA for Northwind Labs

From
docs@docusign.net

Preview
A document you signed has been completed.

Action
Triage and escalate if needed

This message confirms the NDA package has been completed and stored in your DocuSign account. No action is required.

Classification

Severity

Escalate

Indicators / analyst notes

#8 • Unusual sign-in attempt blocked

From
security@okta-alerts.com

Preview
Review your device list now.

Action
Triage and escalate if needed

We blocked a sign-in attempt from Moscow. Review devices here: hxxps://okta-alerts-company[.]com/device-review to keep your access.

Classification

Severity

Escalate

Indicators / analyst notes

#9 • This week in cyber

From
news@substack.com

Preview
Fresh posts from newsletters you follow.

Action
Triage and escalate if needed

Here are the latest posts from newsletters you subscribed to. Manage subscriptions from your Substack account.

Classification

Severity

Escalate

Indicators / analyst notes

#10 • April payslip available

From
payroll@company.com

Preview
Your payslip is ready in Workday.

Action
Triage and escalate if needed

Your monthly payslip is now available in Workday. Use the normal employee portal to view it.

Classification

Severity

Escalate

Indicators / analyst notes

#11 • Shared file: Q2 workforce planning

From
sharedfiles@dropboxbusiness-support.com

Preview
Protected HTML attachment included.

Action
Triage and escalate if needed

Please open the attached Review_Document.html and sign in with Microsoft to decrypt the secure file.

Classification

Severity

Escalate

Indicators / analyst notes

#12 • Dependabot found 2 vulnerable dependencies

From
alerts@github.com

Preview
Review suggested fixes in your repository.

Action
Triage and escalate if needed

Dependabot found vulnerable packages in your repository and opened pull requests with version bumps.

Classification

Severity

Escalate

Indicators / analyst notes

#13 • Scan to email from Xerox 7845

From
printer-room-3@company.com

Preview
Attachment: scan_20260418.pdf

Action
Triage and escalate if needed

Please find attached your scanned document from the office multifunction printer.

Classification

Severity

Escalate

Indicators / analyst notes

#14 • Re: PO 44891 updated quote

From
procurement@trusted-supplier.com

Preview
Attached is the revised quote and lead time.

Action
Triage and escalate if needed

Per your request, attached is the revised quote for PO 44891. Lead time remains 14 business days.

Classification

Severity

Escalate

Indicators / analyst notes

#15 • VPN profile update required

From
vpn-team@secureconnect-company.net

Preview
Install the attached patch before remote work today.

Action
Triage and escalate if needed

Remote users must install the attached VPN_Update.zip and run update.html to restore connectivity after the weekend maintenance window.

Classification

Severity

Escalate

Indicators / analyst notes

#16 • Event changed: Partner sync moved to 3:30 PM

From
calendar-notify@google.com

Preview
Updated calendar invitation.

Action
Triage and escalate if needed

The meeting organizer changed the time of Partner sync to 3:30 PM UTC. See Google Calendar for details.

Classification

Severity

Escalate

Indicators / analyst notes

#17 • Adobe Sign document pending

From
support@adobe-mail.com

Preview
Open attached PDF to review the agreement.

Action
Triage and escalate if needed

Open the attached PDF and click the embedded secure button to log in and view the document.

Classification

Severity

Escalate

Indicators / analyst notes

#18 • New comment on your PowerPoint

From
office@microsoft.com

Preview
A teammate mentioned you in a slide deck.

Action
Triage and escalate if needed

A teammate left a comment on the project deck. Open the normal Office notification center to review.

Classification

Severity

Escalate

Indicators / analyst notes

#19 • Water shutdown on level 4 tonight

From
facilities@company.com

Preview
Planned maintenance notice.

Action
Triage and escalate if needed

Facilities will shut off water on level 4 tonight from 8 PM to 10 PM for pipe maintenance.

Classification

Severity

Escalate

Indicators / analyst notes

#20 • Itinerary change and secure travel doc

From
travel-desk@company-travel.net

Preview
Open attachment to see airline schedule change.

Action
Triage and escalate if needed

Attached is your updated itinerary in Itinerary_Change.xlsm. Enable content to display the refreshed flight schedule and e-ticket barcode.

Classification

Severity

Escalate

Indicators / analyst notes

#21 • Task assigned: finalize sponsor pricing page

From
notifications@asana.com

Preview
You were assigned a new task in Asana.

Action
Triage and escalate if needed

You were assigned a task in Asana. Review from the normal Asana workspace.

Classification

Severity

Escalate

Indicators / analyst notes

#22 • Wire this before noon

From
accounts-payable@company.co

Preview
I'm in transit, keep this between us.

Action
Triage and escalate if needed

Can you process a same-day wire for the new partner? I'm boarding now, so just confirm once sent. Don't call, I'll explain later.

Classification

Severity

Escalate

Indicators / analyst notes

#23 • You were mentioned in #ops

From
noreply@slack.com

Preview
Open Slack to see the conversation.

Action
Triage and escalate if needed

Someone mentioned you in #ops. Open Slack normally to respond.

Classification

Severity

Escalate

Indicators / analyst notes

#24 • Secure voicemail attached

From
alerts@box-notify.com

Preview
Download the voice message and sign in to hear it.

Action
Triage and escalate if needed

A voicemail was left for you. Open VoiceMessage.zip and launch ListenNow.html to access the recording.

Classification

Severity

Escalate

Indicators / analyst notes

#25 • Your weekly campaign digest

From
marketing@hubspot.com

Preview
Performance snapshot for your campaigns.

Action
Triage and escalate if needed

This week's campaign digest is ready in HubSpot. View the dashboard using your saved login.

Classification

Severity

Escalate

Indicators / analyst notes

#26 • Receipt for your payment

From
service@paypal.com

Preview
If you did not authorize this, review immediately.

Action
Triage and escalate if needed

We noticed a payment of $899.99 to Coinbyte Gift Services. If this was not you, call 1-888-555-0192 or open the resolution page at hxxps://paypal-resolutiondesk[.]com.

Classification

Severity

Escalate

Indicators / analyst notes

#27 • INC-10492 resolved

From
service-now@company.com

Preview
Your ticket has been closed.

Action
Triage and escalate if needed

ServiceNow ticket INC-10492 has been resolved. Reopen the ticket from the normal portal if the issue persists.

Classification

Severity

Escalate

Indicators / analyst notes

#28 • Confluence page shared with you

From
updates@atlassian.com

Preview
Review the new shared page.

Action
Triage and escalate if needed

A page was shared with you in Confluence. Use the standard Atlassian workspace to view it.

Classification

Severity

Escalate

Indicators / analyst notes

#29 • Billing exception detected on your AWS account

From
billing@aws-team-mail.com

Preview
Open the secure report to avoid service disruption.

Action
Triage and escalate if needed

Review the attached AWS_Billing_Report.html and sign in to validate the flagged charges before your resources are suspended.

Classification

Severity

Escalate

Indicators / analyst notes

#30 • Your design export is ready

From
hello@canva.com

Preview
Download the PNG from Canva.

Action
Triage and escalate if needed

Your requested design export is ready in Canva. Open Canva normally to download the PNG.

Classification

Severity

Escalate

Indicators / analyst notes

SOC playbook

Escalate all credential harvesting, BEC, invoice fraud, and malware delivery events.
Severity should match likely impact. Malware and executive fraud should trend critical.
Document concrete indicators, not vibes. Domains, attachments, urgency, spoofing, credential lures, and execution steps matter.
Benign emails should not be escalated just because they mention cloud brands or normal workflow tools.

Scoring

50% classification accuracy
20% escalation accuracy
15% severity accuracy
15% indicator quality

If a host website callback is configured, this lab will POST pass/fail and score after grading.