Legacy-auth bypass leads to mass mailbox exfiltration
Your scan revealed legacy auth still permitted on 14 active users — this scenario exercises what happens when an attacker exploits that gap.
Hand out attendee links — no screen sharing required
At drill kickoff you hand out two URLs so every attendee can follow + participate live from their own device, no Teams call needed:
1. Spectator URL — read-only timer + current inject + delivery progress, refreshes every 3 seconds. For observers, security leadership, anyone watching but not participating. Works on a conference-room TV too.
2. Participant URL — each attendee picks their role from your org-shape roster and submits their own written answer per inject. Submissions stream onto your facilitator screen in real time, role-tagged. When you Drop the inject, their answers are locked into the evidence record next to the team’s consensus response — full attribution preserved in the auditor ZIP.
Demo note: only the spectator URL is wired in the demo. The participant flow requires real auth and your tenant’s org-shape roster, so it doesn’t run client-side.
Scenario
On a Tuesday morning at 06:47 UTC, your SOC tooling fires an alert: a finance VP's mailbox is being accessed via IMAP from an IP geolocated in a country where you have no employees. The Conditional Access report shows the sign-in was *not* challenged for MFA: IMAP here uses basic (legacy) authentication, which cannot complete an MFA prompt, and no Conditional Access policy in the tenant blocks legacy-auth clients, so the password alone was enough. By 07:12 UTC, 4 additional finance accounts show similar IMAP sign-ins. Mail flow logs show automated rules forwarding inbound invoices to an external address. By the time the incident commander is paged at 08:30 UTC, the attacker has been resident for at least 1h43m, counting from the first alert.
Threat actor + attack chain
Financially motivated, mid-tier APT proxy (likely TA505-aligned). Goal: BEC pre-positioning + invoice fraud.
1. Initial access: credential stuffing against the IMAP endpoint with a password from a third-party SaaS breach 6 months prior. No MFA challenge occurs: basic-auth IMAP clients cannot complete an MFA prompt, and the tenant has no Conditional Access policy that blocks legacy-auth client types, so the sign-in is evaluated on the password alone.
2. Persistence: the attacker creates inbox rules that forward every inbound message matching invoice/wire/payment keywords to an attacker-controlled address. The rules are created through the EWS (SOAP) API rather than the Outlook UI and are flagged hidden, so they do not appear in the Outlook rules pane and surface only in a server-side enumeration (Get-InboxRule -IncludeHidden).
3. Lateral movement: the attacker sends phishing from the compromised mailbox to the rest of the finance team, trading on internal trust (a real sender, no external-mail banner).
4. Objective: the attacker waits for a real invoice email, modifies the banking instructions in flight, then forwards the modified invoice to AP for payment.
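The detection behind step 1, as an added example that is not part of the drill page: it takes Entra ID sign-in records, keeps successful legacy-auth sign-ins that were not MFA-satisfied, groups them by source /24, and flags any block where several distinct users authenticate inside a short window. The `$signIns` array is constructed sample data shaped like Microsoft Graph `signIn` objects (user names, addresses and times are placeholders); the `Get-MgAuditLogSignIn` call in the comment is how you would pull the real records.

```powershell
# Constructed sample sign-in records (placeholders), shaped like Graph signIn objects.
# Live data: Get-MgAuditLogSignIn -Filter "clientAppUsed eq 'IMAP4'" -All
$signIns = @(
    [pscustomobject]@{ userPrincipalName = 'vp.finance@example.com'; ipAddress = '203.0.113.17'; clientAppUsed = 'IMAP4';   authenticationRequirement = 'singleFactorAuthentication'; createdDateTime = [datetime]'2024-03-12T06:44:10Z'; status = @{ errorCode = 0 } }
    [pscustomobject]@{ userPrincipalName = 'ap.clerk1@example.com';  ipAddress = '203.0.113.22'; clientAppUsed = 'IMAP4';   authenticationRequirement = 'singleFactorAuthentication'; createdDateTime = [datetime]'2024-03-12T06:46:02Z'; status = @{ errorCode = 0 } }
    [pscustomobject]@{ userPrincipalName = 'ap.clerk2@example.com';  ipAddress = '203.0.113.22'; clientAppUsed = 'IMAP4';   authenticationRequirement = 'singleFactorAuthentication'; createdDateTime = [datetime]'2024-03-12T06:47:35Z'; status = @{ errorCode = 0 } }
    [pscustomobject]@{ userPrincipalName = 'controller@example.com'; ipAddress = '203.0.113.41'; clientAppUsed = 'IMAP4';   authenticationRequirement = 'singleFactorAuthentication'; createdDateTime = [datetime]'2024-03-12T06:49:50Z'; status = @{ errorCode = 0 } }
    [pscustomobject]@{ userPrincipalName = 'treasury@example.com';   ipAddress = '203.0.113.41'; clientAppUsed = 'IMAP4';   authenticationRequirement = 'singleFactorAuthentication'; createdDateTime = [datetime]'2024-03-12T06:51:12Z'; status = @{ errorCode = 0 } }
    # Benign noise: the VP's own modern-auth session with MFA, and a failed IMAP attempt from elsewhere.
    [pscustomobject]@{ userPrincipalName = 'vp.finance@example.com'; ipAddress = '198.51.100.8'; clientAppUsed = 'Browser'; authenticationRequirement = 'multiFactorAuthentication';  createdDateTime = [datetime]'2024-03-12T06:50:00Z'; status = @{ errorCode = 0 } }
    [pscustomobject]@{ userPrincipalName = 'sales@example.com';      ipAddress = '192.0.2.77';   clientAppUsed = 'IMAP4';   authenticationRequirement = 'singleFactorAuthentication'; createdDateTime = [datetime]'2024-03-12T06:48:00Z'; status = @{ errorCode = 50126 } }
)

function Find-LegacyAuthClusters {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int] $WindowMinutes = 10,   # the analyst's "last 10 minutes"
        [int] $MinUsers      = 3     # distinct users from one /24 before we page
    )
    # Client-app labels Entra assigns to basic-auth protocols. None of these can
    # complete an MFA prompt, so a successful sign-in here was password-only.
    $legacyClients = @('IMAP4', 'POP3', 'Authenticated SMTP', 'Exchange ActiveSync', 'Other clients')

    $candidates = $SignIns | Where-Object {
        $_.status.errorCode -eq 0 -and
        $legacyClients -contains $_.clientAppUsed -and
        $_.authenticationRequirement -ne 'multiFactorAuthentication'
    }

    # Group by source /24 (the analyst's "single IP block"), then slide a window
    # over each block's events and count distinct users inside it.
    foreach ($block in ($candidates | Group-Object -Property { ($_.ipAddress -split '\.')[0..2] -join '.' })) {
        $events = $block.Group | Sort-Object createdDateTime
        foreach ($start in $events) {
            $end      = $start.createdDateTime.AddMinutes($WindowMinutes)
            $inWindow = $events | Where-Object { $_.createdDateTime -ge $start.createdDateTime -and $_.createdDateTime -le $end }
            $users    = $inWindow.userPrincipalName | Sort-Object -Unique
            if ($users.Count -ge $MinUsers) {
                [pscustomobject]@{
                    IpBlock   = "$($block.Name).0/24"
                    Users     = $users
                    FirstSeen = $start.createdDateTime
                    LastSeen  = ($inWindow | Select-Object -Last 1).createdDateTime
                }
                break   # one finding per /24 is enough to page the IC
            }
        }
    }
}

Find-LegacyAuthClusters -SignIns $signIns | Format-List
```

On the sample above only the 203.0.113.0/24 block is reported, with the five finance users; the browser sign-in is excluded because it satisfied MFA, and the single failed IMAP attempt from 192.0.2.77 never reaches the user-count threshold. Thresholds are deliberately parameters: a /24 with one legacy-auth user is normal in a tenant with 14 of them still permitted, several in ten minutes is not.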
Timed injects
Each inject lists its scheduled trigger time. When the drill clock passes that time, the inject highlights amber as a hint — but YOU pace the drill: click Drop inject to mark it delivered (timestamp captured for the audit record), then capture the team’s response. The “Expected action” line is your facilitator-only debrief reference.
Your SOC analyst pages the on-call IC at 06:52 UTC: 'I see IMAP sign-ins for 5 finance users in the last 10 minutes from a single IP block. They all succeeded, bypassing MFA. What do you want me to do?' The IC has 90 seconds to give a containment instruction.
Expected action (facilitator-only): IC instructs to block legacy authentication now: a Conditional Access policy that blocks legacy-auth client types (Exchange ActiveSync and 'Other clients'), with IMAP/POP additionally disabled on the five mailboxes and their sessions revoked. A blanket 'MFA required for everything' CA policy also stops these clients, since they cannot complete MFA, but it is more likely to over-block unrelated workloads. Captures the decision tree: block immediately vs. observe to scope the breach, noting that observing leaves the forwarding rules running.
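The containment the expected action describes, followed by the eradication sweep the scoring rubric later asks for ("inbox rules enumerated across ALL mailboxes"), as an added example that is not the drill page's own tooling. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules with an admin session already established (`Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','User.RevokeSessions.All'` and `Connect-ExchangeOnline`); `$affected`, `$breakGlassId` and the internal domain list are placeholders to fill in for your tenant. The `Find-ExternalForwarding` function and its property names are this example's, not the page's.

```powershell
# Placeholders for your tenant.
$affected     = @('vp.finance@example.com', 'ap.clerk1@example.com')   # the five accounts from the alert
$breakGlassId = '00000000-0000-0000-0000-000000000000'                  # object ID of the emergency-access account

# 1. Containment, tenant-wide: block the client-app types that cannot complete MFA.
#    Narrower than "require MFA for everything", which also fails these clients
#    but is more likely to over-block unrelated workloads.
$policy = @{
    displayName   = 'IR: block legacy authentication'
    state         = 'enabled'   # 'enabledForReportingButNotEnforced' to stage it first
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null

# 2. Containment, per mailbox: close the protocol door and cut live sessions.
#    Basic auth presents the password on every connection, so revoking tokens
#    alone does not evict an IMAP client; reset the passwords out of band as well.
foreach ($upn in $affected) {
    Set-CASMailbox -Identity $upn -ImapEnabled $false -PopEnabled $false -SmtpClientAuthenticationDisabled $true
    Revoke-MgUserSignInSession -UserId $upn | Out-Null
}

# 3. Eradication: sweep EVERY mailbox for forwarding outside the org, including
#    hidden rules and mailbox-level forwarding that is not an inbox rule at all.
function Find-ExternalForwarding {
    param([Parameter(Mandatory)] [string[]] $InternalDomains)
    $emailRx = '[\w.+-]+@[\w.-]+\.\w+'

    function Test-ExternalAddress([string] $Address) {
        -not ($InternalDomains | Where-Object { $Address -like "*@$_" })
    }

    Get-EXOMailbox -ResultSize Unlimited -Properties PrimarySmtpAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    ForEach-Object {
        $mbx = $_.PrimarySmtpAddress.ToString()
        # Mailbox-level forwarding (Set-Mailbox), easy to miss when only rules are checked.
        if ($_.ForwardingSmtpAddress) {
            $fwd = [regex]::Match($_.ForwardingSmtpAddress.ToString(), $emailRx).Value
            if (Test-ExternalAddress $fwd) {
                [pscustomobject]@{ Mailbox = $mbx; Rule = '<mailbox-level forwarding>'; Identity = $null
                                   Enabled = $true; ExternalTargets = @($fwd); Deletes = -not $_.DeliverToMailboxAndForward }
            }
        }
        # -IncludeHidden surfaces rules that do not show in the Outlook rules pane.
        Get-InboxRule -Mailbox $mbx -IncludeHidden | ForEach-Object {
            $rule    = $_
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                       Where-Object { $_ } |
                       ForEach-Object { [regex]::Matches([string]$_, $emailRx).Value }
            $external = @($targets | Where-Object { Test-ExternalAddress $_ })
            # Flag external forwarding, forward-and-delete, and nameless rules (typical of hidden ones).
            if ($external -or ($rule.DeleteMessage -and $targets) -or [string]::IsNullOrWhiteSpace($rule.Name)) {
                [pscustomobject]@{ Mailbox = $mbx; Rule = $rule.Name; Identity = $rule.Identity
                                   Enabled = $rule.Enabled; ExternalTargets = $external; Deletes = [bool]$rule.DeleteMessage }
            }
        }
    }
}

$findings = Find-ExternalForwarding -InternalDomains @('example.com')   # your accepted domains
$findings | Format-Table Mailbox, Rule, ExternalTargets, Enabled, Deletes -AutoSize
# Review, then disable rather than delete so the rule body survives as evidence:
#   $findings | Where-Object Identity | ForEach-Object { Disable-InboxRule -Identity $_.Identity -Mailbox $_.Mailbox -Confirm:$false }
```

Keep the sweep output with the evidence record: the rubric's difference between a 2 ("visible rules removed; hidden rules missed") and a 5 is exactly whether the enumeration covered every mailbox with hidden rules included, and the list of what was disabled, when, and by whom is what the auditor ZIP needs.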
Share the participant URL to invite team input. Submissions reveal here as they land.
Legal joins the bridge. They ask: 'Was any PHI in the affected mailboxes?' Two of the five mailboxes have HR records that include health benefit elections. Facilitator note (added in v1): if the team cannot answer within the inject window, the IR pre-built escalation tree applies — escalate to the named owner one tier above before the response runs over.
Expected action (facilitator-only): Team documents the §164.402 four-factor risk assessment: (1) the nature and extent of the PHI involved, (2) the unauthorized person who used it or to whom it was disclosed, (3) whether the PHI was actually acquired or viewed (here the IMAP sessions could read the mailbox and the rules forwarded matching mail), and (4) the extent to which the risk has been mitigated. Decision on breach notification timing, with any low-probability-of-compromise conclusion recorded together with its evidence.
Finance team lead notices an invoice they processed yesterday had banking instructions that don't match the vendor's last-known account. The wire was sent. Amount: $84,000.
Expected action (facilitator-only): Team triggers wire-recall procedure with bank within 24-hour window. Documents whether AP has a 'verify by phone before changing banking instructions' SOP. If not, this becomes a Phase-2 remediation item.
Communications lead asks: 'When do we tell employees? Customers? The board?' The compromised VP is going to need to know they were the entry point.
Expected action (facilitator-only): Team documents the comms cascade: internal-first (employees + board notification timeline), then customers if data was exposed, then the HIPAA notices: affected individuals per §164.404 without unreasonable delay and within 60 days regardless of how many are affected, HHS per §164.408 (at the same time as the individual notices if 500 or more individuals are affected, otherwise logged for the annual submission), and media per §164.406 if more than 500 residents of a state are affected.
Wrap-up: hand each participant the scoring rubric and ask for a 1–5 rating on each criterion based on the team's performance during the tabletop.
Expected action (facilitator-only): Rubric scoring captured; weak areas become Phase-2 remediation items.
Scoring rubric
0.00 / 5 running average
Rate the team’s performance on each criterion (1 = poor, 5 = excellent). Notes are optional facilitator commentary.
Detection time (alert → IC paged)
weight: 20. Threshold reference:
- 5: ≤5 min
- 4: ≤15 min
- 3: ≤60 min
- 2: ≤4 hr
- 1: >4 hr or detected externally
Containment decision quality
weight: 20. Threshold reference:
- 5: Correct technical block within 5 min of paging, no over-block
- 4: Correct block, slight delay or minor over-block
- 3: Eventually correct, significant delay
- 2: Partial block, leaves entry vector open
- 1: Wrong action or no decision
Eradication completeness
weight: 15. Threshold reference:
- 5: Inbox rules enumerated across ALL mailboxes, all sessions revoked, all tokens rotated
- 4: Affected mailboxes scoped completely, rules removed
- 3: Affected accounts addressed but no broader sweep
- 2: Visible rules removed; hidden rules missed
- 1: Account password reset only
§164.402 4-factor analysis
weight: 15. Threshold reference:
- 5: All 4 factors documented with evidence, decision recorded with timestamps
- 4: All 4 factors discussed, partial documentation
- 3: Decision made but factors not all documented
- 2: Decision made without explicit 4-factor framing
- 1: No breach-determination process invoked
Communication cascade
weight: 15. Threshold reference:
- 5: Cascade documented with named owners + timing per audience
- 4: Cascade discussed, owners identified
- 3: Audiences identified, owners ambiguous
- 2: Only some audiences discussed
- 1: No comms plan invoked
Recovery validation
weight: 15. Threshold reference:
- 5: AP queue audited end-to-end, all open invoices verified, vendor banking re-validated
- 4: Affected invoices identified and reconciled
- 3: Wire recall attempted but no broader queue audit
- 2: Awareness of risk but no action
- 1: No recovery validation step invoked
Lock & save
Locking the session writes an immutable, SHA-256-checksummed evidence record into Veri-Vault. Once locked, this session cannot be edited — it becomes the auditor-grade record of the drill alongside the source bundle.
All criteria must be scored before lock — currently scored 0 of 6.
