Demo Mode

Every screen, flow, export, and remediation path is the real Veri-Guard product. The specific findings, scores, and runbooks shown are curated to illustrate a typical before/after story. Your tenant scan produces your own numbers.

Drill bundle · Veri-Guard · midmarket · 7 roles · 6-year WORM retention

Legacy-auth bypass leads to mass mailbox exfiltration

Your scan revealed legacy auth still permitted on 14 active users — this scenario exercises what happens when an attacker exploits that gap.

NIST CSF: Protect / Detect (PR.AC, DE.CM)
Generated at: May 7, 2026, 14:32 UTC
Source job: demo-assessment-0422
Source checksum: sha256:7a4c…e9f1

Run drill — live (demo)

Try the live drill runner — timer, inject Drop buttons, response capture, scoring rubric, the lock flow, AI Coaching feedback simulation, and the spectator URL handoff for attendees. No tokens consumed; no audit record produced. The lock will synthesize a real-looking session checksum (browser SHA-256) so you can see the locked-evidence view.


Bundle versions & edit history

Draft · editable

This drill bundle is editable until the first session is created. Each save appends a new version (v1, v2, …) with a SHA-256 captured in the audit chain — auditors can see exactly what changed, when, and by whom. The first Run drill click freezes the bundle: whatever version is active at that moment becomes the locked auditor-evidence source for every session that follows.


Sessions started right now will run against v1. The bundle freezes at v1 the first time someone clicks Run drill — make any edits before then.

Legacy-auth bypass leads to mass mailbox exfiltration

Veri-Guard · v1.0.0


NIST CSF · SOC 2 CC7.4 · ISO 27001 A.5.24 · HIPAA §164.308(a)(8)

NIST CSF: Protect / Detect (PR.AC, DE.CM)
Duration: 60–90 minutes
Injects: 5 timed
Rubric: 6 criteria

On a Tuesday morning at 06:47 UTC, your SOC tooling fires an alert: a finance VP's mailbox is being accessed via IMAP from an IP geolocated in a country where you have no employees. Conditional Access reports the sign-in was *not* challenged for MFA — because IMAP authenticates via legacy protocols that bypass modern auth policies. By 07:12 UTC, 4 additional finance accounts show similar IMAP sign-ins. Mail flow logs show automated rules forwarding inbound invoices to an external address. By the time the incident commander is paged at 08:30 UTC, the attacker has been resident for 1h43m.

Threat actor: Financially motivated, mid-tier APT proxy (likely TA505-aligned). Goal: BEC pre-positioning + invoice fraud.

Attack chain

  1. Initial access: Credential stuffing against IMAP endpoint using a leak from a third-party SaaS breach 6 months prior. MFA bypass succeeds because IMAP does not honor Conditional Access.
  2. Persistence: Attacker creates inbox rules that forward all incoming mail matching invoice/wire/payment keywords to attacker-controlled address; rule is hidden via SOAP-only RuleId.
  3. Lateral: Attacker pivots laterally by sending phishing from compromised mailbox to the rest of the finance team using internal trust.
  4. Objective: Attacker waits for a real invoice email, modifies banking instructions in flight, then forwards the modified invoice to AP for payment.

Affected assets

  • Finance VP mailbox (5GB, contains M&A-related correspondence)
  • 4 additional finance team mailboxes
  • AP processing workflow (downstream impact)
  • Reputation with vendors

Linked scan findings

Control ID · Severity · Finding
CIS-1.1.2 · High · Legacy authentication protocols not blocked
EIDSCA-AP03 · High · Block legacy authentication via Conditional Access
CIS-3.3.1 · Medium · External mail forwarding not denied at organization level

Generated from Veri-Guard scan demo-assessment-0422 on 2026-05-07. This is facilitator material — verify scenario specifics against your tenant before use. Veri-Tech does not warrant scenario fitness for any specific audit framework; pair with the source scan job (which IS auditor evidence) and your own IR plan.

AI generation provenance

Model: claude-haiku-4-5-20251001
Template version: v1.0.0
Generated at: May 7, 2026, 14:32 UTC
Org-shape snapshot: midmarket · 7 roles (frozen at generation time)

Auditors verify AI-generation lineage by reading _manifest.json in the source bundle (full token + cache accounting, generation timestamps, SHA-256 cross-references). The auditor ZIP carries it verbatim.

Auditor-grade artifacts

The three audience-tailored downloads below are demo replicas of what a locked session would produce — full Team Debrief PDF, board-packet Executive Brief PDF, and the Auditor ZIP with bundle audit chain + SHA-256 cross-references. The locked session backing these demo artifacts is pre-populated with realistic responses + scores so the PDFs render against meaningful content. Production artifacts ship with a 6-year WORM retention contract on a real Vault tenant; these are clearly watermarked as demo.

Edit history

Draft (editable)

Active version: v1. No sessions have been created yet — the bundle is still editable. The chain freezes at the first session creation.

  1. v1 · Facilitator save · May 7, 2026, 14:42 UTC
     By: demo.facilitator@veri-tech.net
     Bundle hash: sha256:b9d4c8e3f2a1
     Tightened the T+25 min inject + added missing vendor-coordination workload to the IR plan
     Fields changed (1):
     • injects[1].content
  2. v0 · AI baseline · May 7, 2026, 14:32 UTC
     By: claude-haiku-4-5-20251001
     Bundle hash: sha256:a8c3b7f2e1d9

Each version’s SHA-256 is captured in the IrTabletopBundleEdited / IrTabletopBundleFrozen audit events (App Insights, 6yr retention) and exported into the auditor ZIP’s manifest.json.

Demo mode: editable-draft saves never touch a server, no Anthropic tokens are consumed, and downloads carry a “DEMO ARTIFACT” watermark in their manifest disclaimer. In production: each save POSTs to /api/ir-tabletop-bundles/{drillId}/versions, computes a real server-side diff + SHA-256, appends to the WORM-protected audit chain, and emits an IrTabletopBundleEdited App Insights event with 6-year retention.
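The version-chain behaviour described in the Draft note and in the two paragraphs above, as an added example that is not Veri-Guard's own implementation: a canonical-JSON SHA-256 per save, each version linked to the previous hash, changed fields reported in the `injects[1].content` path notation used in the edit history, and a freeze at first session creation that rejects further saves. The bundle shape, the in-memory chain and the `sha256:` prefix format are assumptions.

```python
# Added example (not Veri-Guard code): a minimal version chain with the semantics
# described above. Every save hashes the canonical bundle, links to the previous
# version's hash and records the changed field paths; the first session freezes
# the chain. Bundle shape and the "sha256:" prefix format are assumptions.
import hashlib, json

def bundle_hash(bundle):
    """SHA-256 over canonical JSON so identical content always yields one hash."""
    canon = json.dumps(bundle, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(canon).hexdigest()

def changed_paths(old, new, prefix=""):
    """Dotted/indexed paths whose value differs, e.g. 'injects[1].content'."""
    if isinstance(old, dict) and isinstance(new, dict):
        return [p for k in sorted(set(old) | set(new))
                for p in changed_paths(old.get(k), new.get(k), f"{prefix}.{k}" if prefix else k)]
    if isinstance(old, list) and isinstance(new, list) and len(old) == len(new):
        return [p for i, (a, b) in enumerate(zip(old, new))
                for p in changed_paths(a, b, f"{prefix}[{i}]")]
    return [] if old == new else [prefix]

class BundleChain:
    def __init__(self, baseline, author):
        self.frozen = False
        self.versions = [{"v": 0, "by": author, "prev": None,
                          "hash": bundle_hash(baseline), "changed": []}]
        self.current = baseline

    def save(self, new_bundle, author):
        """Append v(n+1) with its diff; refused once a session has frozen the chain."""
        if self.frozen:
            raise PermissionError("bundle frozen at v%d" % self.versions[-1]["v"])
        rec = {"v": len(self.versions), "by": author, "prev": self.versions[-1]["hash"],
               "hash": bundle_hash(new_bundle), "changed": changed_paths(self.current, new_bundle)}
        self.versions.append(rec)
        self.current = new_bundle
        return rec

    def start_session(self):
        """First Run drill click: lock the active version as the auditor-evidence source."""
        self.frozen = True
        return self.versions[-1]["hash"]

    def verify(self):
        """Check that every record's prev field equals the recorded hash of its predecessor."""
        return all(v["prev"] == self.versions[i - 1]["hash"]
                   for i, v in enumerate(self.versions) if i > 0)
```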