
Four live incidents.
One shared SOC.

Every foyl Mock tool is loaded with the same fictional incidents. Work the same attack from the perspective of a SIEM analyst, EDR responder, threat intelligence team, or SOAR engineer — and see how each platform fits into containment.

4 scenarios · 10 tools · 5 labs · MITRE ATT&CK v14.1 · Ficsit Inc. · Pioneer Division

IRON CHIMNEY · INV-2024-0087 · CRITICAL · RANSOMWARE · ACTIVE

An AiTM phishing email targets marcus.chen (Finance Sr. Manager) via the typosquat domain invoices-ficsit.io. A macro-enabled attachment drops svc32.exe, which establishes a C2 beacon to 185.220.101.47. The attacker dumps credentials from LSASS, moves laterally over SMB to RESEARCH-STATION-01, exfiltrates 547 MB over C2 plus a further 14.7 GB to Dropbox through m.blake, then deploys ransomware that renames 847 files with the .IRONLOCK extension. The activity is attributed to threat actor TA-001 IRON CHIMNEY (Eastern Europe, RaaS). This is the primary scenario — it surfaces in all ten tools and four labs.

Attack chain
01 Initial Access (T1566.002): AiTM phish via invoices-ficsit.io targeting marcus.chen
02 Execution (T1059.001): Excel macro drops svc32.exe · encoded PowerShell payload
03 Persistence (T1547.001): Registry Run Key created by unsigned process (EDR DET-0031)
04 Credential Access (T1003.001): LSASS read by svchost32.exe / Mimikatz (EDR DET-0040)
05 Lateral Movement (T1021.002): SMB Admin$ from PIONEER-WS-01 → RESEARCH-STATION-01
06 Exfiltration (T1041): 547 MB over C2 · 14.7 GB to Dropbox via m.blake (CASB DLP-001)
07 Impact (T1486): 847 files renamed .IRONLOCK · VSS shadow copies deleted
Tool involvement (all 10 tools)
SIEM: INV-2024-0087 · ALT-7278 · ALT-7287 · ALT-7291 [Investigate ↗]
EDR: DET-0041 · DET-0040 · DET-0039 · DET-0038 · DET-0037 · +2 [Detections ↗]
EDR: EP-001 RESEARCH-STATION-01 (isolated, risk 94) [Timeline ↗]
Email: THREAT-001 · THREAT-004 · THREAT-021 · ATO-001 (pioneer) [MailGuard ↗]
Identity: RISK-001 · RISK-008 · SI-015 (james.okafor impossible travel) [Sign-ins ↗]
NGFW: IPS-5821 · IPS-5820 · IPS-5817 · TRF-98177 (573 MB exfil) [Threats ↗]
CASB: DLP-001 · DLP-011 · DLP-015 · USR-001 m.blake (risk 94) [DLP Incidents ↗]
SOAR: CASE-2024-0087 · CASE-2024-0267 · PB-001 · PB-003 · PB-006 [Cases ↗]
TIP: TA-001 IRON CHIMNEY · CAM-001 Operation SMELTING · 12 IOCs [Intelligence ↗]
Queue: IR-001 · 5 sub-tasks · PIR · DNS sinkhole for IRON CHIMNEY IOCs [IR-001 ↗]
VM: Post-breach scan · WIN-MCHEN-WS01 (initial breach vector) [Vuln Mgmt ↗]
Labs that use this scenario
ATO-002: MFA Fatigue · INV-2024-0086 · HIGH · IDENTITY · CONTAINED

m.blake (Michael Blake, Director of Research) is targeted with a credential phishing email (microsoft-secure-signin.com), followed by MFA push bombing from 203.0.113.88 (Taipei, Taiwan). Three pushes are denied; the fourth is approved under fatigue. The attacker gains admin portal access and attempts to disable MFA for the pioneer account — a parallel attack that suggests coordination with IRON CHIMNEY (same threat actor, TA-001). SOAR playbook PB-002 triggers an automatic lockdown.

Attack chain
01 Phishing (T1566.001): Credential harvest via microsoft-secure-signin.com (MailGuard THREAT-005, blocked)
02 MFA Fatigue (T1621): 3 push denials → 4th approved · SIEM ALT-7285
03 Account Access (T1078.004): Admin portal login from 203.0.113.88 Taipei · SIEM ALT-7288
04 Defense Evasion (T1556.006): Attempted MFA disable for pioneer account · SOAR PB-002 blocked
Tool involvement
SIEM: INV-2024-0086 · ALT-7285 (MFA failures) · ALT-7288 (admin login after burst) [Investigate ↗]
EDR: DET-0036 (admin portal login from external IP 203.0.113.88) [Detections ↗]
Email: ATO-002 (m.blake · risk 82) · THREAT-005 (credential phish, blocked) [ATO Cases ↗]
SOAR: CASE-2024-0142 · PB-002 MFA Fatigue Lockdown (node: block 203.0.113.88) [Cases ↗]
TIP: IOC-002 (203.0.113.88 attributed to TA-001 · appears in CAM-001 timeline) [IOCs ↗]
CEO Wire Fraud · BEC-001 · HIGH · FINANCIAL FRAUD · BLOCKED

A threat actor impersonates CEO M. Reynolds via m-reynolds-ceo@gmail.com and requests that j.whitfield wire $47,500 to Trident Capital Partners LLC. Foyl MailGuard intercepts the message as THREAT-002. SOAR playbook PB-008 (BEC Wire Fraud Prevention) is triggered, though it is currently still in draft. Identity detects a correlated inbox manipulation rule that forwards messages containing finance keywords to an external address.

Attack chain
01 Impersonation (T1583.008): Gmail lookalike m-reynolds-ceo@gmail.com
02 BEC Email (T1566.001): Wire request to j.whitfield · $47,500 · Trident Capital Partners
03 Intercepted (T1657): MailGuard THREAT-002 blocked · SOAR PB-008 (draft) triggered
Tool involvement
Email: BEC-001 · THREAT-002 (blocked · gmail impersonation) [BEC Cases ↗]
Identity: RISK-007 (inbox rule forwarding invoice/wire/payment keywords) [Protection ↗]
SOAR: CASE-2024-0218 · PB-008 BEC Wire Fraud Prevention (draft) [Cases ↗]
CASB: DLP-002 (j.whitfield WeTransfer to acme-industr1al.com) [DLP ↗]
Vendor Fraud · VF-001 · MEDIUM · VENDOR FRAUD · INTERCEPTED

Threat actor TA-002 COBALT MANTIS registers acme-industr1al.com (a homoglyph of the real acme-industrial.com) and sends l.park a billing substitution email requesting a bank account change for a $23,847 wire. MailGuard quarantines the message as THREAT-003. Two hours after l.park responds, CASB detects her uploading vendor contracts (acme_nda_2024.pdf, vendor_pricing_q4.xlsx) to a personal Google Drive.

Attack chain
01 Domain Spoof (T1583.001): acme-industr1al.com homoglyph registered (TA-002 COBALT MANTIS)
02 Billing Fraud (T1566.001): Bank account change email to l.park · $23,847 wire request
03 Data Exposure (T1213): l.park uploads vendor contracts to personal Google Drive (CASB DLP-006)
04 Intercepted (T1657): MailGuard quarantines THREAT-003 · wire transfer blocked
Tool involvement
Email: VF-001 · THREAT-003 (quarantined · acme-industr1al.com homoglyph) [Vendor Fraud ↗]
TIP: TA-002 COBALT MANTIS · CAM-002 MANTIS BEC Sweep · IOC-006 · IOC-022 [Threat Actors ↗]
CASB: DLP-002 · DLP-006 (vendor contracts uploaded by l.park 2h post-phish) [DLP ↗]