hack3rs.ca network-security

student@hack3rs:~$ cat phishing-triage-identity-lab.md

Phishing Triage Lab (Identity + Email + DNS Workflow for Beginners)

Level: Beginner | Study time: 30-60 min | Last reviewed: 2026-02-26

Practice a defender-first phishing triage workflow using a safe lab scenario: user report, suspicious link, identity events, and a documented response timeline.

prerequisites

  • Use only systems and networks you own or are explicitly authorized to test.
  • Basic familiarity with networking and logs.
  • Willingness to document evidence and assumptions.

1. Lab Goal and Scenario Scope

This lab teaches how to triage a phishing-style identity event using evidence and a timeline, not panic. The scenario can be simulated with sample logs, fake event lines, or a controlled lab environment you own.

The goal is to practice the workflow end to end: user report -> link/domain review -> identity/auth review -> timeline -> containment recommendation -> documentation.

Keep the scenario lab-safe and defensive. You are learning how to investigate and communicate, not how to phish.

2. Evidence Correlation Workflow

Start with the initial signal (user report, suspicious email, or login prompt report). Record timestamp, reported behavior, and what system/account might be involved.

Review DNS/proxy/email clues and identity/auth events in the same time window. Look for repeated MFA prompts, unusual sign-ins, session creation, or strange destinations linked to the report.

Build a short timeline table before recommending containment. This improves clarity and helps you explain your reasoning to teammates.

3. What Good Practice Looks Like

A strong lab outcome is a concise triage note: what was observed, what is suspected, what evidence supports the suspicion, what remains unknown, and what defensive action should happen next.

Practice distinguishing direct evidence from inference. For example, a lookalike domain visit may increase suspicion, but you still need identity and session context before concluding impact.

Repeat the scenario with both benign and suspicious outcomes so you learn not to over-escalate every report.

phishing-triage-lab-checklist

  • Record the initial signal and time window clearly.
  • Correlate email/DNS/web evidence with identity/auth events.
  • Build a timeline before recommending containment.
  • Separate observed evidence from inferred conclusions.
  • Write a short triage note with confidence and next action.

how-to-workflow

  1. Record the user report or initial phishing signal and define the time window.
  2. Review related email/DNS/web evidence for suspicious destinations or redirects.
  3. Review identity/auth events for suspicious sign-ins, MFA prompts, or session creation.
  4. Build a short timeline table combining the evidence sources.
  5. Decide on the next defensive action (monitor, contain, reset, revoke session, escalate).
  6. Write a short evidence-backed triage note.
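As an added example (not part of the lab page), the six steps above carried out in a small Python script over constructed sample events: it builds the windowed timeline, separates observed facts from inference, records what remains unknown, and returns a defensive next action. The account, host, lookalike domain and IP address are placeholders chosen for this example.

```python
from datetime import datetime, timedelta

# Constructed sample events for the lab scenario (not real logs): (UTC timestamp, source, detail).
# Account, host, domain and IP are placeholders chosen for this example.
SAMPLE_EVENTS = [
    ("2026-02-26T09:02:10Z", "email", "alice reports 'password expiry' mail linking to lab-sso-login.example"),
    ("2026-02-26T09:03:45Z", "dns", "alice-laptop resolved lab-sso-login.example"),
    ("2026-02-26T09:04:02Z", "proxy", "alice-laptop GET https://lab-sso-login.example/login"),
    ("2026-02-26T09:06:30Z", "auth", "alice MFA prompt (denied)"),
    ("2026-02-26T09:06:55Z", "auth", "alice MFA prompt (denied)"),
    ("2026-02-26T09:07:10Z", "auth", "alice MFA prompt (approved) from 203.0.113.7"),
    ("2026-02-26T09:07:12Z", "auth", "alice session created from 203.0.113.7"),
    ("2026-02-26T13:40:00Z", "auth", "bob sign-in from office network"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def build_timeline(events, report_ts, account, window_min=15):
    """Steps 1-4: keep events naming the account inside +/- window_min of the report, sorted by time."""
    center = parse_ts(report_ts)
    lo, hi = center - timedelta(minutes=window_min), center + timedelta(minutes=window_min)
    return sorted((parse_ts(t), src, d) for t, src, d in events
                  if lo <= parse_ts(t) <= hi and account in d)

def triage(timeline, suspicious_domain):
    """Steps 5-6: separate observed facts from inference and choose the next defensive action."""
    observed = [f"{t:%H:%M:%S} [{src}] {d}" for t, src, d in timeline]
    visited = any(src in ("dns", "proxy") and suspicious_domain in d for _, src, d in timeline)
    submitted = any(src == "proxy" and "POST" in d for _, src, d in timeline)
    mfa_prompts = sum(1 for _, src, d in timeline if src == "auth" and "MFA prompt" in d)
    session = any(src == "auth" and "session created" in d for _, src, d in timeline)
    if visited and mfa_prompts >= 2 and session:  # repeated prompts plus a new session alongside the visit
        inferred, confidence = "credentials likely phished; new session may be attacker-held", "high"
        action = "contain: revoke sessions, reset credentials, escalate"
    elif visited and (mfa_prompts or session):
        inferred, confidence = "possible credential exposure; impact unconfirmed", "medium"
        action = "reset credentials and watch for further sessions"
    elif visited:
        inferred, confidence = "lookalike domain visited; no identity impact seen", "low"
        action = "monitor the account and block the domain"
    else:
        inferred, confidence, action = "no evidence of compromise", "low", "close the report"
    unknown = ["whether credentials were submitted (no POST to the domain observed)"] if visited and not submitted else []
    return {"observed": observed, "inferred": inferred, "confidence": confidence,
            "unknown": unknown, "next_action": action}
```

Run it once with the full sample (suspicious outcome) and once with only the report line (benign outcome), as section 3 recommends, to see how the action changes with the evidence.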
