Operation Safehouse // Cyber Investigation

Crack the clues. Stop the breach.

A simulated cyberattack is underway. Complete four cybersecurity missions, investigate the evidence, and stop the breach before the attacker escapes.

Begin Mission View Missions

LOCKED

Threat Status: Active

Complete all four missions to fully contain the breach and restore system integrity.

The Breach at SafeCorp

Work through the evidence. Each challenge is designed to be approachable, fast, and memorable while still feeling like a real cyber investigation.

Estimated time: 3–5 minutes

MISSION 01Identify the phishing lure that opened the breach.

Phishing Triage

The attacker sent an urgent message to finance. Inspect the email and identify the suspicious domain used in one of the below sender addresses.

From: Security Team <alerts@microsoft.com>

From: Security Team <alerts@secur-serv.com>

From: Security Team <alerts@secureguardconsuiting.com>

From: Security Team <alerts@fdic.gov>

Subject: Immediate account verification required

Link: https://cnn.com

Your direct deposit details could not be verified. Confirm your account immediately to avoid payment delay. This request expires in 15 minutes.

MISSION 02Find the compromised account in the access logs.

Suspicious Activity Hunt

Four logins occurred overnight. One account authenticated from a suspicious location and then accessed the vault admin panel.

00:12maria.chenDes Moines, IA

01:46dan.patelChicago, IL

02:18evan.millsBucharest, RO

03:04rachel.leeOmaha, NE

MISSION 03Crack the attacker’s password pattern.

Password Cracking Challenge

A breached employee reused a predictable seasonal password pattern. Investigators recovered the following intelligence from the attacker’s notes.

> recovered_hints.txt
Employee initial password setup (unchanged by employee):
- Uses one of the seasons in password
- Typically adds the current year
- Always includes a special character

Password policy:
Minimum 10 characters
Maximum 14 characters

Detected partial and fragmented hash:
*******0***

MISSION 04Identify the insider using the leaked USB device.

Insider Threat Investigation

A USB device containing vault credentials was plugged into a secure workstation. Match the evidence to identify the employee responsible.

Badge Swipe08:11 AMTyler Brooks

Camera Offline08:13 AMNorth Hallway

USB Inserted08:14 AMWorkstation 14

Coffee Purchase08:15 AMAshley Chen

VPN Login08:16 AMMarcus Rivera

Complete Mission 03 first to unlock this final investigation.

Hint: Who was physically present right before the USB was connected?