https://tryhackme.com/room/spottingphishing-aoc2025-r2g4f6s8l0
Room created by: tryhackme, rePl4stic, s1moesz
“Since McSkidy’s disappearance, TBFC’s defences have weakened, and now the Email Protection Platform is down.
With filters offline, the staff must triage every suspicious message manually.
The SOC Team suspects Malhare’s Eggsploit Bunnies have sent phishing messages to TBFC’s users to steal credentials and disrupt SOC-mas.”

Now that we have read through the material, we know what to look for. The first email is very convincing, but what do the headers tell us? “Classify the 1st email, what’s the flag?”

In the room, THM breaks down a similar email, pointing out the red flags shown. We know this to be spoofing (the sender is trying to pass as a legitimate company, PayPal). We know the invoice is fake as well. There is also a sense of urgency created by the formatting of the content, which pushes users to pay the invoice or, if they do not recognise it, to click the various support links.
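To make the same checks repeatable, here is an added example (my own code, not part of the room) that parses a constructed raw message with Python's `email` module and applies the indicators discussed above: a From/Return-Path domain mismatch, failed SPF/DKIM results, a brand name on a non-brand domain, invoice and urgency wording, and side-channel contact requests. The sample headers, domains and the `BRANDS` lookup are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample (not from the room) mimicking the PayPal-style lure.
SAMPLE = """\
Return-Path: <bounce@mail-billing-alerts.example>
Authentication-Results: mx.tbfc.example; spf=fail smtp.mailfrom=mail-billing-alerts.example; dkim=none
From: "PayPal Billing" <billing@paypa1-secure.example>
To: elf@tbfc.example
Subject: Invoice #88213 due - action required within 24 hours
Content-Type: text/plain; charset=utf-8

Your invoice of $499.99 is due. Pay now or your account will be suspended.
If you did not authorise this charge, call our support line at +1-555-0100 immediately.
"""

URGENCY = re.compile(r"\b(immediately|urgent|within \d+ hours|suspended|act now)\b", re.I)
INVOICE = re.compile(r"\b(invoice|pay now|payment due)\b", re.I)
SIDE_CHANNEL = re.compile(r"\b(call (us|our)|whatsapp|text us)\b|\+?\d[\d\-\s]{7,}\d", re.I)
BRANDS = {"paypal": "paypal.com"}  # assumed mapping: brand word -> legitimate sending domain

def domain_of(addr: str) -> str:
    # Lowercased domain part of an address like "<user@host>" or "user@host".
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()

def classify(raw: str) -> list[str]:
    # Return triage labels for a raw RFC 5322 message, using headers and body together.
    msg = email.message_from_string(raw, policy=policy.default)
    labels = []
    sender = msg["From"].addresses[0]
    from_dom = domain_of(sender.addr_spec)
    ret_dom = domain_of(msg["Return-Path"] or "")
    auth = str(msg["Authentication-Results"] or "").lower()
    # Spoofing: envelope/header mismatch, failed SPF/DKIM, or a brand name on the wrong domain.
    brand_mismatch = any(b in sender.display_name.lower() and not from_dom.endswith(d)
                         for b, d in BRANDS.items())
    if ret_dom != from_dom or "spf=fail" in auth or "dkim=fail" in auth or brand_mismatch:
        labels.append("Spoofing")
    text = f"{msg['Subject']}\n{msg.get_body(preferencelist=('plain',)).get_content()}"
    if INVOICE.search(text):
        labels.append("Fake Invoice")
    if URGENCY.search(text):
        labels.append("Sense of Urgency")
    if SIDE_CHANNEL.search(text):
        labels.append("Side Channel Communication Attempt")
    return labels

if __name__ == "__main__":
    print(classify(SAMPLE))
```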

For the question, “Classify the 2nd email. What’s the flag?”, lucky for us, THM breaks this down, so all we need to do is put the puzzle together!

“Classify the 3rd email. What’s the flag?” For this flag, THM also breaks down the email for us, but what is said does not give the complete answer.

My obvious choice was Impersonation, Sense of Urgency, and Side Channel Communication Attempt (since it says this!), but since that did not take, I did “Social Engineering Text” instead.

“Classify the 4th email. What’s the flag?” THM does not cover this email, so we will have to use our wits! This one was the hardest so far, and you really need to look at both the headers and the email contents to figure it out.


“Classify the 5th email. What’s the flag?” THM breaks down the email “Improve your event logistics in this SOC-mas season” and why it’s Spam. Pretty easy for us!


“Classify the 6th email. What’s the flag?” THM does cover this email, “Christmas Laptop Upgrade Agreement”, but again the answers given are not what is expected (honestly not sure why it’s like this).


THM links to another phishing room if you want to check it out: https://tryhackme.com/room/phishingemails3tryoe.