Range Scenario · crucible · 25 min
AI-Assisted Phishing Triage: Six Reported Emails
This training scenario simulates a working incident. Six user-reported emails sit in the phishing-report inbox. An LLM triage assistant scores each one. Verify the scores, identify the real attacks, and pick the right response action for each.
Scenario briefing
You are a Tier 1 SOC analyst at a 2,500-employee logistics firm. Users forward suspicious emails to phishing@example.com. An LLM triage assistant reads each email, extracts indicators, scores risk, and proposes a response (release, warn, quarantine, escalate).
Six reports landed this morning. Your job is to verify the LLM output against headers, sender domain reputation, attachment metadata, and link analysis. The LLM is right most of the time but occasionally over-scores marketing email and under-scores well-crafted business email compromise.
This scenario tests phishing tradecraft and the discipline of treating LLM scores as a draft. Sources: NIST SP 800-177r1 (Trustworthy Email, 2019), MITRE ATT&CK T1566 family.
What you will practice
- Read SPF, DKIM, DMARC results from headers
- Distinguish brand impersonation from legitimate marketing email
- Recognize business email compromise patterns the LLM missed
- Map phishing variants to the T1566 sub-technique tree
How this scenario is scored
The scenario has 6 ordered steps. Most steps are exact-match (a MITRE ATT&CK technique ID, a tool name, or a yes/no decision) or multiple choice. Free-text steps queue for manual review and do not affect the automatically computed final score in the MVP.
Each step has a max score of 100 points. Hints deduct points up front, listed before you reveal them. Your final score is the sum across steps. Range Elo updates on completion based on scenario difficulty (Beginner) and your final score percentage.
Frequently asked questions
Why is the LLM weak on business email compromise?
BEC emails are textually plain. They contain no malicious links, no attachments, and no urgent threat language. The LLM trained on overt phishing weights those signals heavily. BEC asks for a wire transfer in a normal tone from a lookalike domain. Header inspection and sender-history checks catch it. Text alone does not.
What email-authentication signals should the LLM verify?
SPF, DKIM, and DMARC results in Authentication-Results headers. A failing DMARC plus a brand-impersonating display name is a strong phishing signal. A passing DMARC from the legitimate domain is strong evidence the email is legitimate, even if the body looks suspicious to a generic LLM scorer.
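As an added example (not part of the scenario's own tooling), this Python helper parses the Authentication-Results header of two constructed emails and applies the rule above: a failing DMARC plus a brand name in the display name from a domain the brand does not own quarantines, while a passing DMARC from the brand's real domain releases; anything else escalates to the analyst. The BRANDS table and both sample messages are assumptions.

```python
import email
import re
from email import policy

# Constructed sample 1: brand name in the display name, lookalike sender domain, DMARC fail.
RAW_PHISH = """\
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=acme-payments.co;
 dkim=none; dmarc=fail (p=reject) header.from=acme-payments.co
From: "Acme Corp Billing" <alerts@acme-payments.co>
Subject: Invoice overdue
"""

# Constructed sample 2: same display name, but DMARC pass from the brand's real domain.
RAW_LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme.com;
 dkim=pass header.d=acme.com; dmarc=pass (p=reject) header.from=acme.com
From: "Acme Corp Billing" <no-reply@acme.com>
Subject: Your monthly statement is ready
"""

# Hypothetical brand table: display-name keyword -> domains allowed to send as that brand.
BRANDS = {"acme": {"acme.com"}}
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

def auth_results(msg):
    """Return {method: result} from every Authentication-Results header (unfolded by policy.default)."""
    found = {}
    for hdr in msg.get_all("Authentication-Results", []):
        found.update(AUTH_RE.findall(hdr))
    return found

def triage(raw):
    """Combine the DMARC verdict with a display-name/domain mismatch, as the FAQ describes."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    sender = msg["From"].addresses[0]
    name, domain = sender.display_name.lower(), sender.domain.lower()
    impersonated = [b for b, ok in BRANDS.items() if b in name and domain not in ok]
    if auth.get("dmarc") == "fail" and impersonated:
        action = "quarantine"   # failing DMARC plus impersonating display name
    elif auth.get("dmarc") == "pass" and not impersonated:
        action = "release"      # passing DMARC from the legitimate domain
    else:
        action = "escalate"     # mixed signals: the analyst decides
    return {"action": action, "auth": auth, "impersonated": impersonated}

if __name__ == "__main__":
    for raw in (RAW_PHISH, RAW_LEGIT):
        print(triage(raw))
```

In a real queue the authenticating MTA's name (mx.example.com here) should be checked too, since an attacker can inject a forged Authentication-Results header upstream of your own mail gateway.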
Why not auto-quarantine everything the LLM flags?
False positives erode user trust and train people to bypass reporting. The triage workflow uses LLM scores to rank queue position and propose action. The analyst makes the release/quarantine call. Auto-action is reserved for very-high-confidence signatures, not LLM probabilistic scores.