Invoice Ghost

Forensics 100 pts standard
Challenge Description

The finance department processed a suspicious vendor payment after an email thread changed the bank details. You are asked to investigate whether a mailbox compromise occurred and to identify the fraud indicators.

Recover (ignore decoys):

  1. The actual attacker-created mailbox rule name.
  2. The first malicious external login IP tied to rule creation.
  3. The spoofed sender domain used in the successful fraud thread.
  4. The fraudulent payment amount.
  5. The mail folder used to hide forwarded messages.

Flag format: HackCTF{ipaddress_domain_amount_folder-name}

Hints
  1. Not every suspicious IoC is part of the successful fraud path.
  2. Anchor your timeline on New-InboxRule.
  3. The flag needs the hidden folder name in lowercase, with a hyphen.
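
One way to apply the second hint, shown as an added example that is not part of the challenge or its artifacts: anchor on each `New-InboxRule` event, then look back for the earliest external login to the same mailbox. The records are constructed, the field names (`CreationTime`, `Operation`, `UserId`, `ClientIP`, `Parameters`) assume a Microsoft 365 unified-audit-log style JSON export, and the internal range and one-hour lookback are assumptions.

```python
import json
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records, NOT challenge data. One JSON object per line.
SAMPLE_LOG = """\
{"CreationTime":"2024-03-04T08:55:10","Operation":"UserLoggedIn","UserId":"ap@corp.example","ClientIP":"10.20.1.15"}
{"CreationTime":"2024-03-04T09:02:41","Operation":"UserLoggedIn","UserId":"cfo@corp.example","ClientIP":"198.51.100.77"}
{"CreationTime":"2024-03-04T09:12:03","Operation":"UserLoggedIn","UserId":"ap@corp.example","ClientIP":"203.0.113.24"}
{"CreationTime":"2024-03-04T09:14:30","Operation":"UserLoggedIn","UserId":"ap@corp.example","ClientIP":"203.0.113.99"}
{"CreationTime":"2024-03-04T09:15:12","Operation":"New-InboxRule","UserId":"ap@corp.example","ClientIP":"203.0.113.99","Parameters":[{"Name":"Name","Value":"constructed-rule"},{"Name":"MoveToFolder","Value":"Constructed-Folder"}]}
"""

INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed corporate address range

def load(text):
    """Parse JSON lines and return events sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["CreationTime"])
    return sorted(events, key=lambda e: e["ts"])

def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def anchor_on_rule_creation(events, lookback=timedelta(hours=1)):
    """For each New-InboxRule, report the rule and the earliest external
    login to the same mailbox inside the lookback window before it."""
    findings = []
    for rule in (e for e in events if e["Operation"] == "New-InboxRule"):
        params = {p["Name"]: p["Value"] for p in rule.get("Parameters", [])}
        logins = [e for e in events  # events are time-sorted, so [0] is earliest
                  if e["Operation"] == "UserLoggedIn"
                  and e["UserId"] == rule["UserId"]  # drops other-mailbox decoys
                  and is_external(e["ClientIP"])     # drops internal logins
                  and rule["ts"] - lookback <= e["ts"] <= rule["ts"]]
        findings.append({
            "mailbox": rule["UserId"],
            "rule_name": params.get("Name"),
            "hide_folder": params.get("MoveToFolder"),
            "rule_created": rule["CreationTime"],
            "first_external_login_ip": logins[0]["ClientIP"] if logins else None,
        })
    return findings

if __name__ == "__main__":
    print(json.dumps(anchor_on_rule_creation(load(SAMPLE_LOG)), indent=2))
```

The external login to `cfo@corp.example` is suspicious on its face but never leads to a rule, which is the kind of decoy the first hint describes.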