
The Enchanted Scroll

Phishing Attack Leading to Network Compromise
P2 — High

A cunning enchantment disguised as a routine missive has ensnared one of your realm's trusted servants. The deception has breached your outer defences, granting dark forces a foothold within the fortress walls. As the scope of the infiltration becomes clear, the race begins to purge the corruption before the enemy plunders your treasury.

45 minutes
DC 13
3 Injects
4–12 Players

Compliance Frameworks

NIST CSF PR.AT, ISO 27001 A.7.2.2, DORA Art.13

🛡️ Roles & Party Members

War Chief Required
Incident Commander

Leads the response team, makes containment and escalation decisions

Arcane Engineer Required
IT Operations Lead

Provides technical context, assesses system impact, manages endpoint containment

Shadow Watcher Required
SOC Analyst

Analyses phishing artefacts, traces lateral movement, monitors for further compromise

Keeper of the Codex Required
Compliance / DPO

Assesses data exposure, regulatory notification obligations under GDPR and FCA rules

Town Crier Optional
Communications Lead

Drafts internal warnings to staff, manages external communications if required

Guild Master Optional
HR Representative

Supports affected staff, advises on conduct aspects if negligence is suspected

High Council Elder Optional
Senior Management

Provides executive decision authority, approves client notifications

⚡ Inject Timeline

1
The Poisoned Missive — A Lure Takes Hold
T+0 Minutes

It is 09:15 UTC on a Monday morning. The IT Service Desk receives a call from a relationship manager in the Wealth Management division. They report unusual behaviour on their workstation after clickin...

6 Discussion Prompts, 1 Dice Event, 4 Possible Complications
2
The Spreading Blight — Lateral Movement Detected
T+20 Minutes

The SOC's investigation escalates. Endpoint Detection and Response (EDR) telemetry reveals that one of the compromised users — a senior relationship manager — had their workstation accessed remote...

6 Discussion Prompts, 1 Dice Event, 4 Possible Complications
3
The Reckoning — Containment and Recovery
T+35 Minutes

Twelve hours into the incident, containment is underway but significant challenges remain. The threat actor has been ejected from the network, all compromised credentials have been rotated, and affect...

6 Discussion Prompts, 1 Dice Event, 4 Possible Complications

📋 Debrief Questions

Post-Battle Assessment
  1. Were email security controls adequate to detect and block the phishing campaign?
  2. Was the incident escalation pathway clear and timely?
  3. Were credential compromise procedures effective — including MFA enforcement and password rotation?
  4. How effective was internal communication to staff during the incident?
  5. Were regulatory notification obligations understood and met within required timelines?
  6. What improvements to phishing awareness training are needed?