GaboonGrabber Beginner Scenario: The Fundraiser Email
IM Overview
- Malmon: GaboonGrabber
- Setting: Small nonprofit (20 employees), fundraiser campaign launching in 48 hours
- Runtime: 45-75 minutes (Lunch and Learn)
- Players: 4 (pre-generated team included below)
- Difficulty: First session – no prior experience required
M&M has four rules that never change. Everything else is your style.
The Core Loop: You describe symptoms. Players each take one action. You describe results and evolve the threat.
Success Mechanic: Simple actions succeed automatically. Complex actions: roll d20, 5+ easy, 10+ medium, 15+ hard. (See the d20 callout in Round 1.)
Collaboration: Players assisting each other: +1 per assisting player (max +3), or roll two dice and take the higher.
The Goal: Contain the threat using your roles before the Malmon evolves.
Everything else is yours to improvise. How you voice the NPCs. Whether you use the clue prompts verbatim or paraphrase them. How much you linger on a decision point. Whether you use modifiers at all in a first session. The scenario is fully scripted, so you never have to improvise. But the best sessions always go somewhere the script did not expect. When that happens, go with it. That is M&M working.
These rules are defined in the IM Quick Start Guide. The rest of this scenario teaches you the full system one mechanic at a time.
The Stage 2 ending – where the donor database export completes – is designed to be instructive, not punishing. It shows exactly what was at stake and exactly what the team could have done differently.
Before You Begin
Materials needed:
- This document (print or screen)
- One or more d20 dice (players can share, or bring their own)
- Role cards for: Detective, Protector, Tracker, Communicator
No other preparation required. Everything – clues, NPC lines, decision points, and resolution endings – is scripted below. Read through once before running. If you have 5 extra minutes, read the Setting the Scene box aloud to yourself.
Every path through this scenario leads somewhere useful. If Stage 2 triggers, the debrief question about Tom becomes sharper, not harder – the team will have clear evidence of exactly what happened and why. You do not need to improvise consequences; they are already scripted. Your only job is to keep the conversation moving. If the room goes quiet for more than 30 seconds, offer the next clue prompt.
Partial-success lines: use one of these when a roll misses by 1-3 points (the partial-success band). Pick whichever fits the moment.
| Situation | What to say |
|---|---|
| Investigation | “You find what you were looking for – but it raises a question you were not expecting.” |
| Technical | “It works – but slower, or with a side effect. Something had to give.” |
| Social | “They agree, but only halfway. What do you offer to get the rest?” |
| Under pressure | “You get the result – but the delay cost you. The situation moved while you worked.” |
Pre-Generated Team
Hand out role cards and ask: “Which of these sounds most like how you would approach a security incident?” Give players 30 seconds. In practice, most new players do not have strong preferences – that is fine. If nobody steps forward for a role, assign at your discretion. Any combination works; the roles are designed to complement each other.
When the script addresses a clue to a role – “Tracker, the VPN log shows…” – use the player’s actual name instead of the role label. Players are themselves in this scenario.
- Detective – “You always ask who had access and when. Your job is to trace what happened.”
  - Situational anchor: You volunteered to help the foundation after last year’s fundraiser. This is the first time you have been called into an actual incident.
  - Play as: you ask one more question even when the team is ready to act.
- Protector – “Your instinct is to isolate first, ask questions second. You keep the threat from spreading.”
  - Situational anchor: You set up the VPN access for volunteer coordinators like Tom. You want to know if the architecture held.
  - Play as: you state the action you want to take, then immediately ask who disagrees.
- Tracker – “You follow the data trail. You want logs and timestamps before anyone acts.”
  - Situational anchor: You are the one who flagged the security alert this morning. You forwarded it to Priya at 8:02am.
  - Play as: you quote a specific number from the evidence before making any recommendation.
- Communicator – “You keep stakeholders calm and the team aligned. You decide what gets communicated and when.”
  - Situational anchor: You manage the donor relationships. If 14,000 records are at risk, you are the one who has to look those donors in the eye.
  - Play as: you repeat back what you heard before responding, especially when the news is bad.
Setting the Scene
It is Monday morning at Clearwater Community Foundation, a 20-person nonprofit that runs youth programs across the city. In 48 hours, their annual fundraiser campaign goes live – the one that funds everything for the next 12 months. Director Priya Chen called an emergency meeting: the security monitoring tool flagged unusual activity on Tom Reeves’ workstation overnight. Tom is the volunteer coordinator. He is in the conference room now, sitting near the back, not making eye contact. Priya is at the head of the table. What do you do?
When the Communicator or Detective approaches Tom directly:
“It said my account was locked. I thought I had locked myself out again. I get that message sometimes when I travel. I did not think…” He trails off. He is not defensive. He is embarrassed.
Most rolls succeed. At DC 10 – the default here – players succeed 55% of the time (10-20 on a d20). Partial successes (7-9) advance the story too; only 1-6 creates real friction. The clue tables below give you scripted text for every outcome band.
Use DC 15 once per round at most. At that threshold success drops to 30%. Reserve it for genuinely hard moments – cutting-edge analysis or high-stakes social pressure.
When to skip the dice entirely: Simple, clear actions succeed automatically. The dice are for genuine uncertainty only.
Round 1: What Tom Clicked
Before you start, explain the three steps to your players:
- You describe what the team observes. A situation, a symptom, a piece of information.
- Each player takes one action. What does your character do? Anything realistic counts – ask a question, run a scan, check a log, call someone, isolate a machine.
- You describe what they find, then evolve the situation.
That is the whole game. Everything else builds on those three steps.
Tom’s workstation is still running. The security alert flagged it at 7:58am. The fundraiser donor database is accessible from the network. Priya is in the room, watching the team.
Reactive (player-driven): When a player declares an investigation action that matches a clue below, ask for a d20 roll and read the matching row. The roll determines how much they find and how cleanly.
Proactive (stuck group): If the room has genuinely worked at it for a moment and is still stuck, offer the 10-19 row directly – no roll required. Do not narrate what it means. Describe the finding and let the team draw the conclusion.
A player’s wrong hypothesis – “maybe it is ransomware?” – is more valuable than your next clue. Ask what evidence would confirm or rule it out first.
If players get stuck, offer these clue prompts one at a time:
Clue 1 – Email investigation (proactive: ~3 min; reactive: Detective investigates the email → DC 10)
| Roll | What you say |
|---|---|
| 20 ★ | “Detective, the email came from noreply@donor-portal-secure.net – sent Sunday at 2:14pm. The link routed through three domains in under a second before landing on a credential harvesting page. This is professional kit.” |
| 10-19 | “Detective, the email came from noreply@donor-portal-secure.net – not from the foundation’s domain. Sent Sunday at 2:14pm. The link redirected through two domains before landing on a credential harvesting page.” |
| 7-9 ◐ | “Detective, the From address is suspicious – noreply@donor-portal-secure.net. But Tom deleted the email. You have the header; tracing the link requires pulling from the mail server.” |
| 1-6 | “Detective, Tom deleted the email when he realized something was wrong. You will need to pull the original from the mail server – another 10 minutes.” |
Clue 2 – Executable analysis (proactive: ~6 min; reactive: Tracker examines Tom’s workstation → DC 10)
| Roll | What you say |
|---|---|
| 20 ★ | “Tracker, the executable installed at 2:17pm Sunday – three minutes after the email – and has been transmitting to an external IP every 8 minutes. Last transmission: 6 minutes ago.” |
| 10-19 | “Tracker, an executable installed at 2:17pm Sunday – three minutes after the email arrived. Running as a scheduled task under Tom’s user account.” |
| 7-9 ◐ | “Tracker, a suspicious process started at 2:17pm Sunday – running as a scheduled task under Tom’s account. It has disguised itself with a legitimate-looking process name. Cannot confirm it is malicious without deeper analysis.” |
| 1-6 | “Tracker, the executable has disguised itself as a Windows system process. The timestamp shows 2:17pm Sunday but the process name is nearly identical to a legitimate system service. Standard tools will not catch it.” |
Clue 3 – Process analysis (proactive: ~9 min; reactive: Protector examines running processes → DC 15)
| Roll | What you say |
|---|---|
| 20 ★ | “Protector, the process is actively reading browser passwords, session cookies, and form data. Running 18 hours. It also captured Tom’s VPN credentials – the attacker may be able to log in remotely right now.” |
| 10-19 | “Protector, an unfamiliar background process is actively reading browser saved passwords and form data. It has been running for 18 hours.” |
| 7-9 ◐ | “Protector, something is reading Tom’s credential stores – you can see it accessing protected memory. But when you try to capture it, the process pauses. It is monitoring for analysis.” |
| 1-6 | “Protector, the process detects your investigation and terminates. The malware is gone – and so is the forensic evidence. You know it was there; you cannot confirm what it took.” |
When a player attempts something with uncertain outcome – convincing Tom to share his credentials for investigation, isolating a live machine without crashing an open report, pulling VPN logs for the past 24 hours – ask for a d20 roll.
Target numbers:
- Easy (5+): Standard procedures with the right tools – succeed most of the time
- Medium (10+): Complex analysis, uncertain coordination, or working under pressure
- Hard (15+): Cutting-edge techniques, high-stakes decisions, or significant obstacles
Degrees of success:
- Critical (natural 20): Exceptional result – extra information, bonus, or advantage in the next action
- Full success (meets or beats target): Complete achievement
- Partial success (within 3 below target): Useful result with a complication or cost – the story still advances
- Failure (4+ below target): Does not achieve the goal; may create a new complication
Automatic success: Skip the dice entirely when a player’s expertise, the right tools, and a clear plan all line up. The dice are for genuine uncertainty, not a control mechanism.
For most first-session actions, set the target at 10. Only push to 15 when the stakes genuinely warrant it.
NPC interruption:
“I need to know two things before I talk to the board this afternoon. First: is the donor database safe? We have 14,000 donor records in there – names, addresses, giving history, some payment details. Second: can we still launch the fundraiser on Wednesday? Those are the only two questions that matter to me right now.”
She asks exactly two questions and then stops talking. She will not ask a third until she has answers to the first two.
Round 1 Decision Point:
The team must give Priya an initial answer. What do they know, and what do they do about Tom’s machine?
- Option A: Isolate Tom’s workstation now. Take the machine off the network immediately, before investigating further.
  - Outcome: The credential harvester loses its network connection. No further data can leave. Tom cannot work for the rest of the day. Investigation continues on an isolated machine. The attacker does not yet have a VPN session – Stage 2 has not triggered.
  - Priya: “Good. What do I tell the board about the fundraiser?”
- Option B: Keep the machine running and monitor. Continue investigating without disrupting Tom’s access, hoping to catch the full scope.
  - Outcome: Better forensic picture emerges. But during Round 2, the harvested credentials are transmitted to the attacker’s server. The attacker now has Tom’s VPN credentials. Stage 2 may trigger.
  - Priya (checking her watch): “You have until 10am. I need something before the board call.”
- Option C: Reset Tom’s passwords immediately. Change all of Tom’s account credentials right now, even before the investigation is complete.
  - Outcome: Harvested credentials are invalidated. The attacker can no longer use them. But the malware is still installed and will begin harvesting the new credentials within minutes unless the machine is also isolated. Follow up with isolation in Round 2.
  - Priya: “Will resetting the passwords be enough if we do not isolate the machine too?”
Whichever option they choose, move to Round 2. If they chose Option B, note that credential transmission has occurred.
Round 2: The Donor Database
The workstation situation is clearer. Now the team must determine whether the donor database was accessed – and whether it can safely be left online through the fundraiser.
When two or more players combine their actions toward the same goal:
- +1 per assisting player (maximum +3), or
- Advantage: roll two d20 dice and take the higher result
Either approach works – use advantage when it is cleaner to narrate, use the bonus when stacking precision matters.
Automatic success: When the whole team coordinates clearly with good logic and role division, skip the dice entirely. Perfect collaboration earns it.
Example: the Tracker checks the VPN access logs while the Detective reviews the donor database access history. That is a collaboration – +2 or advantage.
Apply these when they make a moment more real or more interesting – not mechanically:
| Situation | Modifier |
|---|---|
| Action aligns with player’s role | +2 |
| Action misaligns with role | -1 |
| Super effective response type | +2 |
| Not effective response type | -2 |
| Strong security posture supporting action | +2 |
| Significant obstacle | -2 |
| Threat actively evolving | -1 to -3 |
Stacking example: A Tracker (+2 role) pulling VPN logs while the threat is actively evolving (-1 time pressure) rolls at +1.
For a first session: You do not need to apply modifiers at all. Use them when a player does something that should obviously be easier or harder than straight 50/50.
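The d20 callout, the collaboration rule and the modifier table above all describe one resolution procedure. The resolver below is an added example (not part of the M&M kit) that implements those bands and then enumerates every d20 outcome, so an IM can check the 55% and 30% figures quoted earlier and see what advantage or a stacked modifier actually does to the odds; the band names are my own labels.

```python
import random

# Target numbers from the scenario's d20 callout.
DC_EASY, DC_MEDIUM, DC_HARD = 5, 10, 15
BANDS = ("critical", "full", "partial", "failure")  # labels assumed here


def resolve(natural: int, dc: int, modifier: int = 0) -> str:
    """Classify one d20 roll against a target number (DC).

    A natural 20 is always a critical; meeting or beating the DC after
    modifiers is a full success; 1-3 below the DC is a partial success
    (the 7-9 band at DC 10); 4 or more below is a failure.
    """
    if not 1 <= natural <= 20:
        raise ValueError("a d20 shows 1-20")
    if natural == 20:
        return "critical"
    total = natural + modifier
    if total >= dc:
        return "full"
    if total >= dc - 3:
        return "partial"
    return "failure"


def collaboration_bonus(assisting_players: int) -> int:
    """Collaboration option 1: +1 per assisting player, capped at +3."""
    return min(max(assisting_players, 0), 3)


def roll_with_advantage(rng=random) -> int:
    """Collaboration option 2: roll two d20 and keep the higher."""
    return max(rng.randint(1, 20), rng.randint(1, 20))


def outcome_distribution(dc: int, modifier: int = 0, advantage: bool = False) -> dict:
    """Exact probability of each band, enumerating every equally likely
    outcome: 20 faces, or 400 ordered pairs when rolling with advantage."""
    counts = dict.fromkeys(BANDS, 0)
    if advantage:
        for a in range(1, 21):
            for b in range(1, 21):
                counts[resolve(max(a, b), dc, modifier)] += 1
        total = 400
    else:
        for n in range(1, 21):
            counts[resolve(n, dc, modifier)] += 1
        total = 20
    return {band: counts[band] / total for band in BANDS}


def success_chance(dc: int, modifier: int = 0, advantage: bool = False) -> float:
    """Critical plus full: the 55% (DC 10) and 30% (DC 15) quoted in the text."""
    dist = outcome_distribution(dc, modifier, advantage)
    return dist["critical"] + dist["full"]


if __name__ == "__main__":
    # The stacking example: Tracker (+2 role) under an evolving threat (-1) rolls at +1.
    stacked = 2 - 1
    print("natural 9 at DC 10 with +1:", resolve(9, DC_MEDIUM, stacked))
    for dc in (DC_EASY, DC_MEDIUM, DC_HARD):
        print(f"DC {dc}: success {success_chance(dc):.0%}, "
              f"with advantage {success_chance(dc, advantage=True):.0%}")
```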
Clue prompts for Round 2:
Clue 4 – VPN log analysis (reactive: Tracker pulls VPN logs → DC 10; state depends on Round 1 outcome)
| Roll | If Option A/C (contained) | If Option B (monitored) |
|---|---|---|
| 20 ★ | “No external login – and you have the exact moment Tom’s machine attempted to transmit and was cut off. The containment was clean.” | “Amsterdam login at 8:23am this morning, 4-minute session. And a second attempt 11 minutes later from the same IP – blocked. The attacker tried twice.” |
| 10-19 | “VPN logs show no external login using Tom’s credentials.” | “VPN logs show a successful login from Amsterdam at 8:23am this morning. Session lasted 4 minutes. The donor database was accessed.” |
| 7-9 ◐ | “Logs look clean but the detail level was set low. You cannot confirm the last 2-hour gap with certainty.” | “Something shows in the VPN logs – unusual session behavior – but the detail level was set low. You know there was activity; you cannot confirm what.” |
| 1-6 | “VPN log retention is 6 hours. You cannot confirm what happened before 3am.” | “VPN log retention is 6 hours. Whatever happened before 3am this morning is gone.” |
Clue 5 – Database access log (no roll – factual reveal based on Round 1 outcome)
If no VPN breach (Option A/C): “The last database access was Tom’s normal check at 9:01am last week. Nothing unusual. No export queries. No bulk operations.”
If VPN breach occurred (Option B): “An export query ran at 8:24am this morning. 14,000 records were queried. Export status: incomplete – the session was terminated before download finished, but query metadata was captured.”
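A Tracker with the raw logs could make Clue 4 and Clue 5 concrete with a small correlation check: flag a VPN login from an unexpected country, note a blocked retry from the same address, and tie a bulk database query to that session window. The script below is an added example, not part of the scenario kit; the log format, the expected-country policy (US only) and the bulk-row threshold are assumptions, and the log lines are constructed to match the Option B branch (Amsterdam session at 8:23, export of 14,000 rows at 8:24, blocked retry 11 minutes later) and the contained branch.

```python
import re
from datetime import datetime, timedelta

EXPECTED_GEOS = {"US"}        # assumed policy: where staff normally connect from
BULK_ROW_THRESHOLD = 1000     # assumed: larger result sets count as bulk operations

# Constructed log lines for this scenario, not real data (documentation IP ranges).
VPN_LOG_OPTION_B = """\
2024-03-04T07:40:02 vpn user=pchen src=198.51.100.20 geo=US result=success duration=3600
2024-03-04T08:23:12 vpn user=treeves src=203.0.113.45 geo=NL result=success duration=240
2024-03-04T08:34:30 vpn user=treeves src=203.0.113.45 geo=NL result=blocked duration=0
"""
DB_LOG_OPTION_B = """\
2024-02-26T09:01:00 db user=treeves op=select rows=12
2024-03-04T08:24:40 db user=treeves op=export rows=14000
2024-03-04T08:41:15 db user=pchen op=select rows=25
"""
# Contained branch (Option A/C): only Priya's normal login, no export query.
VPN_LOG_CONTAINED = """\
2024-03-04T07:40:02 vpn user=pchen src=198.51.100.20 geo=US result=success duration=3600
"""
DB_LOG_CONTAINED = """\
2024-02-26T09:01:00 db user=treeves op=select rows=12
2024-03-04T08:41:15 db user=pchen op=select rows=25
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>vpn|db) (?P<rest>.*)$")


def parse(log: str) -> list:
    """Turn 'timestamp kind key=value ...' lines into dicts with a datetime."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort the review
        ev = dict(kv.split("=", 1) for kv in m["rest"].split())
        ev["ts"] = datetime.fromisoformat(m["ts"])
        ev["kind"] = m["kind"]
        events.append(ev)
    return events


def analyze(vpn_log: str, db_log: str) -> list:
    """Return (rule, user, detail) alerts from the VPN and database logs."""
    alerts = []
    flagged = []  # (user, source ip, session start, session end)
    for ev in parse(vpn_log):
        if ev["result"] == "success" and ev["geo"] not in EXPECTED_GEOS:
            start = ev["ts"]
            end = start + timedelta(seconds=int(ev["duration"]))
            flagged.append((ev["user"], ev["src"], start, end))
            alerts.append(("vpn_unexpected_geo", ev["user"],
                           f"{ev['geo']} login from {ev['src']} at {start:%H:%M}"))
        elif ev["result"] == "blocked" and any(
                u == ev["user"] and ip == ev["src"] for u, ip, _, _ in flagged):
            alerts.append(("vpn_retry_after_flagged_session", ev["user"],
                           f"blocked retry from {ev['src']} at {ev['ts']:%H:%M}"))
    for ev in parse(db_log):
        if int(ev["rows"]) < BULK_ROW_THRESHOLD:
            continue
        in_session = any(u == ev["user"] and s <= ev["ts"] <= e
                         for u, _, s, e in flagged)
        rule = "bulk_export_in_flagged_session" if in_session else "bulk_export"
        alerts.append((rule, ev["user"],
                       f"{ev['op']} of {ev['rows']} rows at {ev['ts']:%H:%M}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in analyze(VPN_LOG_OPTION_B, DB_LOG_OPTION_B):
        print(f"{rule:35} {user:10} {detail}")
    print("contained branch alerts:", analyze(VPN_LOG_CONTAINED, DB_LOG_CONTAINED))
```

Handout B in the kit is the narrative version of the first log; the point of the script is that the export only becomes an incident when it lands inside a session that should not exist.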
Malmon card reveal trigger:
When players describe “phishing,” “credential harvester,” “Trojan,” or anything close, show them the GaboonGrabber card and say:
“Your analysis confirms this is GaboonGrabber – a credential-stealing Trojan delivered via convincing phishing lures. It harvests saved passwords, browser session tokens, and form data. The goal is not to destroy data – it is to sell or use the credentials for follow-on access.”
If players have not named it by end of Round 2, give them this:
“Your logs confirm this is GaboonGrabber – malware that arrives as a phishing link, installs silently, and systematically harvests every credential it can find on the infected machine.”
Round 2 Decision Point:
Priya needs to make a decision about the fundraiser. The team must advise her:
- Option A: Delay the fundraiser launch by 48 hours. Take the time to fully investigate, reset all donor portal credentials, and confirm the database is clean before going public.
  - Outcome: The fundraiser is delayed. Priya is frustrated but accepts the reasoning. Donors receive a brief “technical maintenance” notice. No data is at risk during cleanup. Launch happens Thursday instead of Wednesday.
  - Priya: “48 hours. All right. I am calling it ‘system maintenance’ unless you tell me I cannot.”
- Option B: Launch as planned with enhanced monitoring. Proceed Wednesday with additional logging on the donor database and all VPN connections.
  - Outcome: The fundraiser launches on time. Monitoring catches one suspicious login attempt Wednesday evening – a second credential that had been harvested from Tom’s email contacts. The team blocks it in real time. Priya is relieved but shaken.
  - Priya: “Then we monitor everything. If anything moves, you tell me immediately.”
Round 2 ends. Move to Round 3.
Round 3: Before Wednesday
It is Tuesday afternoon. The immediate threat is contained. Now the team must clean up Tom’s machine, determine whether any other accounts were compromised, and prepare for the fundraiser.
In M&M, some responses are more effective against certain threat types than others.
GaboonGrabber is a Trojan type.
- Super effective: Phishing awareness training + EDR (endpoint detection and response) tools that flag credential-harvesting behavior. This combination prevents the initial install and catches it immediately if it does install.
- Not very effective: Reactive antivirus scanning alone. GaboonGrabber avoids signature-based detection by using legitimate system tools for its harvesting. A scan will find the initial dropper but may miss the payload running as a scheduled task.
- Normal effectiveness: Everything else – credential resets, network isolation, VPN access review.
Final Response Decision:
The team must choose their remediation and prevention approach:
- Option A: Full workstation rebuild + phishing awareness session before Wednesday. Rebuild Tom’s machine from clean image. Run a 30-minute phishing awareness session for all staff before the fundraiser launch. Reset all donor portal credentials.
  - Type effectiveness: Super effective
  - Outcome: Tom’s machine is clean. Staff leave the session knowing how to spot a fake password reset email. The fundraiser launches with the team confident in their preparation.
- Option B: Malware removal + credential audit + no staff session. Remove the malware manually, audit all credentials that touched Tom’s machine, reset everything. Skip the awareness session – there is not enough time.
  - Type effectiveness: Normal effectiveness
  - Outcome: Technical remediation succeeds. The fundraiser launches clean. But two weeks later, another staff member clicks a similar phishing email. The pattern continues.
- Option C: Credential reset only for Tom. Reset Tom’s passwords and move on. The fundraiser must launch.
  - Type effectiveness: Not very effective
  - Outcome: Tom’s credentials are safe. But the malware is still on his machine and will harvest his new credentials within 24 hours. By Thursday morning, the attacker has fresh credentials. The donor database is at risk again.
Resolution:
If Option A (rebuild + awareness session): Wednesday arrives. The fundraiser campaign goes live at 9am. By noon, 400 donors have already given. Tom pulls the Communicator aside before the afternoon check-in: “I looked up that domain name this morning – I should have caught it. I am going to start reading those security emails instead of deleting them.” Priya thanks the team before the end-of-day meeting. The organization enters the fundraiser season knowing it handled a real incident, learned from it, and came out stronger.
If Option B (removal + credential audit, no session): The fundraiser launches successfully. Wednesday and Thursday are strong. Two weeks later, development coordinator Kenji receives a nearly identical phishing email while processing donor acknowledgements. He clicks it. The team responds faster this time – they know exactly what to look for. But the pattern is clear: without the awareness session, the organization remains vulnerable to the same lure. Priya schedules a staff training for next month.
If Option C (credential reset only): Thursday morning, the Tracker’s monitoring alert fires at 6:47am. A VPN session is active using Tom’s credentials – the new ones, reset just two days ago. The attacker has been back on the machine since yesterday. The donor database shows a completed export at 6:51am: 14,000 records. The fundraiser is live. The data is gone. Priya is on the phone with the board. The team has work to do – but this time, they know the attacker’s methods cold. The remediation will be thorough.
Handouts
- Handout A: Phishing Email – Release at the start of Round 1
- Handout B: VPN Access Log – Select version and release at the start of Round 2
Debrief Guide
Standard closing questions (ask all 4):
- “What was the first moment you suspected something was wrong?”
- “Which decision felt hardest, and why?”
- “What would you do differently if this happened at your actual organization?”
- “What is one thing you will remember from today’s session?”
Scenario-specific question:
“Tom’s email looked like it came from a legitimate system. What habits or controls would help your organization catch a fake password reset email before someone clicks it?”
What’s Next
Your group has completed their first M&M session. Here are natural next steps:
More GaboonGrabber scenarios:
- GaboonGrabber: Healthcare Phishing – Healthcare technology firm, HIPAA compliance layer, higher regulatory stakes
- GaboonGrabber: Financial Compliance – Financial services, regulatory reporting, more complex stakeholder structure
- GaboonGrabber: Education Financial Aid – University financial aid office, student data, federal compliance context
Try FakeBat:
- FakeBat Beginner Scenario: Friday Deadline – Malvertising via fake software update, same beginner format, different threat type
Upgrade your prep:
- IM Quick Start Guide – Full reference for session formats, scenario selection, and facilitation techniques
- 5-Minute Prep Template – When you are ready to run without a script