# FoilLab — Challenge: Phantom Heartbeat
# HTTP proxy access log — 2026-01-22 08:00:00 to 10:00:00 UTC
# Format: [timestamp UTC] client-ip method target-url status bytes "user-agent"
#         (fields are space-separated; the user-agent is double-quoted and may itself contain spaces)
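# Captured by: corp-proxy-01 (Squid 6.x forward proxy)
# Note: full https:// paths and query strings appear below, so the proxy is presumably inspecting TLS;
#       without inspection a forward proxy would log only CONNECT host:port for HTTPS destinations.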
# ─────────────────────────────────────────────────────────────────────────────

[2026-01-22 08:00:03] 192.168.1.10 GET https://outlook.office365.com/mail/ 200 48291 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:00:07] 192.168.1.15 GET https://login.microsoftonline.com/common/oauth2/token 200 1204 "Microsoft Office/16.0"
[2026-01-22 08:00:11] 192.168.1.22 GET https://slack.com/api/rtm.connect 200 892 "Slack/4.35 (Win64)"
[2026-01-22 08:00:14] 192.168.1.88 GET https://erp.company.local/dashboard 200 12048 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:00:18] 192.168.1.31 GET https://github.com/nikolap994 200 34821 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:00:22] 192.168.1.55 GET https://fonts.googleapis.com/css2?family=Inter 200 4210 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
[2026-01-22 08:01:01] 192.168.1.10 GET https://teams.microsoft.com/api/mt/part/emea-02/beta/users/presence 200 340 "Teams/1.6"
[2026-01-22 08:01:08] 192.168.1.22 GET https://api.slack.com/api/users.getPresence 200 128 "Slack/4.35 (Win64)"
[2026-01-22 08:01:14] 192.168.1.15 GET https://graph.microsoft.com/v1.0/me/messages 200 8841 "Microsoft Office/16.0"
[2026-01-22 08:01:19] 192.168.1.88 GET https://erp.company.local/api/invoices?page=1 200 5512 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:01:33] 192.168.1.31 GET https://api.github.com/repos/nikolap994/foilguard 200 2841 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
[2026-01-22 08:02:02] 192.168.1.10 GET https://outlook.office365.com/mail/inbox 200 52341 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:02:11] 192.168.1.55 GET https://cdn.jsdelivr.net/npm/chart.js@4.4.0/dist/chart.umd.min.js 200 198421 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
[2026-01-22 08:02:18] 192.168.1.22 GET https://wss-primary.slack.com/ 101 0 "Slack/4.35 (Win64)"
[2026-01-22 08:02:31] 192.168.1.88 GET https://erp.company.local/api/inventory 200 8812 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:03:00] 192.168.1.15 GET https://login.microsoftonline.com/common/oauth2/v2.0/token 200 980 "Microsoft Office/16.0"
[2026-01-22 08:03:14] 192.168.1.31 GET https://avatars.githubusercontent.com/u/1234567 200 14200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
[2026-01-22 08:03:22] 192.168.1.10 GET https://teams.microsoft.com/api/chatsvc/emea/v1/users/conversations 200 14882 "Teams/1.6"
[2026-01-22 08:04:01] 192.168.1.88 GET https://erp.company.local/dashboard 200 12048 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:04:09] 192.168.1.55 GET https://unpkg.com/react@18.2.0/umd/react.production.min.js 200 141200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
[2026-01-22 08:04:18] 192.168.1.22 GET https://slack.com/api/conversations.list 200 4821 "Slack/4.35 (Win64)"
[2026-01-22 08:05:01] 192.168.1.15 GET https://outlook.office365.com/owa/calendar 200 38821 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:05:11] 192.168.1.31 GET https://github.com/nikolap994/foillab 200 52841 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
[2026-01-22 08:05:22] 192.168.1.10 GET https://graph.microsoft.com/v1.0/me/calendarView 200 12840 "Teams/1.6"
[2026-01-22 08:05:33] 192.168.1.88 GET https://erp.company.local/api/reports/q4 200 18841 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:06:02] 192.168.1.55 GET https://cloudflare.com/cdn-cgi/trace 200 342 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
[2026-01-22 08:06:19] 192.168.1.22 GET https://api.slack.com/api/files.list 200 2841 "Slack/4.35 (Win64)"
[2026-01-22 08:07:01] 192.168.1.10 GET https://outlook.office365.com/mail/sentitems 200 44821 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:07:14] 192.168.1.88 GET https://erp.company.local/api/invoices?page=2 200 5288 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:07:28] 192.168.1.31 GET https://api.github.com/notifications 200 1204 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
[2026-01-22 08:08:01] 192.168.1.15 GET https://teams.microsoft.com/api/chatsvc/emea/v1/users/me/chats 200 8821 "Teams/1.6"
[2026-01-22 08:08:19] 192.168.1.55 GET https://fonts.gstatic.com/s/inter/v13/UcCO3FwrK3iLTeHuS_fvQtMwCp50KnMw.woff2 200 72841 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
[2026-01-22 08:08:33] 192.168.1.22 GET https://slack.com/api/channels.info 200 1821 "Slack/4.35 (Win64)"
[2026-01-22 08:09:00] 192.168.1.88 GET https://erp.company.local/dashboard 200 12048 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:09:11] 192.168.1.10 GET https://outlook.office365.com/mail/search?q=invoice 200 28821 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:09:22] 192.168.1.31 GET https://github.com/trending 200 84821 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
[2026-01-22 08:10:01] 192.168.1.55 GET https://api.stripe.com/v1/payment_intents 200 2841 "Stripe/v1 PythonBindings/5.4.0"
[2026-01-22 08:10:14] 192.168.1.15 GET https://login.microsoftonline.com/oauth2/v2.0/logout 200 1204 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
[2026-01-22 08:10:28] 192.168.1.22 GET https://api.slack.com/api/team.info 200 1420 "Slack/4.35 (Win64)"
[2026-01-22 08:10:44] 192.168.1.88 GET https://erp.company.local/api/purchase-orders 200 9841 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"

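# ── Anomalous traffic begins ───────────────────────────────────────────────
# The records below are interleaved with normal traffic; the first anomalous request is at 08:11:30
# from client 192.168.1.88. It stands out by its fixed 60-second spacing, plain http:// scheme and
# constant 32-byte response, even though its user-agent matches the browser string that host uses elsewhere.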

[2026-01-22 08:11:00] 192.168.1.31 GET https://github.com/explore 200 94821 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
[2026-01-22 08:11:08] 192.168.1.10 GET https://teams.microsoft.com/api/mt/part/emea-02/beta/users/me 200 4821 "Teams/1.6"
[2026-01-22 08:11:14] 192.168.1.55 GET https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js 200 72841 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
[2026-01-22 08:11:22] 192.168.1.88 GET https://erp.company.local/dashboard 200 12048 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:11:30] 192.168.1.88 GET http://c2.badactor.cc/heartbeat?token=Rk9JTHti&seq=1 200 32 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:11:38] 192.168.1.22 GET https://slack.com/api/users.identity 200 821 "Slack/4.35 (Win64)"
[2026-01-22 08:12:00] 192.168.1.15 GET https://outlook.office365.com/mail/ 200 48291 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:12:11] 192.168.1.10 GET https://teams.microsoft.com/api/chatsvc/emea/v1/users/me/conversations 200 12841 "Teams/1.6"
[2026-01-22 08:12:18] 192.168.1.31 GET https://api.github.com/repos/nikolap994/foilguard/issues 200 4821 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
[2026-01-22 08:12:30] 192.168.1.88 GET http://c2.badactor.cc/heartbeat?token=MzRjMG5f&seq=2 200 32 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:12:44] 192.168.1.55 GET https://fonts.googleapis.com/css2?family=JetBrains+Mono 200 4210 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
[2026-01-22 08:13:00] 192.168.1.22 GET https://api.slack.com/api/conversations.members 200 2841 "Slack/4.35 (Win64)"
[2026-01-22 08:13:11] 192.168.1.88 GET https://erp.company.local/api/invoices?page=3 200 5103 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:13:30] 192.168.1.88 GET http://c2.badactor.cc/heartbeat?token=M3YzcnlfNjBzfQ&seq=3 200 32 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:13:44] 192.168.1.10 GET https://outlook.office365.com/owa/service.svc 200 8841 "Microsoft Office/16.0"
[2026-01-22 08:14:00] 192.168.1.15 GET https://login.microsoftonline.com/common/oauth2/token 200 1204 "Microsoft Office/16.0"
[2026-01-22 08:14:11] 192.168.1.31 GET https://github.com/nikolap994/foilsuite 200 52841 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
[2026-01-22 08:14:30] 192.168.1.88 GET http://c2.badactor.cc/heartbeat?token=Rk9JTHti&seq=4 200 32 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:14:44] 192.168.1.55 GET https://unpkg.com/vue@3.3.4/dist/vue.global.prod.js 200 148200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
[2026-01-22 08:15:00] 192.168.1.22 GET https://slack.com/api/channels.list 200 8821 "Slack/4.35 (Win64)"
[2026-01-22 08:15:11] 192.168.1.88 GET https://erp.company.local/dashboard 200 12048 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:15:30] 192.168.1.88 GET http://c2.badactor.cc/heartbeat?token=MzRjMG5f&seq=5 200 32 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:15:44] 192.168.1.10 GET https://teams.microsoft.com/api/mt/part/emea-02/beta/users/presence 200 340 "Teams/1.6"
[2026-01-22 08:16:00] 192.168.1.15 GET https://graph.microsoft.com/v1.0/me/messages?$top=20 200 18841 "Microsoft Office/16.0"
[2026-01-22 08:16:11] 192.168.1.31 GET https://api.github.com/user 200 1204 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
[2026-01-22 08:16:30] 192.168.1.88 GET http://c2.badactor.cc/heartbeat?token=M3YzcnlfNjBzfQ&seq=6 200 32 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:16:44] 192.168.1.55 GET https://cdn.jsdelivr.net/npm/axios@1.6.0/dist/axios.min.js 200 41200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
[2026-01-22 08:17:00] 192.168.1.22 GET https://api.slack.com/api/rtm.start 200 14821 "Slack/4.35 (Win64)"
[2026-01-22 08:17:11] 192.168.1.88 GET https://erp.company.local/api/reports/q4 200 18841 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:17:30] 192.168.1.88 GET http://c2.badactor.cc/heartbeat?token=Rk9JTHti&seq=7 200 32 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
[2026-01-22 08:17:44] 192.168.1.10 GET https://outlook.office365.com/mail/drafts 200 18841 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"

# ──────────────────────────────────────────────────────────────────────────────
# END OF CAPTURE — 2026-01-22 10:00:00 UTC
# Total records: 202 | Sensor: corp-proxy-01 | Interface: eth0
