{
  "case_id": "CASE-2026-1003",
  "title": "Suspicious inbox rule creation after successful foreign login",
  "scenario": "o365_suspicious_login",
  "alert_type": "azuread_suspicious_inbox_rule_after_login",
  "severity": "high",
  "status": "confirmed",
  "time_window": {"start": "2026-04-06T19:20:00+08:00", "end": "2026-04-06T20:45:00+08:00"},
  "summary": "An overseas sign-in to Microsoft 365 was followed by inbox rule creation to hide finance-related emails.",
  "alert_source": "Microsoft Defender for Cloud Apps",
  "entities": {"users": ["emma@corp.example"], "hosts": ["WS-EMMA-07"], "mailboxes": ["emma@corp.example"]},
  "observables": {"ips": ["198.51.100.98"], "domains": [], "urls": [], "hashes": []},
  "evidence": ["Successful sign-in from untrusted ASN.", "Inbox rule moved wire transfer emails to RSS Feeds folder.", "Mailbox audit showed rule creation minutes after login."],
  "investigation_steps": ["Review mailbox audit logs.", "Export suspicious inbox rules.", "Check for OAuth app consent and forwarding settings."],
  "conclusion": {"verdict": "true_positive", "reason": "Account compromise indicators plus malicious inbox rule persistence.", "recommended_actions": ["Remove malicious rules.", "Reset account and revoke refresh tokens."]},
  "related_refs": {"playbooks": ["PB-O365-LOGIN-001"], "kb": ["KB-O365-INBOX-RULE-ABUSE", "KB-O365-IMPOSSIBLE-TRAVEL"], "cases": []},
  "lessons_learned": ["Mailbox rule inspection should be default for suspicious O365 login cases."],
  "tags": ["o365", "login", "inbox-rule", "account-compromise"]
}