{
  "doc_id": "PB-PHISH-001",
  "doc_type": "playbook",
  "title": "Phishing Email Investigation Playbook",
  "scenario": "phishing",
  "summary": "Standard investigation steps for suspicious email, credential harvesting, and BEC-like cases.",
  "applicability": ["mail_suspicious_attachment", "mail_suspicious_link", "mail_bec_impersonation"],
  "key_points": ["Validate sender authentication results.", "Inspect landing URL and attachment behavior.", "Check whether the user clicked or submitted credentials."],
  "investigation_guidance": ["Query email telemetry for same sender, subject, or URL.", "Review mailbox click logs and endpoint browser artifacts.", "Reset credentials if submission is suspected."],
  "decision_points": ["If sender auth fails and user interaction exists, treat as likely phishing.", "If destination is allowlisted and communication pattern is expected, investigate false positive path."],
  "related_entities": {"ttps": ["T1566"], "iocs": []},
  "related_refs": {"kb": ["KB-PHISH-HEADER-CHECK", "KB-CRED-HARVEST-PATTERNS"], "cases": []},
  "tags": ["playbook", "phishing", "email"],
  "updated_at": "2026-04-10T09:00:00+08:00"
}