{
  "id": "CASE-2026-0001",
  "memory_type": "case",
  "scenario": "phishing",
  "title": "Finance user received invoice-themed phishing email",
  "abstract": "Finance user received an invoice-themed phishing email containing a malicious HTML attachment that redirected to a credential harvesting page.",
  "verdict": "true_positive",
  "severity": "high",
  "entities": {
    "users": [
      "alice@corp.example"
    ],
    "hosts": [
      "FIN-LAPTOP-12"
    ],
    "mailboxes": [
      "alice@corp.example"
    ]
  },
  "observables": {
    "sender_emails": [
      "billing@vendor-payments.com"
    ],
    "domains": [
      "vendor-payments.com",
      "vendor-payments-login.com"
    ],
    "urls": [
      "https://vendor-payments-login.com/review"
    ],
    "ips": [
      "198.51.100.20"
    ],
    "hashes": [
      "sha256:phish0001"
    ]
  },
  "evidence": [
    "Sender domain was newly observed and failed DMARC.",
    "Attachment redirected to a fake Microsoft 365 login page.",
    "User clicked the link before mail quarantine completed."
  ],
  "patterns": [
    "verdict:true_positive",
    "scenario:phishing",
    "alert_type:mail_suspicious_attachment"
  ],
  "related_refs": {
    "playbooks": [
      "PB-PHISH-001"
    ],
    "kb": [
      "KB-PHISH-HEADER-CHECK",
      "KB-CRED-HARVEST-PATTERNS"
    ],
    "cases": []
  },
  "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_cases/phishing/CASE-2026-0001.json",
  "tags": [
    "phishing",
    "email",
    "credential-harvest",
    "finance"
  ]
}