{ "id": "KB-PHISH-HEADER-CHECK", "memory_type": "knowledge", "doc_type": "kb", "scenario": "phishing", "title": "Phishing Header Validation Checklist", "abstract": "Checklist for validating sender identity, domain reputation, and authentication results in suspected phishing emails.", "key_points": [ "Review SPF and DKIM results and DMARC alignment.", "Compare the display name, envelope sender, and Reply-To address for mismatches.", "Check domain age and known-good communication history." ], "investigation_guidance": [ "Use message trace and a header parser.", "Compare the sender domain against the vendor allowlist.", "Escalate lookalike domains even when the content appears business-relevant." ], "decision_points": [ "Newly observed domains with failed authentication are high-risk.", "Benign vendor mail often has consistent historical sending patterns." ], "related_refs": { "playbooks": [ "PB-PHISH-001" ], "cases": [] }, "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/kb/KB-PHISH-HEADER-CHECK.json", "tags": [ "kb", "phishing", "email-header" ] }