---
case_id: CASE-2026-1003
scenario: o365_suspicious_login
alert_type: azuread_suspicious_inbox_rule_after_login
severity: high
verdict: true_positive
source: soc-memory-poc
openviking_enriched: true
---

# CASE-2026-1003 Suspicious inbox rule creation after successful foreign login

## Basic Information

- Case ID: CASE-2026-1003
- Title: Suspicious inbox rule creation after successful foreign login
- Alert type: azuread_suspicious_inbox_rule_after_login
- Source system: SOC Memory POC Mock Dataset
- Time range: to be filled in
- Analyst / Agent: AI Agent Draft
- Final verdict: true positive
- Severity: high

## Alert Summary

An overseas sign-in to Microsoft 365 was followed by inbox rule creation to hide finance-related emails.

## Key Entities

- User: emma@corp.example
- Host: WS-EMMA-07
- Mailbox: emma@corp.example
- IP: 198.51.100.98
- Domain: none
- File hash: none
- Other IOCs: none

## Key Evidence

- Successful sign-in from untrusted ASN.
- Inbox rule moved wire transfer emails to RSS Feeds folder.
- Mailbox audit showed rule creation minutes after login.

## Triage Process Summary

1. Confirm the alert scenario and core risk: An overseas sign-in to Microsoft 365 was followed by inbox rule creation to hide finance-related emails.
2. Extract key evidence and cross-validate: Successful sign-in from untrusted ASN.
3. Re-check the alert pattern and response path against the linked playbook / KB.
4. Reach a verdict based on the key evidence and scenario pattern: true positive.

## Basis for Verdict

- The verdict is true positive.
- Most critical evidence: Successful sign-in from untrusted ASN.
- Supporting evidence: Inbox rule moved wire transfer emails to RSS Feeds folder.

## Response Recommendations

- Review the sign-in source, MFA events, and any subsequent mailbox-rule or OAuth changes.
- If there are signs of account takeover, immediately invalidate sessions and reset credentials.

## Reusable Pattern

- Matched pattern: scenario:o365_suspicious_login, alert_type:azuread_suspicious_inbox_rule_after_login
- False-positive indicators: none
- Variants to watch:

Related tags: o365, login, inbox-rule, account-compromise

## Linked Knowledge

- Linked Playbook: [[PB-O365-LOGIN-001]]
- Linked KB: [[KB-O365-INBOX-RULE-ABUSE]], [[KB-O365-IMPOSSIBLE-TRAVEL]]
- Linked historical cases: [[CASE-2026-1005]], [[CASE-2026-1001]]
- Linked entities: [[emma@corp.example]], [[WS-EMMA-07]]

## Automatic Association Recommendations

### Recommended Historical Cases

- [[CASE-2026-1005]] (case score=0.667) This directory contains a single case record documenting a false positive alert triggered by Microsoft 365’s impossible travel detection sys...
- [[CASE-2026-1001]] (case score=0.666) This document is a structured case report detailing a high-severity security incident involving suspicious login activity in an Office 365 e...

### Recommended Knowledge Entries

- [[PB-O365-LOGIN-001]] (knowledge score=0.653) This directory contains a security playbook focused on detecting and responding to suspicious Microsoft Entra ID sign-in activities within M...
- [[KB-O365-IMPOSSIBLE-TRAVEL]] (knowledge score=0.645) This directory contains a knowledge base artifact focused on analyzing and validating Microsoft 365 impossible travel alerts—security events...

## Lessons Learned

- This case can serve as a quick-reference precedent for triaging similar alerts in future.
- If the same lure, the same sign-in pattern, or the same key evidence appears again, this case and its linked knowledge should be consulted first.

## Tags

- #case
- #scenario/o365_suspicious_login
- #alert/azuread_suspicious_inbox_rule_after_login
- #verdict/true-positive
- #o365
- #login
- #inbox-rule
- #account-compromise
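The detection pattern this case records (a successful sign-in from an untrusted ASN, followed within minutes by a `New-InboxRule` that diverts finance-themed mail into a rarely viewed folder) can be expressed as a small correlation over sign-in and mailbox-audit events. The following is an added example written for this page, not code from the SOC Memory POC or any Microsoft product. The event field names (`ts`, `user`, `ip`, `asn`, `result`, `operation`, `params`) are simplified stand-ins for Entra ID sign-in log and Exchange mailbox audit fields, the trusted-ASN list and the constructed timestamps are assumptions, and the rule parameter names (`SubjectContainsWords`, `MoveToFolder`, `DeleteMessage`) mirror the Exchange inbox-rule cmdlet parameters of the same name.

```python
"""Correlate untrusted-ASN sign-ins with inbox-rule creation (added example)."""
from datetime import datetime, timedelta

# Constructed sample events. User/IP values are the case's own entities;
# timestamps, ASNs and the second user are invented for illustration.
SIGNINS = [
    {"ts": "2026-03-04T02:09:40Z", "user": "emma@corp.example",
     "ip": "198.51.100.98", "asn": 64500, "result": "failure"},
    {"ts": "2026-03-04T02:11:05Z", "user": "emma@corp.example",
     "ip": "198.51.100.98", "asn": 64500, "result": "success"},
    {"ts": "2026-03-03T09:00:00Z", "user": "bob@corp.example",
     "ip": "203.0.113.10", "asn": 64501, "result": "success"},
]

MAILBOX_AUDIT = [
    {"ts": "2026-03-04T02:17:30Z", "user": "emma@corp.example",
     "operation": "New-InboxRule",
     "params": {"Name": ".", "SubjectContainsWords": ["wire transfer", "invoice"],
                "MoveToFolder": "RSS Feeds", "MarkAsRead": True}},
    {"ts": "2026-03-03T09:30:00Z", "user": "bob@corp.example",
     "operation": "New-InboxRule",
     "params": {"Name": "Newsletters", "FromAddressContainsWords": ["news"],
                "MoveToFolder": "Newsletters"}},
]

TRUSTED_ASNS = {64501}  # assumption: ASNs the organisation normally signs in from
FINANCE_KEYWORDS = {"wire", "transfer", "invoice", "payment", "bank", "ach"}
# Folders users rarely open; "RSS Feeds" is the folder named in this case.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk email",
                  "deleted items", "archive", "conversation history"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def rule_hides_finance_mail(params):
    """True when a rule both matches finance-themed mail and hides it."""
    words = []
    for key in ("SubjectContainsWords", "BodyContainsWords",
                "SubjectOrBodyContainsWords"):
        words.extend(params.get(key, []))
    tokens = {tok for w in words for tok in w.lower().split()}
    matches_finance = bool(tokens & FINANCE_KEYWORDS)
    hides = bool(params.get("DeleteMessage")) or \
        params.get("MoveToFolder", "").lower() in HIDING_FOLDERS
    return matches_finance and hides


def correlate(signins, audit, window_minutes=60, trusted_asns=TRUSTED_ASNS):
    """Pair each successful untrusted-ASN sign-in with rule changes that the
    same user made within `window_minutes` after it."""
    findings = []
    window = timedelta(minutes=window_minutes)
    for s in signins:
        if s["result"] != "success" or s["asn"] in trusted_asns:
            continue
        login_at = parse_ts(s["ts"])
        for ev in audit:
            if ev["user"] != s["user"] or ev["operation"] not in RULE_OPERATIONS:
                continue
            delta = parse_ts(ev["ts"]) - login_at
            if not (timedelta(0) <= delta <= window):
                continue
            hides = rule_hides_finance_mail(ev["params"])
            findings.append({
                "user": s["user"],
                "login_ip": s["ip"],
                "login_asn": s["asn"],
                "rule_name": ev["params"].get("Name"),
                "seconds_after_login": int(delta.total_seconds()),
                "hides_finance_mail": hides,
                # A rule that hides finance mail is the account-takeover
                # pattern this case documents; anything else is worth a look.
                "severity": "high" if hides else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in correlate(SIGNINS, MAILBOX_AUDIT):
        print(f)
```

The ordering check (`timedelta(0) <= delta`) matters: a rule created before the suspicious sign-in is a different investigation, not evidence of this pattern. The rule name `.` in the sample is the kind of low-visibility name an analyst should treat as a signal in its own right, alongside the folder choice.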