---
case_id: CASE-2026-0001
scenario: phishing
alert_type: mail_suspicious_attachment
severity: high
verdict: true_positive
source: soc-memory-poc
openviking_enriched: true
---

# CASE-2026-0001 Finance user received invoice-themed phishing email

## 基本信息

- Case ID: CASE-2026-0001
- 标题: Finance user received invoice-themed phishing email
- 告警类型: mail_suspicious_attachment
- 来源系统: SOC Memory POC Mock Dataset
- 时间范围: 待补充
- 研判人 / Agent: AI Agent Draft
- 最终结论: 真报
- 严重等级: high

## 告警摘要

Finance user received an invoice-themed phishing email containing a malicious HTML attachment that redirected to a credential harvesting page.

## 关键实体

- 用户: alice@corp.example
- 主机: FIN-LAPTOP-12
- 邮箱: alice@corp.example
- IP: 198.51.100.20
- 域名: vendor-payments.com, vendor-payments-login.com
- 文件 Hash: sha256:phish0001
- 其他 IOC: https://vendor-payments-login.com/review, billing@vendor-payments.com

## 关键证据

- Sender domain was newly observed and failed DMARC.
- Attachment redirected to a fake Microsoft 365 login page.
- User clicked the link before mail quarantine completed.

## 研判过程摘要

1. 确认告警场景与核心风险：Finance user received an invoice-themed phishing email containing a malicious HTML attachment that redirected to a credential harvesting page.
2. 提取关键证据并交叉验证：Sender domain was newly observed and failed DMARC.
3. 对照关联 playbook / KB 复核告警模式与处置路径。
4. 基于关键证据与场景模式完成结论判定：真报。

## 结论依据

- 结论为真报。
- 最关键依据：Sender domain was newly observed and failed DMARC.
- 补充依据：Attachment redirected to a fake Microsoft 365 login page.

## 处置建议

- 隔离相同主题、发件人或 URL 的邮件样本。
- 核查用户是否点击或提交凭据，并按需执行凭据重置。

## 可复用模式

- 命中模式: scenario:phishing, alert_type:mail_suspicious_attachment
- 误报特征: 无
- 需关注的变体: 相关标签：phishing, email, credential-harvest, finance

## 关联知识

- 关联 Playbook: [[PB-PHISH-001]]
- 关联 KB: [[KB-PHISH-HEADER-CHECK]], [[KB-CRED-HARVEST-PATTERNS]]
- 关联历史 Case: [[CASE-2026-0004]], [[CASE-2026-0002]]
- 关联实体: [[alice@corp.example]], [[FIN-LAPTOP-12]]

## 自动关联推荐

### 推荐历史 Case

- [[CASE-2026-0004]] (case score=0.662) This directory contains a structured incident case report related to a phishing attack targeting a shared mailbox via a spoofed OneDrive not...
- [[CASE-2026-0002]] (case score=0.631) This directory contains a single case record detailing the investigation of a suspicious payroll notification email flagged due to a shorten...

### 推荐知识条目

- [[KB-CRED-HARVEST-PATTERNS]] (knowledge score=0.656) This directory contains a structured knowledge base artifact focused on identifying and investigating credential harvesting campaigns, parti...
- [[PB-PHISH-001]] (knowledge score=0.639) This directory contains a phishing email investigation playbook designed to standardize incident response procedures for suspicious emails, ...

## Lessons Learned

- 本案可沉淀为后续同类告警的快速判定参考。
- 若后续出现相同 lure、同类登录模式或相同关键证据，应优先联想本案与关联知识。

## 标签

- #case
- #scenario/phishing
- #alert/mail_suspicious_attachment
- #verdict/true-positive
- #phishing
- #email
- #credential-harvest
- #finance