---
case_id: CASE-2026-0003
scenario: phishing
alert_type: mail_bec_impersonation
severity: high
verdict: true_positive
source: soc-memory-poc
openviking_enriched: true
---

# CASE-2026-0003 Executive impersonation email requested urgent wire transfer

## Basic information

- Case ID: CASE-2026-0003
- Title: Executive impersonation email requested urgent wire transfer
- Alert type: mail_bec_impersonation
- Source system: SOC Memory POC Mock Dataset
- Time range: to be added
- Analyst / Agent: AI Agent Draft
- Final verdict: true positive
- Severity: high

## Alert summary

An executive impersonation email targeted finance staff with an urgent wire transfer request from a lookalike domain.

## Key entities

- User: carol@corp.example
- Host: FIN-LAPTOP-08
- Mailbox: carol@corp.example
- IP: 203.0.113.45
- Domain: c0rp-example.com
- File hash: none
- Other IOCs: ceo@c0rp-example.com

## Key evidence

- Lookalike domain used numeric substitution.
- Language pressure matched prior BEC pattern.
- No historical communication from sender domain.

## Triage summary

1. Confirm the alert scenario and core risk: An executive impersonation email targeted finance staff with an urgent wire transfer request from a lookalike domain.
2. Extract the key evidence and cross-validate it: Lookalike domain used numeric substitution.
3. Review the alert pattern and response path against the linked playbook / KB.
4. Reach the verdict from the key evidence and scenario pattern: true positive.

## Basis for the verdict

- Verdict: true positive.
- Primary basis: Lookalike domain used numeric substitution.
- Supporting basis: Language pressure matched prior BEC pattern.

## Response recommendations

- Quarantine mail samples sharing the same subject, sender or URL.
- Check whether the user clicked the link or submitted credentials, and perform a credential reset as needed.

## Reusable patterns

- Matched pattern: scenario:phishing, alert_type:mail_bec_impersonation
- False-positive indicators: none
- Variants to watch:

Related tags: phishing, bec, executive-impersonation

## Linked knowledge

- Linked playbook: [[PB-PHISH-001]]
- Linked KB: [[KB-CRED-HARVEST-PATTERNS]], [[KB-PHISH-HEADER-CHECK]]
- Linked historical cases: [[CASE-2026-0001]], [[CASE-2026-0004]]
- Linked entities: [[carol@corp.example]], [[FIN-LAPTOP-08]]

## Automatic link recommendations

### Recommended historical cases

- [[CASE-2026-0001]] (case score=0.572) This directory contains a structured case report detailing a high-severity phishing incident targeting a finance user via a malicious invoic...
- [[CASE-2026-0004]] (case score=0.566) This directory contains a structured incident case report related to a phishing attack targeting a shared mailbox via a spoofed OneDrive not...

### Recommended knowledge entries

- [[PB-PHISH-001]] (knowledge score=0.538) This directory contains a phishing email investigation playbook designed to standardize incident response procedures for suspicious emails, ...
- [[KB-CRED-HARVEST-PATTERNS]] (knowledge score=0.522) This directory contains a structured knowledge base artifact focused on identifying and investigating credential harvesting campaigns, parti...
- [[KB-PHISH-HEADER-CHECK]] (knowledge score=0.512) This directory contains a structured knowledge base document focused on validating phishing emails through detailed analysis of email header...

## Lessons Learned

- This case can serve as a quick-verdict reference for future alerts of the same kind.
- If the same lure, a similar login pattern or the same key evidence appears again, recall this case and its linked knowledge first.

## Tags

- #case
- #scenario/phishing
- #alert/mail_bec_impersonation
- #verdict/true-positive
- #phishing
- #bec
- #executive-impersonation
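The three evidence items in this case (numeric-substitution lookalike domain, urgency language, no prior contact with the sender domain) are mechanical enough to script as a first-pass triage check. The following is an added example written for this report, not tooling from the SOC Memory POC dataset. It assumes the protected domain is `corp.example` (so the reserved `example` label is treated as a non-distinguishing suffix, which a production version would replace with a public-suffix list), a constructed in-memory set of domains with prior mail history, and constructed sample messages modelled on the case, not the original mail.

```python
"""First-pass BEC triage: lookalike-domain, first-contact and urgency checks.

Added example for CASE-2026-0003; the sample messages and the known-sender
set below are constructed, not taken from the case's mail data.
"""
import re

PROTECTED_DOMAIN = "corp.example"  # assumption: the organisation's own domain

# Digit-for-letter swaps commonly used in lookalike registrations (0->o, 1->l, ...).
DIGIT_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                           "5": "s", "7": "t", "8": "b"})

# Suffix labels that do not distinguish a domain. "example" is listed only
# because this case uses the reserved corp.example domain (assumption).
SUFFIX_LABELS = {"com", "net", "org", "co", "example"}

# Pressure vocabulary typical of wire-transfer BEC lures.
URGENCY_TERMS = ("urgent", "immediately", "wire transfer", "today", "confidential")


def core_label(domain: str) -> str:
    """Reduce a domain to its distinguishing label: split on '.' and '-',
    drop trailing suffix labels, then undo digit-for-letter substitutions.
    c0rp-example.com and corp.example both reduce to 'corp'."""
    labels = [part for part in re.split(r"[.\-]", domain.lower()) if part]
    while len(labels) > 1 and labels[-1] in SUFFIX_LABELS:
        labels.pop()
    return "".join(labels).translate(DIGIT_MAP)


def is_numeric_lookalike(domain: str, protected: str = PROTECTED_DOMAIN) -> bool:
    """True when the domain is not the protected one, contains a digit, and
    collapses to the same core label once digit substitutions are undone."""
    d = domain.lower()
    if d == protected.lower():
        return False
    return any(c.isdigit() for c in d) and core_label(d) == core_label(protected)


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def triage(sender: str, subject: str, body: str, known_domains,
           protected: str = PROTECTED_DOMAIN) -> dict:
    """Return the evidence items that fire for one message plus a rough severity."""
    reasons = []
    domain = sender_domain(sender)

    if is_numeric_lookalike(domain, protected):
        reasons.append("lookalike_domain_numeric_substitution")

    # First-contact check: external domain with no prior mail history.
    if domain != protected.lower() and domain not in known_domains:
        reasons.append("no_prior_communication_with_sender_domain")

    text = f"{subject} {body}".lower()
    hits = [term for term in URGENCY_TERMS if term in text]
    if len(hits) >= 2:
        reasons.append("urgency_language:" + ",".join(hits))

    severity = "high" if len(reasons) >= 2 else ("medium" if reasons else "low")
    return {"sender_domain": domain, "reasons": reasons, "severity": severity}


if __name__ == "__main__":
    # Constructed inputs modelled on the case, not the original mail.
    history = {"vendor.example", "bank.example"}
    print(triage("ceo@c0rp-example.com", "URGENT wire transfer",
                 "Please process the wire transfer immediately and keep it confidential.",
                 history))
    print(triage("carol@corp.example", "Lunch", "See you at noon.", history))
```

The lookalike check deliberately requires a digit in the suspect domain, so it only claims the "numeric substitution" evidence this case records; a plain hyphen or TLD variant without digits still surfaces through the first-contact check rather than being silently accepted.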