--- case_id: CASE-2026-0004 scenario: phishing alert_type: mail_suspicious_attachment severity: medium verdict: true_positive source: soc-memory-poc openviking_enriched: true --- # CASE-2026-0004 Shared mailbox received OneDrive lure with HTML attachment ## 基本信息 - Case ID: CASE-2026-0004 - 标题: Shared mailbox received OneDrive lure with HTML attachment - 告警类型: mail_suspicious_attachment - 来源系统: SOC Memory POC Mock Dataset - 时间范围: 待补充 - 研判人 / Agent: AI Agent Draft - 最终结论: 真报 - 严重等级: medium ## 告警摘要 Shared finance mailbox received a fake OneDrive notification with an HTML attachment that led to credential collection. ## 关键实体 - 用户: shared-finance@corp.example - 主机: 无 - 邮箱: shared-finance@corp.example - IP: 198.51.100.87 - 域名: sharepoint-notify.com - 文件 Hash: sha256:phish0004 - 其他 IOC: https://onedrive-review-login.example, noreply@sharepoint-notify.com ## 关键证据 - Attachment rendered a fake Microsoft sign-in page. - Landing page hosted outside Microsoft IP space. - Mail body reused branding from previous phishing campaign. ## 研判过程摘要 1. 确认告警场景与核心风险:Shared finance mailbox received a fake OneDrive notification with an HTML attachment that led to credential collection. 2. 提取关键证据并交叉验证:Attachment rendered a fake Microsoft sign-in page. 3. 对照关联 playbook / KB 复核告警模式与处置路径。 4. 基于关键证据与场景模式完成结论判定:真报。 ## 结论依据 - 结论为真报。 - 最关键依据:Attachment rendered a fake Microsoft sign-in page. - 补充依据:Landing page hosted outside Microsoft IP space. ## 处置建议 - 隔离相同主题、发件人或 URL 的邮件样本。 - 核查用户是否点击或提交凭据,并按需执行凭据重置。 ## 可复用模式 - 命中模式: scenario:phishing, alert_type:mail_suspicious_attachment - 误报特征: 无 - 需关注的变体: 相关标签:phishing, email, onedrive-lure ## 关联知识 - 关联 Playbook: [[PB-PHISH-001]] - 关联 KB: [[KB-CRED-HARVEST-PATTERNS]] - 关联历史 Case: [[CASE-2026-0001]], [[CASE-2026-0003]] - 关联实体: [[shared-finance@corp.example]] ## 自动关联推荐 ### 推荐历史 Case - [[CASE-2026-0001]] (case score=0.675) This directory contains a structured case report detailing a high-severity phishing incident targeting a finance user via a malicious invoic... - [[CASE-2026-0003]] (case score=0.606) This directory contains a structured incident report for a high-severity phishing attack involving executive impersonation, classified under... ### 推荐知识条目 - [[KB-CRED-HARVEST-PATTERNS]] (knowledge score=0.652) This directory contains a structured knowledge base artifact focused on identifying and investigating credential harvesting campaigns, parti... - [[PB-PHISH-001]] (knowledge score=0.608) This directory contains a phishing email investigation playbook designed to standardize incident response procedures for suspicious emails, ... ## Lessons Learned - 本案可沉淀为后续同类告警的快速判定参考。 - 若后续出现相同 lure、同类登录模式或相同关键证据,应优先联想本案与关联知识。 ## 标签 - #case - #scenario/phishing - #alert/mail_suspicious_attachment - #verdict/true-positive - #phishing - #email - #onedrive-lure