{
"case_id": "CASE-2026-0001",
"title": "Finance user received invoice-themed phishing email",
"scenario": "phishing",
"alert_type": "mail_suspicious_attachment",
"severity": "high",
"status": "confirmed",
"time_window": {"start": "2026-04-01T09:10:00+08:00", "end": "2026-04-01T11:30:00+08:00"},
"summary": "Finance user received an invoice-themed phishing email containing a malicious HTML attachment that redirected to a credential harvesting page.",
"alert_source": "Secure Email Gateway",
"entities": {"users": ["alice@corp.example"], "hosts": ["FIN-LAPTOP-12"], "mailboxes": ["alice@corp.example"]},
"observables": {"sender_emails": ["billing@vendor-payments.com"], "domains": ["vendor-payments.com", "vendor-payments-login.com"], "urls": ["https://vendor-payments-login.com/review"], "ips": ["198.51.100.20"], "hashes": ["sha256:phish0001"]},
"evidence": ["Sender domain was newly observed and failed DMARC.", "Attachment redirected to a fake Microsoft 365 login page.", "User clicked the link before mail quarantine completed."],
"investigation_steps": ["Validate sender authentication results.", "Detonate HTML attachment in sandbox.", "Check mailbox click telemetry and account sign-in logs."],
"conclusion": {"verdict": "true_positive", "reason": "Phishing indicators were consistent with one another and the user's click on the link was confirmed.", "recommended_actions": ["Reset impacted account password.", "Block sender domain and landing URL.", "Hunt for similar emails across the tenant."]},
"related_refs": {"playbooks": ["PB-PHISH-001"], "kb": ["KB-PHISH-HEADER-CHECK", "KB-CRED-HARVEST-PATTERNS"], "cases": []},
"lessons_learned": ["Invoice lure remains effective against finance users."],
"tags": ["phishing", "email", "credential-harvest", "finance"]
}