20 lines
1.5 KiB
JSON
20 lines
1.5 KiB
JSON
{
|
|
"case_id": "CASE-2026-0003",
|
|
"title": "Executive impersonation email requested urgent wire transfer",
|
|
"scenario": "phishing",
|
|
"alert_type": "mail_bec_impersonation",
|
|
"severity": "high",
|
|
"status": "confirmed",
|
|
"time_window": {"start": "2026-04-05T13:15:00+08:00", "end": "2026-04-05T15:00:00+08:00"},
|
|
"summary": "An executive impersonation email targeted finance staff with an urgent wire transfer request from a lookalike domain.",
|
|
"alert_source": "Secure Email Gateway",
|
|
"entities": {"users": ["carol@corp.example"], "hosts": ["FIN-LAPTOP-08"], "mailboxes": ["carol@corp.example"]},
|
|
"observables": {"sender_emails": ["ceo@c0rp-example.com"], "domains": ["c0rp-example.com"], "urls": [], "ips": ["203.0.113.45"], "hashes": []},
|
|
"evidence": ["Lookalike domain used numeric substitution.", "Language pressure matched prior BEC pattern.", "No historical communication from sender domain."],
|
|
"investigation_steps": ["Compare sender domain with corporate domain.", "Review historical communication graph.", "Confirm with executive assistant out of band."],
|
|
"conclusion": {"verdict": "true_positive", "reason": "Strong BEC indicators and confirmed spoofed sender identity.", "recommended_actions": ["Block sender domain.", "Notify finance team and update awareness content."]},
|
|
"related_refs": {"playbooks": ["PB-PHISH-001"], "kb": ["KB-CRED-HARVEST-PATTERNS"], "cases": []},
|
|
"lessons_learned": ["Lookalike domains need strong entity normalization in retrieval and detection logic."],
|
|
"tags": ["phishing", "bec", "executive-impersonation"]
|
|
}
|