{
"case_id": "CASE-2026-0004",
"title": "Shared mailbox received OneDrive lure with HTML attachment",
"scenario": "phishing",
"alert_type": "mail_suspicious_attachment",
"severity": "medium",
"status": "confirmed",
"time_window": {"start": "2026-04-07T10:00:00+08:00", "end": "2026-04-07T12:05:00+08:00"},
"summary": "Shared finance mailbox received a fake OneDrive notification with an HTML attachment that led to credential collection.",
"alert_source": "Secure Email Gateway",
"entities": {"users": ["shared-finance@corp.example"], "hosts": [], "mailboxes": ["shared-finance@corp.example"]},
"observables": {"sender_emails": ["noreply@sharepoint-notify.com"], "domains": ["sharepoint-notify.com"], "urls": ["https://onedrive-review-login.example"], "ips": ["198.51.100.87"], "hashes": ["sha256:phish0004"]},
"evidence": ["Attachment rendered a fake Microsoft sign-in page.", "Landing page hosted outside Microsoft IP space.", "Mail body reused branding from previous phishing campaign."],
"investigation_steps": ["Render attachment safely.", "Review URL hosting provider reputation.", "Search tenant for same subject and sender."],
"conclusion": {"verdict": "true_positive", "reason": "Credential harvesting lure with campaign reuse indicators.", "recommended_actions": ["Block sender and URL.", "Search and purge duplicate emails."]},
"related_refs": {"playbooks": ["PB-PHISH-001"], "kb": ["KB-CRED-HARVEST-PATTERNS"], "cases": ["CASE-2026-0001"]},
"lessons_learned": ["Campaign reuse makes historical phishing similarity especially valuable."],
"tags": ["phishing", "email", "onedrive-lure"]
}