{
"doc_id": "KB-CRED-HARVEST-PATTERNS",
"doc_type": "kb",
"title": "Credential Harvesting Indicators",
"scenario": "phishing",
"summary": "Common indicators that a phishing case involves credential harvesting rather than simple spam or benign mail.",
"applicability": ["mail_suspicious_attachment", "mail_suspicious_link"],
"key_points": ["Landing page mimics Microsoft 365 or common SaaS login pages, often on a lookalike or recently registered domain rather than the vendor's own.", "HTML attachment often acts as a redirector that sends the browser to an external harvesting page rather than containing malware, so the attachment itself may not trigger malware detection.", "Credential harvest campaigns frequently reuse branding and lures across tenants."],
"investigation_guidance": ["Capture the full redirect chain (every hop, including HTML attachment redirects) in an isolated analysis environment; do not follow links from a production host or submit real credentials.", "Look for post-click login anomalies in identity logs for the affected user in the window after the click (e.g., sign-ins from unfamiliar IPs or locations, unusual user agents, failed or unexpected MFA prompts, new device or OAuth app registrations).", "Search for the same lure across multiple mailboxes by sender, subject, URL or domain, and attachment hash to establish campaign scope."],
"decision_points": ["A user click alone does not confirm credentials were submitted; a click followed by a sign-in anomaly greatly increases confidence that credentials were harvested.", "Branding reuse can help link separate phishing cases into one campaign, but is not by itself evidence of a single actor, since lure kits are widely shared."],
"related_entities": {"ttps": ["T1566.002"], "iocs": []},
"related_refs": {"playbooks": ["PB-PHISH-001"], "cases": []},
"tags": ["kb", "phishing", "credential-harvest"],
"updated_at": "2026-04-10T09:25:00+08:00"
}