16 lines
1.1 KiB
JSON
16 lines
1.1 KiB
JSON
{
|
|
"doc_id": "KB-PHISH-HEADER-CHECK",
|
|
"doc_type": "kb",
|
|
"title": "Phishing Header Validation Checklist",
|
|
"scenario": "phishing",
|
|
"summary": "Checklist for validating sender identity, domain reputation, and authentication results in suspected phishing emails.",
|
|
"applicability": ["mail_suspicious_attachment", "mail_suspicious_link", "mail_bec_impersonation"],
|
|
"key_points": ["Review SPF, DKIM, and DMARC alignment.", "Compare display name, envelope sender, and reply-to anomalies.", "Check domain age and known-good communication history."],
|
|
"investigation_guidance": ["Use message trace and header parser.", "Compare sender domain with vendor allowlist.", "Escalate lookalike domains even when content appears business-relevant."],
|
|
"decision_points": ["Newly observed domains with failed auth are high-risk.", "Benign vendor mail often has consistent historical sending patterns."],
|
|
"related_entities": {"ttps": ["T1566.001"], "iocs": []},
|
|
"related_refs": {"playbooks": ["PB-PHISH-001"], "cases": []},
|
|
"tags": ["kb", "phishing", "email-header"],
|
|
"updated_at": "2026-04-10T09:20:00+08:00"
|
|
}
|