{
"id": "CASE-2026-0004",
"memory_type": "case",
"scenario": "phishing",
"title": "Shared mailbox received OneDrive lure with HTML attachment",
"abstract": "Shared finance mailbox received a fake OneDrive notification with an HTML attachment that led to credential collection.",
"verdict": "true_positive",
"severity": "medium",
"entities": {
"users": [
"shared-finance@corp.example"
],
"hosts": [],
"mailboxes": [
"shared-finance@corp.example"
]
},
"observables": {
"sender_emails": [
"noreply@sharepoint-notify.com"
],
"domains": [
"sharepoint-notify.com"
],
"urls": [
"https://onedrive-review-login.example"
],
"ips": [
"198.51.100.87"
],
"hashes": [
"sha256:phish0004"
]
},
"evidence": [
"Attachment rendered a fake Microsoft sign-in page.",
"Landing page hosted outside Microsoft IP space.",
"Mail body reused branding from previous phishing campaign."
],
"patterns": [
"verdict:true_positive",
"scenario:phishing",
"alert_type:mail_suspicious_attachment"
],
"related_refs": {
"playbooks": [
"PB-PHISH-001"
],
"kb": [
"KB-CRED-HARVEST-PATTERNS"
],
"cases": [
"CASE-2026-0001"
]
},
"source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_cases/phishing/CASE-2026-0004.json",
"tags": [
"phishing",
"email",
"onedrive-lure"
]
}