memory-gateway/obsidian-vault/02_Cases/phishing/CASE-2026-0003 - Executive impersonation email requested urgent wire transfer.md

Frontmatter

  • case_id: CASE-2026-0003
  • scenario: phishing
  • alert_type: mail_bec_impersonation
  • severity: high
  • verdict: true_positive
  • source: soc-memory-poc
  • openviking_enriched: true

CASE-2026-0003 Executive impersonation email requested urgent wire transfer

Basic Information

  • Case ID: CASE-2026-0003
  • Title: Executive impersonation email requested urgent wire transfer
  • Alert type: mail_bec_impersonation
  • Source system: SOC Memory POC Mock Dataset
  • Time range: to be filled in
  • Analyst / Agent: AI Agent Draft
  • Final verdict: true positive
  • Severity: high

Alert Summary

An executive impersonation email targeted finance staff with an urgent wire transfer request from a lookalike domain.

Key Entities

Key Evidence

  • Lookalike domain used numeric substitution.
  • Language pressure matched prior BEC pattern.
  • No historical communication from sender domain.

Triage Process Summary

  1. Confirm the alert scenario and core risk: an executive impersonation email targeted finance staff with an urgent wire transfer request from a lookalike domain.
  2. Extract the key evidence and cross-check it: the lookalike domain used numeric substitution.
  3. Review the alert pattern and response path against the related playbook / KB.
  4. Reach a verdict from the key evidence and scenario pattern: true positive.
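The two checks behind the key evidence (a sender domain that imitates a trusted domain through digit-for-letter substitution, and no prior mail history from that domain) can be run mechanically, together with a simple scan for the BEC pressure language the case cites. The following is an added example written for this note, not code from the SOC Memory POC dataset; the trusted domain examplecorp.com, the sender domain examp1ecorp.com, the mail log and the message text are all constructed.

```python
"""Lookalike-domain, prior-contact and pressure-language checks for a BEC alert.
Added example for this case note; not code from the SOC Memory POC dataset.
Every domain, log entry and message body below is constructed for illustration."""
from typing import List, Optional, Tuple

# Digits that lookalike domains commonly swap in for visually similar letters
DIGIT_TO_LETTER = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"}

# Phrases typical of BEC "language pressure" (urgency plus a payment instruction)
PRESSURE_PHRASES = ("urgent", "immediately", "wire transfer", "confidential", "before end of day")

# Constructed mail history: one entry per prior inbound message, keyed by sender domain
SAMPLE_MAIL_LOG = [
    {"from_domain": "examplecorp.com", "subject": "Q3 budget review"},
    {"from_domain": "vendor-invoices.example", "subject": "Invoice 1042"},
    {"from_domain": "examplecorp.com", "subject": "Board minutes"},
]


def normalize_digits(domain: str) -> str:
    """Replace substituted digits with the letters they imitate, lower-cased."""
    return "".join(DIGIT_TO_LETTER.get(ch, ch) for ch in domain.lower())


def is_numeric_lookalike(sender_domain: str, trusted_domains: List[str]) -> Optional[str]:
    """Return the trusted domain the sender imitates via digit substitution, or None.

    An exact match to a trusted domain is legitimate mail, not a lookalike, and a
    sender containing no digits cannot be a numeric-substitution lookalike."""
    sender = sender_domain.lower()
    trusted = [d.lower() for d in trusted_domains]
    if sender in trusted or not any(ch.isdigit() for ch in sender):
        return None
    normalized = normalize_digits(sender)
    for domain in trusted:
        if normalized == domain:
            return domain
    return None


def prior_contact_count(mail_log: List[dict], sender_domain: str) -> int:
    """Number of historical messages from sender_domain in the mail log."""
    sender = sender_domain.lower()
    return sum(1 for entry in mail_log if entry["from_domain"].lower() == sender)


def pressure_phrases_found(body: str) -> List[str]:
    """Return the BEC pressure phrases present in the message body, in list order."""
    text = body.lower()
    return [phrase for phrase in PRESSURE_PHRASES if phrase in text]


def triage(sender_domain: str, body: str, trusted_domains: List[str],
           mail_log: List[dict]) -> Tuple[str, List[str]]:
    """Collect the three evidence items used in this case and derive a verdict.

    The verdict is 'true_positive' only when the lookalike check fires; the other
    two items are supporting evidence, mirroring the ordering in the case's basis."""
    evidence = []
    imitated = is_numeric_lookalike(sender_domain, trusted_domains)
    if imitated:
        evidence.append(f"lookalike of {imitated} via numeric substitution")
    if prior_contact_count(mail_log, sender_domain) == 0:
        evidence.append("no historical communication from sender domain")
    phrases = pressure_phrases_found(body)
    if phrases:
        evidence.append("language pressure: " + ", ".join(phrases))
    verdict = "true_positive" if imitated else "needs_review"
    return verdict, evidence


if __name__ == "__main__":
    # Constructed message imitating the executive's domain with '1' in place of 'l'
    verdict, evidence = triage(
        "examp1ecorp.com",
        "This is urgent - please process the wire transfer immediately and keep it confidential.",
        ["examplecorp.com"],
        SAMPLE_MAIL_LOG,
    )
    print(verdict)
    for item in evidence:
        print(" -", item)
```

The lookalike check is deliberately narrow: it only catches the numeric-substitution variant this case records, so domains that differ by a transposed letter or an extra hyphen would need a separate check (for example an edit-distance comparison) before the same verdict logic could apply.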

Basis for Verdict

  • Verdict: true positive.
  • Primary basis: the lookalike domain used numeric substitution.
  • Supporting basis: the language pressure matched a prior BEC pattern.

Response Recommendations

  • Quarantine email samples with the same subject, sender, or URL.
  • Check whether users clicked or submitted credentials, and reset credentials as needed.

Reusable Patterns

  • Matched pattern: scenario:phishing, alert_type:mail_bec_impersonation
  • False-positive indicators: none
  • Variants to watch: related tags phishing, bec, executive-impersonation

Related Knowledge

Automatic Association Recommendations

Recommended Historical Cases

  • CASE-2026-0001 (case score=0.572) This directory contains a structured case report detailing a high-severity phishing incident targeting a finance user via a malicious invoic...
  • CASE-2026-0004 (case score=0.566) This directory contains a structured incident case report related to a phishing attack targeting a shared mailbox via a spoofed OneDrive not...

Recommended Knowledge Entries

  • PB-PHISH-001 (knowledge score=0.538) This directory contains a phishing email investigation playbook designed to standardize incident response procedures for suspicious emails, ...
  • KB-CRED-HARVEST-PATTERNS (knowledge score=0.522) This directory contains a structured knowledge base artifact focused on identifying and investigating credential harvesting campaigns, parti...
  • KB-PHISH-HEADER-CHECK (knowledge score=0.512) This directory contains a structured knowledge base document focused on validating phishing emails through detailed analysis of email header...

Lessons Learned

  • This case can serve as a quick-reference precedent for triaging similar alerts in the future.
  • If the same lure, a similar login pattern, or the same key evidence appears again, this case and its related knowledge should be recalled first.

Tags

  • #case
  • #scenario/phishing
  • #alert/mail_bec_impersonation
  • #verdict/true-positive
  • #phishing
  • #bec
  • #executive-impersonation