3.4 KiB
3.4 KiB
case_id, scenario, alert_type, severity, verdict, source, openviking_enriched
| case_id | scenario | alert_type | severity | verdict | source | openviking_enriched |
|---|---|---|---|---|---|---|
| CASE-2026-0004 | phishing | mail_suspicious_attachment | medium | true_positive | soc-memory-poc | true |
CASE-2026-0004 Shared mailbox received OneDrive lure with HTML attachment
基本信息
- Case ID: CASE-2026-0004
- 标题: Shared mailbox received OneDrive lure with HTML attachment
- 告警类型: mail_suspicious_attachment
- 来源系统: SOC Memory POC Mock Dataset
- 时间范围: 待补充
- 研判人 / Agent: AI Agent Draft
- 最终结论: 真报
- 严重等级: medium
告警摘要
Shared finance mailbox received a fake OneDrive notification with an HTML attachment that led to credential collection.
关键实体
- 用户: shared-finance@corp.example
- 主机: 无
- 邮箱: shared-finance@corp.example
- IP: 198.51.100.87
- 域名: sharepoint-notify.com
- 文件 Hash: sha256:phish0004
- 其他 IOC: https://onedrive-review-login.example, noreply@sharepoint-notify.com
关键证据
- Attachment rendered a fake Microsoft sign-in page.
- Landing page hosted outside Microsoft IP space.
- Mail body reused branding from previous phishing campaign.
研判过程摘要
- 确认告警场景与核心风险:Shared finance mailbox received a fake OneDrive notification with an HTML attachment that led to credential collection.
- 提取关键证据并交叉验证:Attachment rendered a fake Microsoft sign-in page.
- 对照关联 playbook / KB 复核告警模式与处置路径。
- 基于关键证据与场景模式完成结论判定:真报。
结论依据
- 结论为真报。
- 最关键依据:Attachment rendered a fake Microsoft sign-in page.
- 补充依据:Landing page hosted outside Microsoft IP space.
处置建议
- 隔离相同主题、发件人或 URL 的邮件样本。
- 核查用户是否点击或提交凭据,并按需执行凭据重置。
可复用模式
- 命中模式: scenario:phishing, alert_type:mail_suspicious_attachment
- 误报特征: 无
- 需关注的变体: 相关标签:phishing, email, onedrive-lure
关联知识
- 关联 Playbook: PB-PHISH-001
- 关联 KB: KB-CRED-HARVEST-PATTERNS
- 关联历史 Case: CASE-2026-0001, CASE-2026-0003
- 关联实体: shared-finance@corp.example
自动关联推荐
推荐历史 Case
- CASE-2026-0001 (case score=0.675) This directory contains a structured case report detailing a high-severity phishing incident targeting a finance user via a malicious invoic...
- CASE-2026-0003 (case score=0.606) This directory contains a structured incident report for a high-severity phishing attack involving executive impersonation, classified under...
推荐知识条目
- KB-CRED-HARVEST-PATTERNS (knowledge score=0.652) This directory contains a structured knowledge base artifact focused on identifying and investigating credential harvesting campaigns, parti...
- PB-PHISH-001 (knowledge score=0.608) This directory contains a phishing email investigation playbook designed to standardize incident response procedures for suspicious emails, ...
Lessons Learned
- 本案可沉淀为后续同类告警的快速判定参考。
- 若后续出现相同 lure、同类登录模式或相同关键证据,应优先联想本案与关联知识。
标签
- #case
- #scenario/phishing
- #alert/mail_suspicious_attachment
- #verdict/true-positive
- #phishing
- #onedrive-lure