Security Topic
Phishing Cases
Case-led analysis of suspicious routing behavior and detection signals.
Threat Focus
Method v1.2 · Reviewed 2026-02-10
Document and classify phishing attempts that exploit trust in known brand identifiers and routing habits.
Operating context: Case-led analysis helps convert one-off incidents into reusable detection rules and user guidance.
Active Signal Matrix
| Signal | Severity | Detection Source |
|---|---|---|
| Credential harvest forms on unofficial domains | critical | Form behavior inspection and sandbox capture |
| Redirect chains ending on credential prompts | high | Redirect trace crawler |
| URL patterns mimicking official path structures | high | Route similarity engine |
| Message payloads with forced urgency and reward bait | medium | Content classifier |
| Session token theft attempts via injected scripts | critical | Client telemetry and script signature checks |
Triage Workflow
1. Open incident with normalized URL and source channel.
2. Collect network behavior, redirects, and destination resources.
3. Classify incident type (credential, payment, session hijack).
4. Score impact by exposure volume and targeting precision.
5. Feed signatures back into prevention and alerting layers.
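The triage workflow above carried through in code, as an added Python example that is not the page's own tooling: it normalizes the URLs of a redirect trace, raises the signal matrix's redirect and path-mimicry signals, classifies the credential case, and emits every hop host as an indicator rather than only the landing URL. The brand hosts, official login path and sample redirect chain are constructed for the example.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit, urlunsplit

# Constructed reference data: the protected brand's legitimate hosts and login path.
OFFICIAL_HOSTS = {"login.example-bank.test", "www.example-bank.test"}
OFFICIAL_LOGIN_PATH = "/auth/login"

# Severity per signal, taken from the page's signal matrix.
SEVERITY = {
    "credential_form_on_unofficial_domain": "critical",
    "redirect_chain_ends_on_credential_prompt": "high",
    "path_mimics_official_structure": "high",
}
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def normalize_url(url):
    """Step 1: lowercase scheme and host, drop port, fragment and trailing slash."""
    p = urlsplit(url.strip())
    path = p.path.rstrip("/") or "/"
    return urlunsplit((p.scheme.lower(), (p.hostname or "").lower(), path, p.query, ""))

def path_similarity(path, reference):
    """Route similarity: 1.0 means the path matches the official structure exactly."""
    return SequenceMatcher(None, path, reference).ratio()

def triage(hops):
    """Steps 2-5. hops: ordered (url, has_password_field) pairs from a redirect trace."""
    chain = [normalize_url(url) for url, _ in hops]
    final = urlsplit(chain[-1])
    final_has_pw = hops[-1][1]
    off_brand = final.hostname not in OFFICIAL_HOSTS
    signals = []
    if final_has_pw and off_brand:
        signals.append("credential_form_on_unofficial_domain")
    if final_has_pw and len(chain) > 1:
        signals.append("redirect_chain_ends_on_credential_prompt")
    if off_brand and path_similarity(final.path, OFFICIAL_LOGIN_PATH) >= 0.8:
        signals.append("path_mimics_official_structure")
    incident_type = "credential" if final_has_pw and off_brand else "needs_review"
    severity = max((SEVERITY[s] for s in signals), key=RANK.__getitem__, default="low")
    # Block every hop host, not only the landing URL (see Common Mistakes below).
    iocs = sorted({urlsplit(u).hostname for u in chain})
    return {"type": incident_type, "severity": severity, "signals": signals, "iocs": iocs}

# Constructed redirect trace: a shortener hop landing on a look-alike login form.
SAMPLE_CHAIN = [("https://go.redirector.test/x7", False),
                ("http://secure-example-bank.test/auth/login/", True)]
```

The `has_password_field` flag stands in for the form behavior inspection the matrix lists as a detection source; a real pipeline would fill it from the sandbox capture of each hop.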
Verification Checklist
Full redirect chain capture
Form destination and data exfiltration behavior
Script and asset fingerprint extraction
Case linkage to prior campaigns
Risk scoring rationale with reviewer notes
Response Playbook
Block known IOC set (domains, hashes, scripts).
Issue case summary with user-safe behavior reminders.
Trigger support macro for potentially impacted users.
Escalate severe campaigns to high-priority monitoring mode.
Review and refine classifier thresholds post-incident.
Response SLA
Acknowledgment: < 20 minutes
Triage: < 90 minutes
Containment: < 4 hours
Public Notice: < 3 hours for credential-theft cases
Common Mistakes
Only blocking the landing URL and ignoring redirect assets.
Not preserving raw evidence before requesting takedown.
Using binary safe/unsafe labels without confidence context.