Catcher

Overview

Demo data mode: synthetic Catcher cases and notification events are being displayed.

Case Detail

INC-20260511-0007

Action required: password expires today

Triage

Verdict
malicious
Severity
high
Risk
87.5%
Confidence
high
Action
quarantine_or_block_sender
Status
analysis_completed
  • Header domain mismatch
  • Credential-harvest language
  • Lookalike sender domain

AI Summary

The message is likely credential phishing. The sender uses a Microsoft lookalike domain, DMARC failed, and the body asks the user to act before a password expiry deadline.

Advisory
yes
Status
ok
Classification
malicious
Model
demo-llm
Generated
2026-05-11T12:03:58Z
Action
quarantine_or_block_sender
  • Lookalike sender domain
  • Credential-harvest language
  • Auth failure across SPF/DKIM/DMARC

Manual Triage Summary

Confirmed malicious after checking the redirect chain and sender registration. Reporter should be notified after sender/domain blocking is complete.

Disposition
malicious_confirmed
Updated by
tier2.analyst@example.test
Updated
2026-05-11T12:10:44Z
Created
2026-05-11T12:07:20Z
  • Landing page redirected to a credential capture form
  • Sender domain is not owned by Microsoft or the tenant
  • SPF and DMARC failed on the reported message

Action Broker

Governed action state shown for analyst review before mutation approval.

Action path
securityfabric.action-broker -> catcher.notification/email-control
Approval tier
tier2_required
Execution mode
dry_run
Dispatch status
completed
Blocked reason
-
Result
notification_preview_ready

Dry-run vs mutation mode is controlled by dry_run and policy approval tier.

Closure evidence: preview_message_id: PREVIEW-20260511-0007, adapter_trace_id: AB-CATCHER-0007

Callback request/action IDs: tenant-dev/CORR-INC-20260511-0007/ABR-20260511-0007

Callback publish/ingest: published / ingested

Message

From
IT Helpdesk <it-support@micros0ft-login.example>
Sender domain
micros0ft-login.example
Reporter
alex.reporter@example.test
Reply-To
helpdesk-reset@example.net
Return-Path
bounce@bulk-sender.example
Message ID
<m365-report-0007@example.test>

Signals

SPF
fail
DKIM
none
DMARC
fail
Clickable URLs
3
Shorteners
1
Attachments
1
Attachment reputation
suspicious
Stego reviews
0
QR decoded
1
Containers
0
Lure theme
credential_or_mfa_collection
Platforms
forms_or_survey, security_wrapper, url_shortener
Objectives
credentials, mfa or otp
URL enrichment
completed_with_warnings
Domain enrichment
completed_with_warnings
Redirects
2
Final mismatch
1
Browser forms
1/1
Threat intel
completed
Intel matches
2

URL Enrichment

Status
completed_with_warnings
Attempted
3
Redirected
2
Max hops
2
Shorteners expanded
1
Blocked/errors
1/0
  1. bit.ly -> login.micros0ft-login.examplehops: 2

    https://login.micros0ft-login.example/reset

    Final domain mismatch

  2. 169.254.169.254 -> 169.254.169.254hops: 0

    http://169.254.169.254/latest/meta-data

    Blocked: metadata_ip_blocked

Evidence gaps: url_targets_blocked_for_safety, domain_private_resolution_blocked, browser_download_attempt_blocked, browser_form_submission_blocked

Browser Metadata

Items
1
Password / OTP
1/1
CAPTCHA/checks
1
Brand mismatch
1
Browser final mismatch
1
Blocked/errors
1/0
  1. bit.ly -> login.micros0ft-login.examplecompleted / hops: 2

    Title: Microsoft sign in

    Password form observed

    OTP/MFA field observed

    CAPTCHA or browser check observed

    Brand text/domain mismatch

    Download attempt blocked

    Blocked reasons: download_blocked, form_submission_blocked

Domain Infrastructure

Status
completed_with_warnings
Domains
4
DNS / TLS
4/2
New domains
1
Recent certs
1
Blocked/errors
1/0
  1. login.micros0ft-login.exampleIPs: 1 / TLS: checked

    Hosting: free_hosting / Reputation: low

    Recently issued TLS certificate

    Recently registered domain

    Suspicious hosting context

  2. 169.254.169.254IPs: 1 / TLS: not checked

    Hosting: - / Reputation: -

    Blocked: metadata_ip_blocked

Attachment Coverage

QR URLs
present
PDF QR URLs
none
PDF QR scan
unavailable
OCR login page
not detected
Disk image / LNK
0
Unsupported containers
0

Threat Intel

Status
completed
Matches
2
Malicious
1
Suspicious
1
Sources
2
  1. domain: micros0ft-login.examplehigh / 92% / SecurityFabric client-reported IOC rollup

    Lookalike Microsoft login domain observed in reported-message triage.

    Matched on header.from

    Recommended action: Block sender domain, search tenant mailboxes, and retain artifact evidence.

  2. url: https://bit.ly/m365-reviewmedium / 81% / Tenant reporter cluster

    Shortener leading into a credential-harvest redirect chain in the demo evidence set.

    Matched on email.url

    Recommended action: Expand and detonate URL before release; add destination host to watchlist.

Pipeline

Tenant
tenant-dev
Evidence ID
EVID-20260511-0007
Queue job
42
Run ID
20260511_115512_0000_EVID-20260511-0007
Closed by
-
Close reason
-
Closure note
-

Artifacts

report_ui_json
runs/tenant-dev/20260511_115512_0000_EVID-20260511-0007/artifacts/report_ui.json
evidence_json
runs/tenant-dev/20260511_115512_0000_EVID-20260511-0007/artifacts/evidence.json
score_debug_json
runs/tenant-dev/20260511_115512_0000_EVID-20260511-0007/artifacts/score.debug.json
report_md
runs/tenant-dev/20260511_115512_0000_EVID-20260511-0007/artifacts/report.md

Comments

  1. tier1.analyst@example.test2026-05-11T12:06:00Z

    Escalated because sender domain is a Microsoft lookalike and DMARC failed.

Notifications

  1. analysis_completed2026-05-11T12:04:49Z

    delivered to alex.reporter@example.test (202)

Edit Manual Summary

Add Comment

Close Case