Demo data mode: synthetic Catcher cases and notification events are being displayed.
Case Detail
INC-20260511-0007
Action required: password expires today
Triage
- Verdict
- malicious
- Severity
- high
- Risk
- 87.5%
- Confidence
- high
- Action
- quarantine_or_block_sender
- Status
- analysis_completed
- Header domain mismatch
- Credential-harvest language
- Lookalike sender domain
AI Summary
The message is likely credential phishing. The sender uses a Microsoft lookalike domain, DMARC failed, and the body asks the user to act before a password expiry deadline.
- Advisory
- yes
- Status
- ok
- Classification
- malicious
- Model
- demo-llm
- Generated
- 2026-05-11T12:03:58Z
- Action
- quarantine_or_block_sender
- Lookalike sender domain
- Credential-harvest language
- Auth failure across SPF/DKIM/DMARC
Manual Triage Summary
Confirmed malicious after checking the redirect chain and sender registration. Reporter should be notified after sender/domain blocking is complete.
- Disposition
- malicious_confirmed
- Updated by
- tier2.analyst@example.test
- Updated
- 2026-05-11T12:10:44Z
- Created
- 2026-05-11T12:07:20Z
- Landing page redirected to a credential capture form
- Sender domain is not owned by Microsoft or the tenant
- SPF and DMARC failed on the reported message
Action Broker
Governed action state shown for analyst review before mutation approval.
- Action path
- securityfabric.action-broker -> catcher.notification/email-control
- Approval tier
- tier2_required
- Execution mode
- dry_run
- Dispatch status
- completed
- Blocked reason
- -
- Result
- notification_preview_ready
Dry-run vs mutation mode is controlled by dry_run and policy approval tier.
Closure evidence: preview_message_id: PREVIEW-20260511-0007, adapter_trace_id: AB-CATCHER-0007
Callback request/action IDs: tenant-dev/CORR-INC-20260511-0007/ABR-20260511-0007
Callback publish/ingest: published / ingested
Message
- From
- IT Helpdesk <it-support@micros0ft-login.example>
- Sender domain
- micros0ft-login.example
- Reporter
- alex.reporter@example.test
- Reply-To
- helpdesk-reset@example.net
- Return-Path
- bounce@bulk-sender.example
- Message ID
- <m365-report-0007@example.test>
Signals
- SPF
- fail
- DKIM
- none
- DMARC
- fail
- Clickable URLs
- 3
- Shorteners
- 1
- Attachments
- 1
- Attachment reputation
- suspicious
- Stego reviews
- 0
- QR decoded
- 1
- Containers
- 0
- Lure theme
- credential_or_mfa_collection
- Platforms
- forms_or_survey, security_wrapper, url_shortener
- Objectives
- credentials, mfa or otp
- URL enrichment
- completed_with_warnings
- Domain enrichment
- completed_with_warnings
- Redirects
- 2
- Final mismatch
- 1
- Browser forms
- 1/1
- Threat intel
- completed
- Intel matches
- 2
URL Enrichment
- Status
- completed_with_warnings
- Attempted
- 3
- Redirected
- 2
- Max hops
- 2
- Shorteners expanded
- 1
- Blocked/errors
- 1/0
- bit.ly -> login.micros0ft-login.examplehops: 2
https://login.micros0ft-login.example/reset
Final domain mismatch
- 169.254.169.254 -> 169.254.169.254hops: 0
http://169.254.169.254/latest/meta-data
Blocked: metadata_ip_blocked
Evidence gaps: url_targets_blocked_for_safety, domain_private_resolution_blocked, browser_download_attempt_blocked, browser_form_submission_blocked
Browser Metadata
- Items
- 1
- Password / OTP
- 1/1
- CAPTCHA/checks
- 1
- Brand mismatch
- 1
- Browser final mismatch
- 1
- Blocked/errors
- 1/0
- bit.ly -> login.micros0ft-login.examplecompleted / hops: 2
Title: Microsoft sign in
Password form observed
OTP/MFA field observed
CAPTCHA or browser check observed
Brand text/domain mismatch
Download attempt blocked
Blocked reasons: download_blocked, form_submission_blocked
Domain Infrastructure
- Status
- completed_with_warnings
- Domains
- 4
- DNS / TLS
- 4/2
- New domains
- 1
- Recent certs
- 1
- Blocked/errors
- 1/0
- login.micros0ft-login.exampleIPs: 1 / TLS: checked
Hosting: free_hosting / Reputation: low
Recently issued TLS certificate
Recently registered domain
Suspicious hosting context
- 169.254.169.254IPs: 1 / TLS: not checked
Hosting: - / Reputation: -
Blocked: metadata_ip_blocked
Attachment Coverage
- QR URLs
- present
- PDF QR URLs
- none
- PDF QR scan
- unavailable
- OCR login page
- not detected
- Disk image / LNK
- 0
- Unsupported containers
- 0
Threat Intel
- Status
- completed
- Matches
- 2
- Malicious
- 1
- Suspicious
- 1
- Sources
- 2
- domain: micros0ft-login.examplehigh / 92% / SecurityFabric client-reported IOC rollup
Lookalike Microsoft login domain observed in reported-message triage.
Matched on header.from
Recommended action: Block sender domain, search tenant mailboxes, and retain artifact evidence.
- url: https://bit.ly/m365-reviewmedium / 81% / Tenant reporter cluster
Shortener leading into a credential-harvest redirect chain in the demo evidence set.
Matched on email.url
Recommended action: Expand and detonate URL before release; add destination host to watchlist.
Pipeline
- Tenant
- tenant-dev
- Evidence ID
- EVID-20260511-0007
- Queue job
- 42
- Run ID
- 20260511_115512_0000_EVID-20260511-0007
- Closed by
- -
- Close reason
- -
- Closure note
- -
Artifacts
- report_ui_json
- runs/tenant-dev/20260511_115512_0000_EVID-20260511-0007/artifacts/report_ui.json
- evidence_json
- runs/tenant-dev/20260511_115512_0000_EVID-20260511-0007/artifacts/evidence.json
- score_debug_json
- runs/tenant-dev/20260511_115512_0000_EVID-20260511-0007/artifacts/score.debug.json
- report_md
- runs/tenant-dev/20260511_115512_0000_EVID-20260511-0007/artifacts/report.md
Comments
- tier1.analyst@example.test2026-05-11T12:06:00Z
Escalated because sender domain is a Microsoft lookalike and DMARC failed.
Notifications
- analysis_completed2026-05-11T12:04:49Z
delivered to alex.reporter@example.test (202)