Operations
Case Workbench
Operations
Case Workbench
Security Operations
Cases
Live phish triage queue for reported-message review and analyst follow-up.
Case Queue
Triage, closure, message, reporter, signal, and run context for current cases.
| Case | State | Closure Notes | Verdict / Risk | Message | Reporter / Source | Auth | URLs | Attachments | Reasons / Error | Pipeline |
|---|---|---|---|---|---|---|---|---|---|---|
| INC-20260511-0007 EVID-20260511-0007 age: 54d | analysis_completed open | Open | malicious high/ 87.5% confidence: high action: quarantine_or_block_sender | Action required: password expires today IT Helpdesk <it-support@micros0ft-login.example> micros0ft-login.example | alex.reporter@example.test phish-report@example.test <m365-report-0007@example.test> | SPF: failDKIM: noneDMARC: fail rollup: failed | Clickable: 3 Resource: 2 Domains: 2 Short/IDN/IP: 1/1/0 Platform: forms_or_survey, security_wrapper, url_shortener Redirects: 2 · mismatch 1 Infra new/cert/blocked: 1/1/1 Browser form/checks: 1/1 | Count: 1 Reputation: suspicious Masq/Stego: 0/0 | Header domain mismatch; Credential-harvest language; Lookalike sender domain | 20260511_115512_0000_EVID-20260511-0007 queue: 42 2026-05-11T12:04:22Z |
| INC-20260511-0008 EVID-20260511-0008 age: 54d | analysis_completed closed | manual Legitimate vendor invoice from allowlisted sender. soc-analyst@example.test · 2026-05-11T12:19:10Z | benign low/ 8.5% confidence: high action: close_as_benign | Invoice INV-44821 for April services Contoso Billing <billing@contoso.example> contoso.example | maria.sales@example.test phish-report@example.test <m365-report-0008@example.test> | SPF: passDKIM: passDMARC: pass rollup: passed | Clickable: 0 Resource: 0 Domains: 0 Short/IDN/IP: 0/0/0 Platform: - Redirects: 0 · mismatch 0 Infra new/cert/blocked: 0/0/0 Browser form/checks: 0/0 | Count: 1 Reputation: clean Masq/Stego: 0/0 | SPF/DKIM/DMARC passed; Known vendor domain; No suspicious URLs | 20260511_121001_0000_EVID-20260511-0008 queue: 43 2026-05-11T12:19:10Z |
| INC-20260511-0009 EVID-20260511-0009 age: 54d | analysis_running open | Open | spam medium/ 41.2% confidence: medium action: route_to_spam | Limited time renewal discount Newsletter <promo@mailer.example> mailer.example | sam.finance@example.test phish-report@example.test <m365-report-0009@example.test> | SPF: passDKIM: passDMARC: none rollup: mixed | Clickable: 7 Resource: 14 Domains: 3 Short/IDN/IP: 0/0/0 Platform: - Redirects: - · mismatch - Infra new/cert/blocked: -/-/- Browser form/checks: -/- | Count: 0 Reputation: clean Masq/Stego: 0/0 | Bulk marketing footer; List-Unsubscribe present; Link-heavy message | 20260511_122407_0000_EVID-20260511-0009 queue: 44 2026-05-11T12:29:12Z |
| INC-20260511-0010 EVID-20260511-0010 age: 54d | analysis_failed open | Open | unknown critical/ 93.4% confidence: low action: manual_review | Updated employee handbook attached HR Shared Drive <hr-docs@sharepoint-files.example> sharepoint-files.example | nora.hr@example.test phish-report@example.test <m365-report-0010@example.test> | SPF: softfailDKIM: noneDMARC: fail rollup: failed | Clickable: 2 Resource: 3 Domains: 2 Short/IDN/IP: 0/0/1 Platform: - Redirects: - · mismatch - Infra new/cert/blocked: -/-/- Browser form/checks: -/- | Count: 2 Reputation: malicious Masq/Stego: 1/1 | Attachment masquerade detected; DMARC failed; PDF JavaScript flag present LLM endpoint timeout after deterministic scoring; manual review required. | 20260511_123900_0000_EVID-20260511-0010 queue: 45 2026-05-11T12:44:31Z |
| INC-20260511-0011 EVID-20260511-0011 age: 54d | queued_for_analysis open | Open | pending low/ - confidence: pending action: pending_analysis | Shared voicemail transcription Voice Mail <voicemail@pbx.example> pbx.example | devon.it@example.test phish-report@example.test <m365-report-0011@example.test> | SPF: -DKIM: -DMARC: - rollup: pending | Clickable: 0 Resource: 0 Domains: 0 Short/IDN/IP: 0/0/0 Platform: - Redirects: - · mismatch - Infra new/cert/blocked: -/-/- Browser form/checks: -/- | Count: 1 Reputation: pending Masq/Stego: 0/0 | No reasons yet | - queue: 46 2026-05-11T12:52:00Z |
| INC-20260511-0012 EVID-20260511-0012 age: 54d | analysis_completed closed | automatic Closed by policy action: close_as_benign policy:auto-close · 2026-05-11T13:04:10Z | benign low/ 3.5% confidence: high action: close_as_benign | Team lunch reminder Office Ops <office.ops@example.test> example.test | li.ops@example.test phish-report@example.test <m365-report-0012@example.test> | SPF: passDKIM: passDMARC: pass rollup: passed | Clickable: 0 Resource: 0 Domains: 0 Short/IDN/IP: 0/0/0 Platform: - Redirects: - · mismatch - Infra new/cert/blocked: -/-/- Browser form/checks: -/- | Count: 0 Reputation: clean Masq/Stego: 0/0 | All authentication passed; Internal sender; No URLs or attachments | 20260511_125900_0000_EVID-20260511-0012 queue: 47 2026-05-11T13:04:10Z |