INC-2026-0418
CRITICAL
Suspected hands-on-keyboard intrusion via finance phishing
Status · investigating · Owner · you · Opened · 6/27/2026, 6:30:11 AM · Alerts · 5 · Entities · 11
Copilot narrative · verdict: true positive · 87%
Phishing email to m.kowalski → click on invoice-portal-corp[.]co → encoded PowerShell stager → Cobalt Strike beacon to Tor exit → svc_backup lateral RDP to DC-EU-01. Strong kill-chain coherence; verdict: true positive, contain immediately.
- T1566.002 · Spearphishing Link / Initial Access
- T1059.001 · PowerShell / Execution
- T1021.001 · Remote Desktop Protocol / Lateral Movement
- T1098.001 · Additional Cloud Credentials / Persistence
OCSF timeline (normalized)
- 05:55 AM · cls 1001 · HIGH · File Modified (File System Activity) · Falco · LIN-SSHKEY-PERSIST-01 · OCSF-ALT-48165-1001 · device.hostname=lnx-pay-03
- 06:12 AM · cls 4001 · MEDIUM · Connection Established (Network Activity) · Corelight Zeek · NET-TOR-EGRESS-01 · OCSF-ALT-48170-4001 · src_endpoint.hostname=WIN-FIN-0142
- 06:30 AM · cls 4009 · HIGH · URL Clicked (Email Activity) · Proofpoint TAP · EMAIL-LINK-CLICKED-01 · OCSF-ALT-48177-4009 · actor.user.email_addr=m.kowalski@corp.io · url.hostname=invoice-portal-corp.co
- 07:20 AM · cls 3002 · CRITICAL · Interactive Logon (Authentication) · Microsoft Defender for Identity · LAT-RDP-DC-01 · OCSF-ALT-48188-3002 · actor.user.name=svc_backup · src_endpoint.hostname=WIN-FIN-0142 · dst_endpoint.hostname=DC-EU-01
- 08:14 AM · cls 1007 · CRITICAL · Process Launched (Process Activity) · CrowdStrike Falcon · EDR-PS-ENCODED-CMD-01 · OCSF-ALT-48201-1007 · device.hostname=WIN-FIN-0142 · actor.user.name=m.kowalski · process.cmd_line=powershell.exe -enc JABzAD0ATgBlAHcALQBPAGIA... · process.file.hash.sha256=a3f9c8e1b4d2065f9b1e0a4cd91f3e7a82b50d4e6c11f9bda2c84e5fb9f8c21e