northwind-phishing-campaign — two-wave credential lure
Northwind Manufacturing AP clerk targeted by Microsoft 365 + Apple ID phishing waves with URL shorteners, MIME-mismatch attachment, and obfuscated kit JavaScript. Fully synthetic.
what this proves
- all eight phishing-campaign primary engines produce deterministic, fixture-locked output — verified by npm run check:flagship (280/280 fleet · 8 for this scenario).
- every output is generated 100% locally in your browser — save .eml, never forward.
- two-wave lure indicators — spf/dmarc failures, shortener chains, mime-mismatch attachment, and obfuscated kit javascript — surface without uploading evidence.
build the case binder
runs all eight primary engines on the synthetic evidence zip and opens a self-contained html binder. uses the default binder renderer for phishing-campaign — no upload.
download the synthetic evidence
MIT-licensed, fully synthetic. includes two-wave .eml set, shortener chain input, lookalike domain list, mixed ioc feed, and obfuscated kit javascript.
built deterministically from scripts/fixtures/build-northwind-phishing-campaign.mjs. seed: northwind-phishing-campaign:v1.
methodology
phishing campaigns are multi-wave — save every .eml first, then walk header analyzer → url extractor → attachment scanner → url unshortener → domain reputation → ioc extractor → ioc deduplicator → javascript deobfuscator. kit fingerprinting confirms the same actor even when domains rotate. read the full phishing campaign investigation guide →
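the first three stages of that walk (header analyzer, url extractor, attachment scanner) on one saved .eml, as an added example that is not part of the fatcousin tooling: it reads Authentication-Results for spf/dkim/dmarc failures, pulls URLs out of every part, flags shortener hosts, and compares each attachment's declared MIME type with its leading bytes. the message below is constructed for the example, shaped like the wave-one Microsoft 365 lure; the shortener list and magic-byte table are assumptions, and nothing is fetched from the network.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}  # assumption: common shortener hosts
MAGIC = [(b"%pdf", "application/pdf"), (b"pk\x03\x04", "application/zip"),
         (b"mz", "application/x-dosexec"), (b"<html", "text/html"), (b"<!doctype", "text/html")]
# Constructed sample .eml in the shape of the wave-one Microsoft 365 lure; not fixture evidence.
SAMPLE_EML = b"""\
Authentication-Results: mx.northwind.test; spf=fail smtp.mailfrom=bill@m365-notice.test; dmarc=fail header.from=microsoft.com
From: "Microsoft 365" <billing@microsoft.com>
Subject: Action required: invoice on hold
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Review the held invoice at https://bit.ly/3xAbCd before it expires.
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"

<html><script>document.location="https://bit.ly/3yDeFg"</script></html>
--b1--
"""

def sniff(data: bytes) -> str:
    # Type implied by the leading bytes (case-folded), or 'unknown' when no magic matches.
    head = data.lstrip()[:8].lower()
    return next((mime for magic, mime in MAGIC if head.startswith(magic)), "unknown")

def triage(raw: bytes) -> dict:
    """Offline first pass over one .eml: auth failures, URLs, shortener hosts, MIME mismatches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = msg.get("Authentication-Results", "")
    failures = sorted(k for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth) if v != "pass")
    urls, attachments = set(), []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        urls.update(u.decode("ascii", "replace") for u in re.findall(rb"https?://[^\s\"'<>]+", payload))
        if part.get_filename():  # only named attachments get the magic-byte check
            declared, actual = part.get_content_type(), sniff(payload)
            attachments.append({"name": part.get_filename(), "declared": declared, "sniffed": actual,
                                "mismatch": actual not in ("unknown", declared)})
    urls = sorted(urls)
    shortened = [u for u in urls if (urlsplit(u).hostname or "") in SHORTENERS]
    return {"auth_failures": failures, "urls": urls, "shortened": shortened, "attachments": attachments}
```

the shortened list is the hand-off to the url unshortener stage; the mismatch flag is what the attachment scanner surfaces when a "pdf" is really html.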
after the playbook
run each primary locally — or export findings from the binder — then drop every csv/json into fatcousin-multi-tool-super-timeline-correlator. one timestamp-sorted timeline across wave-one M365 lure, wave-two Apple ID kit, and shared IOC linkage — still zero upload.