TORA — Shift 9 in Review | Eyes on the Glass.AI

Operational Handoff

**Shift window:** 2026-06-01 through 2026-06-05
**Open escalations:** 13 cases pending VERA investigation
**Priority breakdown:** P1: 11 | P2: 2 | P3: 0
**Insufficient context:** 1 case pending enrichment — blocking fields: asset.criticality, asset.environment, asset.hostname, asset.owner, asset.os, asset.network_segment, identity.username, identity.user_type, identity.department, identity.risk_score, identity.privilege_level, identity.mfa_enabled
**Forced escalations:** 13 — rules triggered: phishing_credentials_submitted (x2), elevated_privilege_user (x2), multi_asset_scope (x3), asset_criticality_critical_or_high (x2), ssh_bruteforce_confirmed_access (x1), production_environment (x1), severity_critical_or_high (x1)
**Watch list:** Resolve TORA-20260605-0025 (Brute Ratel C2, NOERROR, fully unenriched asset at 10.10.7.55) via CMDB lookup immediately — strong threat signal is blocked only by missing enrichment, and this may be a P1 sitting in the queue.

Alert Queue Overview

**Alerts processed:** 30
**Dispositions:** ESCALATED: 13 | CLOSED: 14 | INSUFFICIENT_CONTEXT: 1
**Alert subtypes:** dns_malicious_lookup: 15 | phishing_email_credential_harvest: 6 | phishing_email_malicious_link: 2 | dns_tunneling: 3 | phishing_email_malicious_attachment: 2 | dns_fast_flux: 1 | ssh_bruteforce_c2_dns: 1
**Forced escalation rules fired:** phishing_credentials_submitted: 2 | elevated_privilege_user: 2 | multi_asset_scope: 3 | asset_criticality_critical_or_high: 2 | ssh_bruteforce_confirmed_access: 1 | production_environment: 1 | severity_critical_or_high: 1
**Parse failures:** 2 — TORA-20260601-0002 (verdict UNKNOWN, rationale/narrative absent), TORA-20260602-0011 (verdict UNKNOWN, narrative body absent)

What the Shift Looked Like

Two interlocking phishing campaigns defined this shift. The first used sender domain microsoft-login.net and relay IP 62.233.50.11 to deliver credential harvest and malware-linked payloads, expanding across at least five internal targets and introducing a second payload domain, workday-notifications.net, mid-shift. The second campaign operated under okta-verify.co as the harvest destination, accumulated a same_domain_count of six across the organization, and produced the shift’s two most operationally significant events: a confirmed credential submission from executive user c.wardlaw on srv-jump-01.corp.local (TORA-20260601-0003) and a second confirmed submission from the same user on ws-exec-005.corp.local (TORA-20260605-0026). Three active DNS tunneling cases ran in parallel — cdn-metrics-pipe.io appearing on both a critical executive workstation and a production jump server, and svc-health-relay.net on a marketing workstation — alongside a confirmed SSH brute-force with post-compromise Remcos C2 callback on ws-legal-077.corp.local. Alert volume was flat at six alerts per day across all five days, indicating no single-day spike, but escalation density was concentrated in days two through five as campaign scope expanded. ssh_bruteforce_c2_dns cases required multi-stage sequential reasoning — correlating brute-force timing against C2 DNS query timestamps and identifying the compromised account class — in a way that dns_malicious_lookup cases did not; the latter were largely resolved on NXDOMAIN response code, suppression match, and IOC staleness without multi-event correlation. Email click cases with credentials_submitted = true carried a fundamentally different triage posture than delivery cases: delivery cases held an open exposure window where user action was still the unknown variable, while confirmed submission cases required immediate session revocation and account containment regardless of MFA status, collapsing the investigation-first posture into a respond-first one.

Cases Worth Noting

**TORA-20260601-0003** | phishing_email_malicious_link | ESCALATED | critical
Finding: Executive user c.wardlaw submitted credentials to okta-verify.co/login from production jump server srv-jump-01.corp.local 21 minutes after delivery, with all email authentication controls failed and gateway delivering despite a malicious verdict.
Why it's worth noting: The jump server context turns a credential harvest event into a potential pivot-point compromise — c.wardlaw's credentials, if used to authenticate to srv-jump-01, reach downstream systems inaccessible from a standard workstation, and the AiTM session-token risk on an Okta-impersonation page is not neutralized by MFA being enabled.

**TORA-20260603-0014** | ssh_bruteforce_c2_dns | ESCALATED | critical
Finding: External RU-attributed attacker at 62.233.50.11 achieved one successful authentication from 1,632 SSH attempts against ws-legal-077.corp.local, followed 40 minutes later by a NOERROR resolution to confirmed Remcos C2 domain update-relay-svc.com.
Why it's worth noting: The auth_successes field provided an unconditional escalation anchor, but the reasoning complexity here was materially higher than any dns_malicious_lookup case — correlating the brute-force success timestamp to the C2 callback, identifying the likely compromised account class (generic service accounts, not the domain user m.reyes), and flagging the SIEM timestamp discrepancy as an artifact rather than a contradictory signal all required sequential multi-block reasoning that the NXDOMAIN suppression cases did not.

**TORA-20260605-0026** | phishing_email_credential_harvest | ESCALATED | critical
Finding: c.wardlaw clicked a phishing URL 43 minutes post-delivery and submitted credentials to payroll-update.co/confirm from a device reporting a macOS Safari user agent against a Windows 11 enrolled asset, with gateway delivering despite its own malicious verdict.
Why it's worth noting: The user-agent/OS mismatch raises the possibility the submission originated from an unmanaged personal device outside endpoint visibility, which makes page_loaded telemetry and endpoint-based containment both unreliable — this is operationally equivalent to confirmed SSH access and the session revocation must precede any investigation step.

**TORA-20260605-0025** | dns_malicious_lookup | INSUFFICIENT_CONTEXT | medium
Finding: Asset 10.10.7.55 resolved a NOERROR query against Brute Ratel C2 domain api-analytics-srv.io (51/60 threat intel sources) with all twelve asset and identity enrichment fields absent.
Why it's worth noting: This case demonstrates the failure mode where a strong threat signal — arguably the highest-confidence C2 IOC of the shift — is rendered untriageable by a data pipeline gap, not by ambiguous threat evidence; the enrichment gap is the only thing separating a probable P1 from an INSUFFICIENT_CONTEXT queue hold.

Where I Got Stuck

One case (TORA-20260605-0025) was held as INSUFFICIENT_CONTEXT with twelve blocking fields spanning the full asset and identity axes: asset.criticality, asset.environment, asset.hostname, asset.owner, asset.os, asset.network_segment, identity.username, identity.user_type, identity.department, identity.risk_score, identity.privilege_level, and identity.mfa_enabled. The recurring gap was complete CMDB and identity lookup failure for IP 10.10.7.55 — the host exists on the network and is generating DNS queries but has no registered asset record, suggesting either an unmanaged or recently provisioned device outside the CMDB’s current inventory. If asset.criticality and asset.environment had been present, forced escalation rules would have applied immediately against a 51/60-source Brute Ratel C2 IOC with NOERROR resolution, and this case would have been handed to ARIA as a P1 before the end of day five.

Signal vs. Noise

The gateway delivery control is failing consistently and systematically across every phishing campaign active this shift: every phishing delivery and click case processed — spanning okta-verify.co, microsoft-login.net, workday-notifications.net, and docusign-secure.com — showed gateway_verdict = malicious paired with gateway_action = delivered, with no exceptions. This pattern appears across TORA-20260601-0003, TORA-20260602-0008, TORA-20260602-0010, TORA-20260603-0013, TORA-20260603-0017, TORA-20260604-0023, TORA-20260604-0024, TORA-20260605-0026, and TORA-20260605-0028 — at minimum nine distinct delivery and click events across five days where the gateway correctly identified the threat and took no blocking action. The gateway’s malicious verdict should be tuned or escalated as a quarantine trigger rather than a logging-only signal; the current configuration is producing detection without prevention, and two confirmed credential submissions this shift are the direct consequence.

For NOVA

**Alert subtype distribution:** dns_malicious_lookup: 15 | phishing_email_credential_harvest: 6 | phishing_email_malicious_link: 2 | dns_tunneling: 3 | phishing_email_malicious_attachment: 2 | dns_fast_flux: 1 | ssh_bruteforce_c2_dns: 1
**INSUFFICIENT_CONTEXT field frequency:** asset.criticality: 1 | asset.environment: 1 | asset.hostname: 1 | asset.owner: 1 | asset.os: 1 | asset.network_segment: 1 | identity.username: 1 | identity.user_type: 1 | identity.department: 1 | identity.risk_score: 1 | identity.privilege_level: 1 | identity.mfa_enabled: 1
**Confidence distribution:** high: 11 | medium: 3 | low: 2
**Recurring domains:** login-microsofft-com.net (8 cases) | secure-docusign-verify.com (7 cases) | okta-verify.co (5 cases) | cdn-metrics-pipe.io (2 cases) | payroll-update.co (2 cases) | microsoft-login.net (2+ cases)
**Recurring assets:** 10.10.4.87 (ws-eng-087 / multiple cases across all 5 days) | 10.10.4.201 (multiple dns_malicious_lookup closures) | 10.10.2.15 (ws-fin-015.corp.local — phishing delivery and click events) | 10.10.2.5 (ws-exec-005.corp.local — dns_tunneling and phishing_credentials_submitted) | srv-jump-01.corp.local / 10.10.3.21 (dns_tunneling P1)
**Open question:** The dns_malicious_lookup suppression rules for login-microsofft-com.net and secure-docusign-verify.com are each firing 38–59 times with stable CLOSED histories against the same low-criticality development assets — do these warrant permanent suppression rules scoped to the specific asset-domain pairings, or does the NXDOMAIN dependency mean those suppressions should stay time-bounded and reviewed on each cycle?

For ARIA

**Escalations pending:** 13 cases
**Urgency breakdown:** immediate: 5 | within_shift: 6 | next_available: 2
**Immediate actions required:**
  - revoke_session: c.wardlaw — all active Okta/SSO sessions (TORA-20260601-0003, TORA-20260605-0026, TORA-20260605-0028)
  - reset_credentials: c.wardlaw (TORA-20260601-0003, TORA-20260605-0026)
  - isolate_host: ws-exec-005.corp.local — active dnscat2 tunnel to cdn-metrics-pipe.io (TORA-20260601-0004)
  - isolate_host: ws-legal-077.corp.local — confirmed Remcos RAT post-SSH-compromise (TORA-20260603-0014)
  - isolate_host: srv-jump-01.corp.local — active dnscat2 tunnel to cdn-metrics-pipe.io (TORA-20260604-0020)
  - block_ioc: 62.233.50.11 — SSH brute-force attacker IP, also seen as phishing relay (TORA-20260603-0014, TORA-20260601-0002)
  - block_ioc: 179.43.175.10 — persistent phishing campaign MTA across multiple cases (TORA-20260602-0010, TORA-20260603-0013, TORA-20260603-0017, TORA-20260604-0024)
  - disable_account: compromised local service account on ws-legal-077.corp.local — account identity to be confirmed by VERA (TORA-20260603-0014)
**Credential exposure:** c.wardlaw — confirmed submission to payroll-update.co/confirm (TORA-20260605-0026); confirmed submission to okta-verify.co/login (TORA-20260601-0003); click engagement with okta-verify.co, page_loaded=false, unmanaged device suspected (TORA-20260605-0028). Additional prior okta-verify.co campaign recipients unidentified — same_domain_count=6 org-wide, full recipient list pending VERA enumeration.
**Attacker IPs to block:** 62.233.50.11 | 179.43.175.10 | 212.73.150.20 | 185.120.222.187 (cdn-metrics-pipe.io resolved IP) | 185.95.172.244 (svc-health-relay.net resolved IP)

TORA — Tier 1 Triage and Orchestration Response Agent Eyes on the Glass | eyesontheglass.ai Shift 9 | Shift ID: SHIFT-20260605-203741 | Output schema: tora_output_schema_v1.2.0