
feat: build ai_voice_fraud.kql — AI voice deepfake fraud detection (T1598) #7

@TFT444

Description


📋 Overview

Implement a KQL rule to detect AI-generated voice deepfake fraud targeting retail finance teams. Attackers use AI voice cloning to impersonate executives or suppliers over VoIP, tricking staff into authorising fraudulent payments. This is an emerging TTP with growing retail impact in 2025.

🎯 Acceptance Criteria

  • File created at detection-rules/ai_voice_fraud.kql
  • Mapped to MITRE ATT&CK T1598 in rule metadata
  • Correlates VoIP/call log anomalies with subsequent high-value financial authorisation events
  • Flags calls from newly registered or spoofed numbers followed by transactions >£5,000
  • Integrates with telephony CDR and ERP/finance system log sources
  • Severity set to High
  • Unit test written in tests/detection-rules/test_kql_rules.py
  • Documentation updated in docs/mitre-mapping.md
  • PR reviewed and merged to dev

🔗 Related

  • MITRE Technique: T1598 — Phishing for Information
  • Related files: playbooks/phishing-triage.md, docs/threat-model.md
  • Dependencies: VoIP/telephony log connector and ERP connector configured in Sentinel
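A starting-point correlation for the rule described above, written here as an added example and not the repository's own detection-rules/ai_voice_fraud.kql. It assumes two custom Sentinel tables that the connectors in the dependency list would populate: TelephonyCDR_CL (one row per call, with caller number, called user, direction and a caller-ID verification flag) and FinanceAuthorisation_CL (one row per payment approval, with approver, amount and payee). Those table and column names, the 2-hour correlation window and the 30-day "known caller" baseline are assumptions; the >£5,000 threshold and the T1598 / High-severity metadata come from the acceptance criteria.

```kql
// Added example rule (assumed schema, not the project's own file).
// Technique: T1598 - Phishing for Information
// Severity: High
// Logic: an inbound call from a number that is either not caller-ID verified
//        or never seen in the prior 30 days, followed within 2h by a payment
//        authorisation over £5,000 approved by the person who took the call.
let lookback = 30d;          // baseline period for "known" caller numbers (assumed)
let call_to_auth_window = 2h; // max gap between the call and the approval (assumed)
let amount_threshold = 5000;  // GBP, from the acceptance criteria
// Numbers that called the organisation during the baseline period, excluding the last day.
let known_callers =
    TelephonyCDR_CL
    | where TimeGenerated between (ago(lookback) .. ago(1d))
    | where Direction_s == "inbound"
    | summarize by CallerNumber_s;
// Inbound calls in the last day that are unverified or from a previously unseen number.
let suspicious_calls =
    TelephonyCDR_CL
    | where TimeGenerated > ago(1d)
    | where Direction_s == "inbound"
    | where CallerIdVerified_b == false or CallerNumber_s !in (known_callers)
    | project CallTime = TimeGenerated,
              CallerNumber_s,
              CalleeUser_s,
              CallerIdVerified_b,
              CallDurationSeconds_d;
// High-value approvals, joined to a suspicious call taken by the same approver
// shortly before the approval.
FinanceAuthorisation_CL
| where TimeGenerated > ago(1d)
| where Amount_d > amount_threshold
| project AuthTime = TimeGenerated, Approver_s, Amount_d, Payee_s, TransactionId_s
| join kind=inner suspicious_calls on $left.Approver_s == $right.CalleeUser_s
| where AuthTime between (CallTime .. CallTime + call_to_auth_window)
| extend MinutesFromCallToApproval = datetime_diff("minute", AuthTime, CallTime)
| extend CallerReason = iff(CallerIdVerified_b == false,
                            "caller ID not verified",
                            "caller number not seen in prior 30 days")
| project AuthTime, Approver_s, Amount_d, Payee_s, TransactionId_s,
          CallTime, CallerNumber_s, CallDurationSeconds_d,
          MinutesFromCallToApproval, CallerReason
| order by AuthTime desc
```

Two things to check before promoting this to an analytic rule: whether the telephony connector actually exposes a caller-ID verification field (the CallerIdVerified_b column is assumed; if the platform only surfaces STIR/SHAKEN attestation or nothing at all, the "spoofed" branch collapses to the "unseen number" branch), and whether Approver_s and CalleeUser_s are in the same identity format, since the join silently produces no rows if one side is a UPN and the other a display name. Expect the unseen-number branch to be noisy in the first month while the baseline fills.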

📚 Resources
