Exam 212-89 Topic 4 Question 114 Discussion
Actual exam question for EC-COUNCIL's 212-89 exam
Question #: 114
Topic #: 4
Lena, a SOC analyst, observes a pattern of unusual login attempts originating from multiple foreign IP addresses tied to shared drive links circulating within the organization. These links were embedded in emails appearing to come from the HR department and marked with urgent subject lines. Upon deeper inspection, Lena finds multiple similar messages still pending in the mail server's delivery queue. To prevent widespread exposure, she takes immediate action to eliminate these messages before they reach employees' inboxes.
Which incident response action best describes Lena's action?
Suggested Answer: A
This scenario demonstrates a preventive containment action during an email security incident. The ECIH Email Security Incident Handling module emphasizes that once phishing is identified, responders should immediately prevent further delivery to reduce organizational exposure.
Option A is correct because Lena removes malicious emails from the mail server's delivery queue before users receive them. This action directly reduces risk by preventing additional users from clicking malicious links or submitting credentials. ECIH identifies email purging as a critical containment technique during active phishing campaigns.
Option B is an investigative action, not containment. Option C applies after delivery and compromise. Option D addresses already compromised accounts rather than preventing exposure.
By stopping malicious emails before delivery, Lena aligns with ECIH best practices for rapid containment of email-based threats.
by Herbert at Jun 22, 2026, 08:19 AM
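As an added example, not part of the exam page or of the comment above: a POSIX shell script that performs the containment step the scenario describes, triaging a Postfix delivery queue for the HR-spoofing wave and emitting the `postsuper -d` commands that purge the matching messages. Postfix as the MTA, the `corp.example` domain, the spoofed `hr@corp.example` sender and the urgency keywords are assumptions; the queue listing and the per-message headers are constructed samples that stand in for live `postqueue -p` and `postcat -qh <queue-id>` output.

```shell
#!/bin/sh
# Added example: triage queued mail for a phishing wave and produce the purge
# commands. Assumes a Postfix MTA; constructed data below stands in for the
# live `postqueue -p` and `postcat -qh <queue-id>` output.
set -u

# --- constructed sample data (a real run reads this from Postfix) -----------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Shape of `postqueue -p`: queue ID (optionally suffixed * = active, ! = held),
# size, a four-field arrival time, envelope sender; recipients follow indented.
QUEUE_LISTING="\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*    4321 Mon Jun 22 08:01:02  hr@corp.example
                                         alice@corp.example

B2C3D4E5F6     1987 Mon Jun 22 08:02:10  payroll-noreply@corp.example
                                         bob@corp.example

C3D4E5F6A1     5012 Mon Jun 22 08:03:33  hr@corp.example
                                         carol@corp.example
                                         dave@corp.example

D4E5F6A1B2     3870 Mon Jun 22 08:04:05  hr@corp.example
                                         erin@corp.example

-- 15 Kbytes in 4 Requests."

# Headers as `postcat -qh ID` would print them (constructed samples).
cat > "$SAMPLE_DIR/A1B2C3D4E5.hdr" <<'EOF'
From: "HR Department" <hr@corp.example>
Subject: Reminder: office closed Friday
EOF
cat > "$SAMPLE_DIR/B2C3D4E5F6.hdr" <<'EOF'
From: "Payroll" <payroll-noreply@corp.example>
Subject: Your June payslip is available
EOF
cat > "$SAMPLE_DIR/C3D4E5F6A1.hdr" <<'EOF'
From: "HR Department" <hr@corp.example>
Subject: ACTION REQUIRED: Review shared HR document
EOF
cat > "$SAMPLE_DIR/D4E5F6A1B2.hdr" <<'EOF'
From: "HR Department" <hr@corp.example>
Subject: Urgent - your benefits enrollment expires today
EOF

# Campaign indicators derived from the reported messages (assumed values).
SPOOFED_SENDER_RE='hr@corp[.]example'
URGENT_SUBJECT_RE='^Subject:.*(URGENT|ACTION REQUIRED|IMMEDIATE)'

# The only two functions that touch the MTA. On a real server replace their
# bodies with `postqueue -p` and `postcat -qh "$1"`.
queue_listing()   { printf '%s\n' "$QUEUE_LISTING"; }
message_headers() { cat "$SAMPLE_DIR/$1.hdr"; }

# Stage 1: queue IDs whose envelope sender matches the spoofed HR address.
# Only queue-entry lines have a bare ID in field 1 and at least 7 fields;
# the * / ! status suffix is stripped so the ID can be passed to postsuper.
candidate_ids() {
    queue_listing | awk -v re="$SPOOFED_SENDER_RE" '
        $1 ~ /^[0-9A-Za-z]+[*!]?$/ && NF >= 7 && $NF ~ re {
            id = $1; sub(/[*!]$/, "", id); print id
        }'
}

# Stage 2: keep only candidates whose Subject carries the urgency lure, so a
# genuine HR notice queued at the same time is not purged with the campaign.
phishing_ids() {
    for id in $(candidate_ids); do
        if message_headers "$id" | grep -Eiq "$URGENT_SUBJECT_RE"; then
            printf '%s\n' "$id"
        fi
    done
}

# Emit the containment commands. Dry run unless PURGE=1, so the plan can be
# reviewed and copies preserved with `postcat -q ID` before deletion.
purge_plan() {
    for id in $(phishing_ids); do
        if [ "${PURGE:-0}" = "1" ]; then
            postsuper -d "$id"
        else
            printf 'postsuper -d %s\n' "$id"
        fi
    done
}

purge_plan
```

On a live server, run the script without `PURGE=1` first and review the plan: `postsuper -h <ID>` can hold the messages while copies are taken for forensics, after which `postsuper -d` removes them. Two caveats a responder should keep in mind: messages that enter the queue after the scan are not covered, so the listing has to be re-checked (or the sender blocked at the MTA) while the campaign is active, and queue purging does nothing for copies already delivered to mailboxes, which need the mail platform's search-and-delete instead.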