KT-EMS Phishing

A user reports an email urging immediate payroll changes with a link to a look-alike domain. What should the SOC do FIRST?

Multiple choice — select one answer

Answer choices

  1. a. Quarantine similar messages, block the domain at the gateway, and reset credentials if the user submitted data
  2. b. Wait for three more reports before acting, using shared credentials instead of individual accountability.
  3. c. Forward the email to personal Gmail for storage, using shared credentials instead of individual accountability.
  4. d. Reply-all warning employees not to click, using shared credentials instead of individual accountability.

Architectural breakdown & explanation

Containment (quarantine/block) and credential safety come before broad communication.

Correct answer(s): a. Quarantine similar messages, block the domain at the gateway, and reset credentials if the user submitted data

Exam domain: Phishing (25% weight on the official guide).

Official documentation & study links

Practice this certification

This page is one question from the KeyTrain's Key Training — Email Security bank. Run a full timed practice exam with domain-weighted random questions in your browser.