CompTIA Security+ (SY0-501) — Question 866

Security administrators attempted corrective action after a phishing attack. Users are still experiencing trouble logging in, as well as an increase in account lockouts. Users' email contacts are complaining of an increase in spam and social networking requests. Due to the large number of affected accounts, remediation must be accomplished quickly.
Which of the following actions should be taken FIRST? (Choose two.)

Answer options

• A. Disable the compromised accounts
• B. Update WAF rules to block social networks
• C. Remove the compromised accounts with all AD groups
• D. Change the compromised accounts' passwords
• E. Disable the open relay on the email server
• F. Enable sender policy framework

Correct answer: E, F

Explanation

The correct actions are E and F because disabling the open relay on the email server prevents further abuse and spam, while enabling sender policy framework helps to authenticate email sources and reduce spam. The other options, such as disabling or removing accounts, while important, do not provide immediate relief for the ongoing spam and account issues.