Last Updated on August 6, 2021 by Admin 2
During an investigation, an analyst discovers the following rule in an executive’s email client:
IF * TO <executive@anycompany.com> THEN mailto: <someaddress@domain.com> SELECT FROM ‘sent’ THEN DELETE FROM <executive@anycompany.com>
The executive is not aware of this rule. Which of the following should the analyst do FIRST to evaluate the potential impact of this security incident?
- Check the server logs to evaluate which emails were sent to <someaddress@domain.com>
- Use the SIEM to correlate logging events from the email server and the domain server
- Remove the rule from the email client and change the password
- Recommend that management implement SPF and DKIM
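The scenario above turns on two investigative steps: recognising the rule as an auto-forward with trail deletion, and scoping it from the mail server's own records rather than from the compromised client. The following is an added example (not part of the original question) showing both in Python. The inbox-rule export format is hypothetical, and the log lines are a constructed, Postfix-style sample; the `orig_to=` field is used here as the marker that a message addressed to the executive was redirected to the external address.

```python
import re

# Hypothetical export of the executive's mailbox rules (constructed; not a real Outlook/Exchange schema).
RULES = [
    {"name": "Vendor invoices",
     "conditions": {"to": "executive@anycompany.com"},
     "actions": {"move_to": "Invoices"}},
    {"name": "",  # unnamed rule, as an attacker-planted rule often is
     "conditions": {"to": "executive@anycompany.com"},
     "actions": {"forward_to": "someaddress@domain.com", "delete_from": "sent"}},
]

INTERNAL_DOMAIN = "anycompany.com"

# Constructed Postfix-style log excerpt: qmgr lines give the sender per queue ID,
# smtp/local lines give the recipient, the original recipient (orig_to) and delivery status.
SAMPLE_LOG = """\
Mar  3 09:12:01 mx1 postfix/qmgr[1234]: 7A1B2C3D4E: from=<partner@supplier.example>, size=4421, nrcpt=2 (queue active)
Mar  3 09:12:02 mx1 postfix/smtp[1240]: 7A1B2C3D4E: to=<someaddress@domain.com>, orig_to=<executive@anycompany.com>, relay=mail.domain.com[198.51.100.7]:25, delay=1.2, status=sent (250 2.0.0 OK)
Mar  3 09:12:02 mx1 postfix/local[1241]: 7A1B2C3D4E: to=<executive@anycompany.com>, relay=local, delay=0.4, status=sent (delivered to mailbox)
Mar  3 10:40:15 mx1 postfix/qmgr[1234]: 5F6E7D8C9B: from=<hr@anycompany.com>, size=9120, nrcpt=2 (queue active)
Mar  3 10:40:16 mx1 postfix/smtp[1240]: 5F6E7D8C9B: to=<someaddress@domain.com>, orig_to=<executive@anycompany.com>, relay=mail.domain.com[198.51.100.7]:25, delay=1.1, status=bounced (550 5.1.1 user unknown)
Mar  3 11:02:44 mx1 postfix/qmgr[1234]: 0A1B2C3D4F: from=<news@list.example>, size=2200, nrcpt=1 (queue active)
Mar  3 11:02:45 mx1 postfix/local[1241]: 0A1B2C3D4F: to=<cfo@anycompany.com>, relay=local, delay=0.3, status=sent (delivered to mailbox)
"""

FROM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<from>[^>]*)>")
TO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>"
    r"(?:, orig_to=<(?P<orig>[^>]*)>)?.*?status=(?P<status>\w+)")


def flag_suspicious_rules(rules, internal_domain):
    """Return rules that forward mail outside internal_domain and/or delete the forwarded copy."""
    findings = []
    for r in rules:
        fwd = r["actions"].get("forward_to")
        if not fwd:
            continue
        external = not fwd.lower().endswith("@" + internal_domain.lower())
        hides_trail = "delete_from" in r["actions"]
        if external or hides_trail:
            findings.append({"name": r["name"] or "(unnamed)", "forward_to": fwd,
                             "external": external, "hides_trail": hides_trail})
    return findings


def scope_forwarding(log_text, target):
    """List every message the server relayed to `target`, joined to its original sender by queue ID."""
    senders = {}
    hits = []
    for line in log_text.splitlines():
        m = FROM_RE.match(line)
        if m:
            senders[m["qid"]] = m["from"]
            continue
        m = TO_RE.match(line)
        if m and m["to"].lower() == target.lower():
            hits.append({"queue_id": m["qid"], "time": m["ts"],
                         "from": senders.get(m["qid"], "?"),
                         "orig_to": m["orig"], "status": m["status"]})
    return hits


def summarize(hits):
    """Impact summary: attempts vs. actually delivered copies, and whose mail leaked."""
    delivered = [h for h in hits if h["status"] == "sent"]
    return {"forwarded_attempts": len(hits), "delivered": len(delivered),
            "senders": sorted({h["from"] for h in delivered})}


if __name__ == "__main__":
    for f in flag_suspicious_rules(RULES, INTERNAL_DOMAIN):
        print("suspicious rule:", f)
    hits = scope_forwarding(SAMPLE_LOG, "someaddress@domain.com")
    for h in hits:
        print(h)
    print(summarize(hits))
```

Only the server log can answer "what left the building": the client-side rule deleted the forwarded copies from the Sent folder, so the mailbox itself understates the exposure, and a bounced relay (as in the second sample message) is an attempt but not a disclosure. The remediation options in the question (removing the rule, resetting the password, SPF/DKIM) come after this scoping, not before it.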