A technician is investigating a security incident where a user's corporate email account was accessed from an unknown device. The user's iPhone shows no suspicious apps, and the password was recently changed. Which of the following is the MOST likely cause?
- A. The user's iCloud account was compromised, and the email is synced via Exchange.
  Why wrong: iCloud compromise would affect iCloud services, but corporate email accessed via Exchange typically uses separate credentials.
- B. An OAuth token or app-specific password was stolen and used to access the account. (Correct answer)
  Why right: OAuth tokens or app-specific passwords can grant persistent access to email without needing the main password, so a password change alone does not cut off that access unless the token or app password is also revoked; this makes them a common vector for continued access.
- C. The user's iPhone has a jailbreak that hides malicious apps.
  Why wrong: A jailbreak could hide apps, but the question states no suspicious apps are found, and this is less likely than token theft.
- D. The corporate email server has a backdoor account.
  Why wrong: A server backdoor is possible but is a server-side issue, not a mobile OS troubleshooting scenario, and less common than token theft.