220-1102 Practice Question: A user receives an email that appears to be from…

Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

Answer analysis

Why the other options are wrong

Understanding why incorrect options are tempting is as important as knowing the correct answer.

• ✗

  A. Reply to the email to verify the sender's identity.

  Replying could confirm the email address is valid and potentially expose the user to more attacks.

• ✗

  C. Block the sender's email address on the user's mailbox.

  Blocking locally does not prevent the same sender from targeting other users and may not stop future variations.

• ✗

  D. Instruct the user to delete the email and ignore it.

  Deleting without reporting fails to alert the organization to the threat, allowing it to spread.

Technical deep dive

How to think about this question

The core concept being tested here is the appropriate incident response procedure for a detected phishing attempt, emphasizing a centralized and proactive approach. Reporting the email to the IT security team is the paramount first step because it triggers an organizational-level response. Mechanically, this action allows the security team to analyze the malicious email, identify its characteristics (like the 'rn' instead of 'm' in the domain, which is a classic typosquatting tactic), and implement broader protective measures. These measures could include updating email filters to block the sender across the entire organization, issuing company-wide alerts to warn other employees, investigating potential compromises, and even initiating forensic analysis if necessary. This centralized reporting is crucial because phishing attacks are rarely isolated; if one user received it, many others likely did or will soon. The security team possesses the tools and expertise to mitigate the threat beyond a single user's mailbox. This approach differs significantly from the distractor options by shifting the responsibility and capability from an individual user or local technician to a specialized team with a holistic view of the organization's security posture. Replying to the email (Option A) is dangerous as it validates the user's email address to the attacker. Blocking the sender locally (Option C) is insufficient because it only protects one user and does not prevent the attacker from targeting others or using slightly varied sender addresses. Simply deleting the email (Option D) is a passive response that leaves the entire organization vulnerable to the same threat, effectively ignoring a critical piece of threat intelligence that could protect hundreds or thousands of users. Therefore, reporting to the security team is the only option that addresses the threat comprehensively and proactively.

More questions from this exam

Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.

FAQ

Questions learners often ask

Keep practising

More 220-1102 practice questions

• →A change advisory board (CAB) approved a standard change to update antivirus definitions on all servers. The technician…
• →A company's change management policy requires all server changes to be approved by the Change Advisory Board (CAB). A te…
• →A company is implementing a bring-your-own-device (BYOD) policy and needs to ensure that corporate data on employee mobi…
• →A company requires employees to present both a smart card and a PIN to log into their workstations. Which authentication…
• →A company requires all Windows 10 workstations to be able to join an Active Directory domain. Which edition of Windows 1…
• →A company wants to allow employees to securely access internal resources from home via the internet. Which method provid…