A technician is investigating a security incident where a user's corporate email account was accessed from an unknown device. The user's iPhone shows no suspicious apps, and the password was recently changed. Which of the following is the MOST likely cause?
OAuth tokens or app-specific passwords can grant persistent access to email without needing the main password, making them a common vector for continued access.
Why this answer
Option B is correct because an OAuth refresh token or an app-specific password is a credential in its own right: the client presents it instead of the primary password, so rotating the password does not by itself cut it off. With a clean iPhone and a freshly changed password, a token or app password that was issued (or stolen) before the change and is still being redeemed from the unknown device, whether over Exchange ActiveSync or a modern-authentication client, is the most plausible way the mailbox is still being read. The practical check is the identity provider's sign-in log: successful sign-ins after the password-change timestamp that never presented the new password are the persistence to kill, and the fix is to revoke the user's refresh tokens and sign-in sessions and delete any app passwords rather than to change the password again. Whether a password change also invalidates refresh tokens depends on the identity provider's policy; short-lived access tokens already issued remain usable until they expire either way.
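The triage the explanation above describes, as an added example that is not part of the original question or of any vendor's tooling: it runs over constructed sign-in records, keeps the successful post-change sign-ins from unknown devices that redeemed a token or app password minted before the change, and maps each surviving credential type to the revocation step that actually ends it. The pipe-delimited log format, the auth_method labels, the device IDs and the sample events are all assumptions made for this example; real exports (Entra ID sign-in logs, Google Workspace audit logs) use their own schemas.

```python
"""Sign-in triage after a password change.

Added example, not part of the original question or any vendor's tooling. The
pipe-delimited log format, the auth_method labels and the sample events are all
constructed for this example; real identity-provider exports use their own schemas.
"""
from dataclasses import dataclass
from datetime import datetime

# Authentication methods that never present the primary password at sign-in.
# Rotating the password therefore does not, by itself, stop them.
PASSWORDLESS_METHODS = {"refresh_token", "app_password", "activesync_app_password"}

# Which revocation step actually ends each kind of surviving credential.
REVOCATION = {
    "refresh_token": "revoke all refresh tokens and sign-in sessions for the user",
    "app_password": "delete the user's app-specific passwords",
    "activesync_app_password": "delete app passwords and remove the ActiveSync device partnership",
}


@dataclass(frozen=True)
class SignIn:
    time: datetime
    user: str
    device_id: str
    auth_method: str
    credential_issued: datetime  # when the password, token or app password was created
    success: bool


def parse_signin(line: str) -> SignIn:
    """Parse one constructed log line: time|user|device|method|issued_at|result."""
    t, user, device, method, issued, result = line.strip().split("|")
    return SignIn(datetime.fromisoformat(t), user, device, method,
                  datetime.fromisoformat(issued), result == "success")


def surviving_access(signins, password_changed, known_devices):
    """Successful sign-ins after the password change, from a device the user does
    not own, redeeming a passwordless credential minted before the change.
    These are the sessions a password rotation left alive."""
    return [
        s for s in signins
        if s.success
        and s.time > password_changed
        and s.device_id not in known_devices
        and s.auth_method in PASSWORDLESS_METHODS
        and s.credential_issued < password_changed
    ]


def remediation(hits):
    """Distinct revocation actions needed for the surviving credentials, sorted."""
    return sorted({REVOCATION[h.auth_method] for h in hits})


# Constructed sample data: the user rotated the password at 09:00 on 1 March and
# owns one enrolled iPhone. Every other device_id is unknown. Note the attacker's
# attempt with the old password at 10:20 fails while the refresh token keeps working.
PASSWORD_CHANGED = datetime(2024, 3, 1, 9, 0)
KNOWN_DEVICES = {"iphone-user-1"}
SAMPLE_LOG = [
    "2024-02-28T08:00|alice|iphone-user-1|password|2024-02-28T08:00|success",
    "2024-03-01T10:15|alice|unknown-android-7|refresh_token|2024-02-20T14:02|success",
    "2024-03-01T10:20|alice|unknown-android-7|password|2024-03-01T10:20|failure",
    "2024-03-01T11:00|alice|iphone-user-1|password|2024-03-01T11:00|success",
    "2024-03-02T07:30|alice|unknown-laptop-3|app_password|2024-01-15T09:00|success",
]


def triage(lines=SAMPLE_LOG, password_changed=PASSWORD_CHANGED, known_devices=KNOWN_DEVICES):
    """Parse the log, find surviving access, and return (hits, revocation actions)."""
    hits = surviving_access([parse_signin(l) for l in lines], password_changed, known_devices)
    return hits, remediation(hits)


if __name__ == "__main__":
    hits, actions = triage()
    for h in hits:
        print(f"{h.time:%Y-%m-%d %H:%M} {h.device_id:<18} {h.auth_method:<14} "
              f"credential issued {h.credential_issued:%Y-%m-%d}, before the change")
    for a in actions:
        print("->", a)
```

The filter deliberately ignores sign-ins that presented the new password, since those are the legitimate user (or someone who already has the new password, which is a different incident); what it surfaces is exactly the set of credentials the password rotation did not touch.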
Exam trap
CompTIA exam questions often test the distinction between password-based attacks and token-based persistence. Candidates mistakenly assume that changing the password immediately revokes all access and overlook OAuth tokens or app-specific passwords that remain valid after the change.
How to eliminate wrong answers
Option A is wrong because an iCloud compromise alone does not grant access to a corporate mailbox unless the mailbox is served through iCloud Mail or the Exchange credentials were stored in iCloud Keychain; the scenario concerns a corporate account, not iCloud. Option C is wrong because a jailbreak that hides malicious apps is unlikely given that the iPhone shows no suspicious apps, MDM jailbreak detection would typically flag the device, and hidden apps would still leave traces in system logs or installed profiles. Option D is wrong because a backdoor account on the corporate email server is a server-side compromise of the mail system as a whole, not something tied to this user's device, account or password change, and nothing in the scenario points to the server.