A SOC analyst reviews one user account and sees several failed logins from a single IP, then a successful login from the same IP, followed by a new inbox forwarding rule to an external address. Which two findings most strongly suggest account compromise? Select two.

The user authenticated during normal business hours.

Normal hours are expected and do not, by themselves, indicate unauthorized access.

The user accessed email from a corporate laptop.

Known corporate devices are common and usually fit ordinary business use patterns.

The password age is 89 days.

Password age alone does not prove compromise; many accounts remain valid that long.

What does this SY0-701 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: Repeated failed logins followed by a successful login from the same source IP. — The strongest indicators here are the repeated failed logins followed by a success from the same source IP and the new external forwarding rule. Together, they suggest someone may have guessed or stolen the password and then changed mailbox settings to hide activity or exfiltrate mail. Security analysts often treat this combination as a strong sign of compromise because it shows both suspicious access and post-login behavior that is not normal for the user. Why others are wrong: Normal business hours and a corporate laptop are expected in many environments and do not prove malicious activity. Password age is also weak evidence on its own because many legitimate accounts remain unchanged for months. These items may help provide context, but they are not as strong as the failed-login pattern and the new forwarding rule, which directly point to unauthorized access and possible persistence.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.