Question 163 of 1,152
Security OperationsmediumMultiple ChoiceObjective-mapped

SY0-701 Security Operations Practice Question

This SY0-701 practice question tests your understanding of security operations. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A SOC analyst is investigating an alert triggered when a user clicked a link in an email. The email appeared to be from a trusted vendor and included a PDF attachment with a macro, but the user did not run the macro. Upon reviewing the email headers, the analyst notices that the sender's domain is a common misspelling of the vendor's legitimate domain. Which of the following is the most direct indicator that this email is a phishing attempt?

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

The misspelled sender domain in the email headers

The misspelled sender domain in the email headers is the most direct indicator of a phishing attempt because it reveals the attacker's use of domain spoofing or a lookalike domain to impersonate a trusted vendor. This is a classic social engineering technique that bypasses the user's visual inspection, and since the user did not run the macro, the macro itself is not an active threat. The email headers provide forensic evidence of the domain mismatch, which is a definitive sign of phishing regardless of user actions.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The macro embedded in the PDF attachment

    Why it's wrong here

    A macro can be malicious, but in this scenario the user did not run it, so it is not an active indicator of the phishing attempt. The presence of a macro is not itself proof of phishing, as legitimate documents may contain macros.

    When this WOULD be correct

    In a scenario where a user reports a suspicious email attachment and the SOC analyst finds that the attachment contains a macro that auto-executes or is known to be malicious, the macro itself would be the direct indicator of a phishing attempt.

  • The misspelled sender domain in the email headers

    Why this is correct

    This is the strongest indicator because it directly shows the email's origin is fraudulent. Attackers register domains that are visually similar to legitimate ones to trick users. The domain mismatch confirms the email is not from the vendor.

    Related concept

    Read the scenario before looking for a memorised answer.

  • The alert generated by the user clicking the link

    Why it's wrong here

    The alert is the event that brought the incident to the analyst's attention, not an indicator of phishing itself. It simply records the user's action, which could happen with a legitimate link as well.

    When this WOULD be correct

    This option would be correct in a question asking: 'Which of the following is the most direct indicator that a user's action has triggered a security incident?' or 'What is the first sign that a security event has occurred?'

  • The email appeared to be from a known vendor

    Why it's wrong here

    Phishing emails often impersonate trusted organizations to gain credibility. However, the email only 'appears' to be from the vendor; the domain misspelling reveals the deception. The appearance alone is not an indicator without supporting evidence.

    When this WOULD be correct

    This option would be correct in a question asking: 'Which social engineering principle is being exploited when an email claims to be from a known vendor to gain trust?' In that context, the appearance of a known vendor directly indicates the use of authority or familiarity.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The SY0-701 exam frequently reuses these exact scenarios with slightly different constraints.

The misspelled sender domain in the email headersCorrect answer

Why this is correct

This is the strongest indicator because it directly shows the email's origin is fraudulent. Attackers register domains that are visually similar to legitimate ones to trick users. The domain mismatch confirms the email is not from the vendor.

The macro embedded in the PDF attachmentWrong answer — click to see why

Why this is wrong here

The macro was not executed by the user, so it is not a direct indicator of phishing in this alert; the misspelled domain is a more immediate red flag.

★ When this WOULD be the correct answer

In a scenario where a user reports a suspicious email attachment and the SOC analyst finds that the attachment contains a macro that auto-executes or is known to be malicious, the macro itself would be the direct indicator of a phishing attempt.

Why candidates choose this

Candidates often associate macros with phishing, but overlook that the macro was not run, making it a potential threat rather than a direct indicator in this context.

The alert generated by the user clicking the linkWrong answer — click to see why

Why this is wrong here

The alert is a consequence of the user's action, not a direct indicator of phishing. The question asks for the most direct indicator that the email itself is a phishing attempt, and the alert is a system response, not a characteristic of the email.

★ When this WOULD be the correct answer

This option would be correct in a question asking: 'Which of the following is the most direct indicator that a user's action has triggered a security incident?' or 'What is the first sign that a security event has occurred?'

Why candidates choose this

Candidates may confuse the alert (the system's detection mechanism) with the actual evidence of phishing, thinking that any triggered alert directly indicates the nature of the threat, rather than understanding that the alert is a result of policy-based detection.

The email appeared to be from a known vendorWrong answer — click to see why

Why this is wrong here

The email appearing to be from a known vendor is not a direct indicator of phishing; attackers often spoof trusted names. The misspelled domain in the headers is the actual evidence of impersonation.

★ When this WOULD be the correct answer

This option would be correct in a question asking: 'Which social engineering principle is being exploited when an email claims to be from a known vendor to gain trust?' In that context, the appearance of a known vendor directly indicates the use of authority or familiarity.

Why candidates choose this

Candidates may think that any email claiming to be from a trusted source is suspicious, but here the question asks for the most direct indicator, and the misspelled domain is more concrete evidence than the mere appearance of a known vendor.

Analysis generated from the official SY0-701blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: answer the scenario, not the keyword

CompTIA often tests the distinction between a potential threat (like an unexecuted macro) and an actual indicator of an attack (like a spoofed domain in headers), trapping candidates who focus on the payload rather than the evidence of impersonation.

Trap categories for this question

  • Scenario analysis trap

    A macro can be malicious, but in this scenario the user did not run it, so it is not an active indicator of the phishing attempt. The presence of a macro is not itself proof of phishing, as legitimate documents may contain macros.

Detailed technical explanation

How to think about this question

Email headers contain the 'From' field (RFC 5322) which can be spoofed, but the 'Return-Path' and 'Received-SPF' headers reveal the actual sending domain. In this scenario, the misspelled domain (e.g., 'vend0r.com' instead of 'vendor.com') would fail SPF and DKIM checks if properly configured, but the analyst can directly observe the domain mismatch in the headers. Real-world phishing campaigns often use homograph attacks (e.g., replacing 'o' with '0') to create visually similar domains that bypass user scrutiny but are easily caught by header analysis.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

An employee at a financial services firm receives an email that appears to come from the IT helpdesk, asking them to reset their password via a link. The link leads to a convincing fake portal that harvests credentials. Security teams use phishing simulations and security-awareness training to reduce this attack vector. Questions like this test whether you can identify social engineering techniques and appropriate controls.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related SY0-701 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free SY0-701 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this SY0-701 question test?

Security Operations — This question tests Security Operations — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: The misspelled sender domain in the email headers — The misspelled sender domain in the email headers is the most direct indicator of a phishing attempt because it reveals the attacker's use of domain spoofing or a lookalike domain to impersonate a trusted vendor. This is a classic social engineering technique that bypasses the user's visual inspection, and since the user did not run the macro, the macro itself is not an active threat. The email headers provide forensic evidence of the domain mismatch, which is a definitive sign of phishing regardless of user actions.

What should I do if I get this SY0-701 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More SY0-701 practice questions

Last reviewed: Jun 30, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This SY0-701 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SY0-701 exam.