The SOC has contained a mailbox compromise by resetting the password and revoking active sessions. Investigation shows the attacker created an automatic forwarding rule and added an OAuth consent grant. What should happen next to eradicate the threat?

Notify all employees to be more careful with email before taking any technical steps.

Awareness messaging is useful later, but it does not remove attacker persistence from the account.

Delete the mailbox and create a new account for the user immediately.

Deleting the mailbox can cause unnecessary data loss and is not the preferred eradication step.

Restore the user's messages from backup and reopen access without further review.

Restoring mail content alone does not remove attacker access, hidden rules, or malicious application grants.

What does this SY0-701 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: Remove the malicious forwarding rule and review or revoke suspicious OAuth app grants. — After containment, the analyst should eradicate the compromise by removing attacker-created persistence such as forwarding rules and suspicious OAuth grants. Those artifacts can continue to leak mail or allow future access even after a password reset. Proper eradication also includes reviewing mailbox audit logs and delegated permissions to ensure the account is clean before service is restored and the user resumes normal work. Why others are wrong: A is a support action, not eradication. B is overly destructive and can create unnecessary data loss when targeted cleanup is possible. D focuses on recovery content rather than removing attacker control. The key is to eliminate the mechanisms the attacker used to maintain access.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.