You are responding to a phishing incident. The investigation reveals that a user clicked a link in a phishing email and entered credentials on a fake site. You need to contain the incident and prevent further compromise. What should you do first?
This invalidates the stolen credentials and existing sessions.
Why this answer
Option D is correct because resetting the compromised user's password immediately prevents further access using stolen credentials. Option A is wrong because blocking the URL does not invalidate already stolen credentials. Option B is wrong because deleting the email from the user's mailbox does not prevent use of stolen credentials.
Option C is wrong because reporting the site to Microsoft is reactive.