Security Administrators: Phishing Attack Remediation - CompTIA SY0-601 Exam

Take Corrective Actions to Address Phishing Attacks - SY0-601 Exam


Question

Security administrators attempted corrective action after a phishing attack.

Users are still experiencing trouble logging in, as well as an increase in account lockouts.

Users' email contacts are complaining of an increase in spam and social networking requests.

Due to the large number of affected accounts, remediation must be accomplished quickly.

Which of the following actions should be taken FIRST? (Choose two.)

Answers

Explanations


Correct answer: E, F.

Sender Policy Framework (SPF) is a simple email-validation system designed to detect sender-address spoofing. The owner of a domain publishes, in a DNS TXT record, the list of hosts authorized to send mail for that domain; a receiving mail exchanger looks up that record and checks whether the host that is connecting to deliver a message claiming to be from the domain is on the list, and rejects or flags the message if it is not.

In a Small Business Server environment, you may have to prevent your Microsoft Exchange Server-based server from being used as an open SMTP relay for unsolicited commercial e-mail messages (spam).

You may also have to clean up the Exchange server's SMTP queues to delete the unsolicited commercial e-mail messages that have already been accepted.

If your Exchange server is being used as an open SMTP relay, you may experience one or more of the following symptoms:

  1. The Exchange server cannot deliver outbound SMTP mail to a growing list of e-mail domains.

  2. Internet browsing is slow from the server and from local area network (LAN) clients.

  3. Free disk space on the Exchange server, in the location of the Exchange information store databases or the Exchange information store transaction logs, decreases more rapidly than you expect.

  4. The Microsoft Exchange information store databases dismount spontaneously. You may be able to mount the stores manually by using Exchange System Manager, but they may dismount again on their own after running for a short time.
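To make the open-relay condition concrete, here is an added example (not code from the original page or from Microsoft) that applies the relay decision an MTA should be making to a constructed SMTP receive log. The log format, the `client=`/`auth=`/`from=`/`to=` fields, the domains and the IP addresses are all assumptions made for the example. A message is being relayed whenever its recipient is not in one of our own domains; that is legitimate only for authenticated users or for clients on networks we trust. Anything else is relay abuse, and the script counts it per client IP.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log in a simplified key=value format (assumed for this example).
SAMPLE_LOG = """\
2024-03-02T10:01:12Z client=192.0.2.20 auth=no from=<partner@corp.example> to=<alice@sbs.example>
2024-03-02T10:01:40Z client=10.0.0.15 auth=no from=<alice@sbs.example> to=<bob@corp.example>
2024-03-02T10:02:03Z client=203.0.113.45 auth=no from=<promo@shop.example> to=<victim1@mail.example>
2024-03-02T10:02:04Z client=203.0.113.45 auth=no from=<promo@shop.example> to=<victim2@mail.example>
2024-03-02T10:02:05Z client=203.0.113.45 auth=no from=<promo@shop.example> to=<carol@sbs.example>
2024-03-02T10:03:17Z client=198.51.100.9 auth=yes from=<alice@sbs.example> to=<dave@corp.example>
2024-03-02T10:04:50Z client=203.0.113.46 auth=no from=<promo@shop.example> to=<victim3@mail.example>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) auth=(?P<auth>yes|no) "
    r"from=<(?P<from>[^>]*)> to=<(?P<to>[^>]+)>$"
)


def is_relay_abuse(client_ip, authenticated, rcpt_to, local_domains, trusted_nets):
    """True when an untrusted, unauthenticated client asks us to deliver
    to a domain that is not ours, i.e. the server is acting as an open relay."""
    rcpt_domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if rcpt_domain in local_domains:
        return False                    # inbound mail for our own users is always accepted
    if authenticated:
        return False                    # SMTP AUTH users may send outbound through us
    ip = ipaddress.ip_address(client_ip)
    return not any(ip in net for net in trusted_nets)


def find_relay_abuse(log_text, local_domains, trusted_cidrs):
    """Return {client_ip: count} of relayed messages that should have been refused."""
    trusted_nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # skip malformed lines instead of aborting the review
        if is_relay_abuse(m["client"], m["auth"] == "yes", m["to"],
                          local_domains, trusted_nets):
            hits[m["client"]] += 1
    return dict(hits)


if __name__ == "__main__":
    print(find_relay_abuse(SAMPLE_LOG, {"sbs.example"}, ["10.0.0.0/8"]))
```

The same predicate, with "accept everything" in place of the trusted-network and authentication checks, is the open-relay misconfiguration: the only thing that turns a mail server into a spam relay is that its RCPT TO decision does not distinguish its own domains from everyone else's.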


The given scenario describes the aftermath of a phishing attack. The attack has left users unable to log in, increased the number of account lockouts, and produced a wave of spam and social-networking requests to the users' email contacts. Because many accounts are affected, remediation must be accomplished quickly. On that reading, the two actions to take first are:

  1. Change the compromised accounts' passwords: the attackers may already hold the users' credentials, so resetting the passwords of the affected accounts cuts off further unauthorized access to those accounts and to the systems they can reach.

  2. Disable the compromised accounts: disabling the accounts stops the attackers from using them for further malicious activity, and reduces the risk that the accounts are used for lateral movement within the organization's network.

The other options may also be necessary, but they should not be the first actions taken. Updating WAF rules to block social networks does not address the immediate risk of unauthorized access to the compromised accounts. Removing the compromised accounts from all AD groups and enabling Sender Policy Framework are good security practices, but they do not directly address the current issue. Disabling the open relay on the email server is also good practice, but it does not directly address the compromised accounts.