During an investigation, an analyst discovers the following rule in an executive’s email client:
IF * TO <executive@anycompany.com> THEN mailto: <someaddress@domain.com>
SELECT FROM ‘sent’ THEN DELETE FROM <executive@anycompany.com>
The executive is not aware of this rule.
Which of the following should the analyst do FIRST to evaluate the potential impact of this security incident?
A. Check the server logs to evaluate which emails were sent to <someaddress@domain.com>
B. Use the SIEM to correlate logging events from the email server and the domain server
C. Remove the rule from the email client and change the password
D. Recommend that management implement SPF and DKIM
Answer: A