easy BEC / Email
The Urgent Wire Transfer
Your CFO forwards you an email from the CEO asking to urgently wire $180,000 to a new vendor. The CEO is travelling and unreachable by phone. The email address looks correct. What do you do?
4 choices · 1 right answer
medium Cloud / OAuth
The Suspicious OAuth App
A developer installs "DataSync Pro" and grants it Mail.ReadWrite and Files.ReadWrite.All permissions. The app has 4 stars. Three weeks later, MDA alerts show unusual Graph API activity. What do you do?
4 choices · 1 right answer
medium Ransomware
Ransomware Alert at 2am
Defender XDR fires a critical alert at 2:17am: "Human-operated ransomware — 3 devices compromised, lateral movement to file server in progress, payload staged." Automatic attack disruption has isolated the 3 devices. You are on-call. What do you do first?
4 choices · 1 right answer
medium Insider Risk
The Departing Employee
A senior sales rep submits resignation Friday. Monday, Insider Risk Management flags: 8 large SharePoint downloads (3× baseline), one external Teams share blocked by DLP, and a USB copy blocked by Endpoint DLP. HR has not started offboarding. What do you do?
4 choices · 1 right answer
hard Privileged Access
The IT Admin After Hours
MDI detects that a global admin account logged into the Azure portal at 2:43am from a new IP and made 14 changes to Conditional Access policies. The admin claims they were asleep. The account had MFA. What happened and what do you do?
4 choices · 1 right answer
hard Third-Party Risk
The Shadow IT Audit
MDA reveals 340 cloud apps in use — most never reviewed. 12 apps have a risk score below 4/10, including 3 with a history of data breaches. Two of these breach-history apps have full mailbox access via OAuth. What is your response priority order?
4 choices · 1 right answer