🔥 3-day streak
Microsoft Security Operations Analyst64 / 190
Question 64 of 190

During an incident in the Microsoft Defender portal, a user account is flagged after Security Copilot identifies AiTM (adversary-in-the-middle) token theft. The attacker has replayed a stolen session cookie from a foreign IP, and the account shows successful sign-ins that bypassed MFA. You have already confirmed the user as compromised and forced a password reset. Which additional response action is essential to immediately stop the attacker from continuing to use the stolen authentication artifact?

Reviewed for accuracy · Report an issueNext question