🔥 3-day streak
CompTIA CySA+ (CS0-003)61 / 147
Question 61 of 147

A SOC analyst reviews an incident where an attacker gained a foothold on an internal workstation. Investigation shows the user received an email with a link to a legitimate-looking cloud document portal. When the user entered credentials, they were captured, and the attacker later used those credentials to log in through the company's external VPN portal. The analyst is documenting the intrusion using the MITRE ATT&CK framework. Which technique best describes how the attacker obtained the credentials used for the initial foothold?

Reviewed for accuracy · Report an issueNext question