212-89 Practice Questions

A large multinational enterprise recently integrated a digital HR onboarding system to streamline applicant submissions and document collection. During a cybersecurity audit, it was revealed that attackers had set up a phishing site mimicking the official HR document submission portal. Several employees and new hires uploaded their resumes and downloaded pre-filled form templates, believing them to be legitimate. Upon opening the downloaded Word documents, the system silently connected to external servers and fetched additional template data without any user consent or visible macro execution warnings. This bypassed email gateway filters and endpoint antivirus tools, leading to lateral malware spread across systems used by HR, finance, and legal departments.

Digital forensic analysis showed that the documents did not contain visible scripts or macros but relied on hidden structural definitions to retrieve malicious payloads dynamically from attacker-controlled servers. Which of the following web-based malware distribution techniques best explains the observed behavior?

A global logistics company recently experienced a targeted ransomware attack that began through a deceptive email campaign. The malicious software encrypted critical files on several systems tied to dispatch and finance operations. Fortunately, the organization had deployed an advanced security setup that could swiftly recognize abnormal behaviors, isolate compromised devices, and alert both the technical support desk and the security operations team.

In parallel, system logs were captured and analyzed using integrated threat detection tools, and a detailed file was automatically created with relevant data such as affected assets, user activity, and potential entry points. Security analysts then assessed the case, adapted containment measures based on the affected departments, and continued tracking suspicious activity across the network. Additional countermeasures were executed based on a mix of pre-approved workflows and expert decisions, ensuring the issue was contained without major disruption. Which combination of technologies is MOST likely supporting this workflow?

ThetaTec, a global fintech giant, identified that an employee was siphoning off funds using a sophisticated method undetectable by traditional monitoring tools. The firm decided to employ advanced techniques to detect such hidden insider threats. What should be its primary focus?

Which of the following is defined as the identification of the boundaries of an IT system along with the resources and information that constitute the system?

During the process of detecting and containing malicious emails, incident responders

should examine the originating IP address of the emails.

The steps to examine the originating IP address are as follow:

1. Search for the IP in the WHOIS database

2. Open the email to trace and find its header

3. Collect the IP address of the sender from the header of the received mail

4. Look for the geographic address of the sender in the WHOIS database

Identify the correct sequence of steps to be performed by the incident responders to

examine originating IP address of the emails.

Allan performed a reconnaissance attack on his corporate network as part of a red-team activity. He scanned the IP range to find live host IP addresses. What type of technique did he use to exploit the network?

Which of the following best describes an email issued as an attack medium, in which several messages are sent to a mailbox to cause overflow?

After a recent upgrade, users of Trend Spot encountered slow website load times. Analysis revealed attackers flooding the application with fake search requests, causing an application-layer DoS attack. How should Trend Spot primarily respond?

A multinational consultancy firm recently conducted a mobile security awareness session after noticing repeated incidents of suspicious activity on corporate-linked Android devices. During the session, IT discovered that several employees had been sideloading APK files from unofficial third-party websites to access premium apps for free. These unauthorized installations introduced malware that compromised login credentials, triggered unauthorized data exfiltration, and bypassed existing security filters. Further investigation revealed that the company lacked enforcement of application certification checks on enrolled Android devices, and employees were unaware of the risks of using unverified sources. What security control should be prioritized to prevent such behavior in the future?

In the wake of a sophisticated cyber attack at a global financial institution involving encrypted data exfiltration, an incident handler must preserve volatile memory for forensic investigation. What should be the incident handler's immediate action?