This scenario describes a persistent phishing campaign leveraging spoofed domains and variant-based delivery mechanisms. According to the EC-Council Incident Handler (ECIH) curriculum under Email Security Incident Handling and Eradication, once detection and containment measures (such as blocking malicious IP addresses and purging emails) have been implemented, the eradication phase must focus on eliminating root causes and recurring technical vectors.
The key phrase in the question is “eliminate recurring delivery mechanisms and close technical loopholes.” ECIH emphasizes that phishing campaigns frequently evolve by modifying URLs, sender domains, encoding techniques, and payload structures to bypass simple IP blocking controls. Therefore, security teams must analyze decoded message components, extract malicious URLs, and generate URL-based deny-lists at the secure email gateway, web proxy, and firewall layers.
Creating email-specific URL deny-lists directly disrupts the attack infrastructure and prevents repeated access to malicious domains—even when attackers use variant IP addresses or modified content. This is a technical eradication control aligned with eliminating delivery vectors.
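The decode, extract, and deny-list step described above, as an added Python example that is not part of the ECIH material: it decodes each MIME text part before searching for URLs, so base64 and quoted-printable variants of the same lure produce the same entries. The messages and `.example` hostnames are constructed samples, and dropping the query string during normalization is an assumption of this example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html import unescape
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

def extract_urls(raw: bytes) -> set[str]:
    """Return normalized URLs found in the decoded text parts of one message."""
    msg = message_from_bytes(raw, policy=policy.default)
    urls = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        # get_content() undoes base64 / quoted-printable and the charset,
        # which a plain string search over the raw message would miss.
        text = unescape(part.get_content())
        for match in URL_RE.findall(text):
            parts = urlsplit(match.rstrip(".,;)"))
            if parts.hostname:
                # Assumption: per-recipient query tokens are dropped so that
                # variants collapse into one scheme://host/path entry.
                urls.add(f"{parts.scheme}://{parts.hostname}{parts.path}")
    return urls

def build_deny_list(raw_messages):
    """Merge URLs from all reported variants into sorted URL and host lists."""
    urls = set().union(*(extract_urls(m) for m in raw_messages))
    hosts = {urlsplit(u).hostname for u in urls}
    return sorted(urls), sorted(hosts)

def _sample(body, subtype, cte):
    """Build one constructed phishing variant as raw message bytes."""
    m = EmailMessage()
    m["From"] = "it-support@corp-helpdesk.example"
    m["Subject"] = "Password expiry"
    m.set_content(body, subtype=subtype, cte=cte)
    return m.as_bytes()

# Constructed samples: same campaign, different encodings and casing.
SAMPLES = [
    _sample("Reset here: https://login.portal-update.example/reset?u=a1", "plain", "base64"),
    _sample('<a href="HTTPS://Login.Portal-Update.example/reset?u=b2">Reset</a>', "html", "quoted-printable"),
    _sample("Verify: http://secure.portal-update.example/verify.", "plain", "base64"),
]

if __name__ == "__main__":
    for entry in sum(build_deny_list(SAMPLES), []):
        print(entry)
```

The host list suits a web proxy or DNS filter, while the full URL list suits secure email gateway rules where blocking a whole host would be too broad.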
Options B and C (training and simulations) are preventive awareness measures and fall under the preparation or post-incident improvement phase—not eradication. Option A (WHOIS masking) is unrelated to preventing phishing delivery.
ECIH guidance stresses strengthening email filtering rules, updating domain and URL blacklists, implementing SPF/DKIM/DMARC validation, and hardening secure email gateways as core eradication techniques. Therefore, option D best aligns with the eradication objective.