The EC-Council Incident Handler (ECIH) curriculum explains that email account compromise often involves attackers creating persistent mechanisms such as auto-forwarding rules, mailbox delegation changes, or hidden inbox rules to exfiltrate data even after password resets.
In this scenario, unauthorized message redirection continued despite credential resets and session termination. This strongly indicates the presence of malicious mailbox configuration changes, specifically auto-forwarding rules sending copies of emails to external attacker-controlled addresses.
ECIH emphasizes that eradication requires removal of persistence mechanisms—not just resetting credentials. During email security incident eradication, responders must review mailbox rules, forwarding settings, API tokens, and delegated access permissions. Attackers frequently create hidden rules to maintain access to sensitive communications.
Option A (auditing logs) supports investigation but does not eliminate persistence. Option B (credential resets) is a containment measure already performed but insufficient alone. Option C (client advisory messages) is part of communication management, not technical eradication.
Deleting malicious auto-forwarding rules directly neutralizes the attacker’s ongoing access channel and aligns with ECIH’s guidance on removing unauthorized configurations, validating account integrity, enforcing MFA, and auditing cloud email security settings.
Therefore, deleting malicious auto-forwarding rules is the most appropriate eradication step in this scenario.
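The review of mailbox rules and forwarding settings described above, as an added triage example that is not part of the ECIH material: it runs over a constructed export of inbox rules and mailbox-level forwarding (field names modelled on Exchange Online's InboxRule and Mailbox objects, with `example.com` assumed to be the organisation's own domain), flags anything that sends mail to an external domain together with the hiding tricks that make such rules easy to miss, and emits the eradication actions to take.

```python
"""Triage exported inbox rules and mailbox forwarding settings for external-forwarding
persistence, then list the eradication actions. All data below is constructed."""
import re

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's accepted domains
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "junk email", "deleted items"}

# Constructed sample export: a benign rule, a hidden redirect rule, and mailbox-level forwarding.
SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "name": "Invoices to AP", "enabled": True,
     "forward_to": ["ap@example.com"], "redirect_to": [], "forward_as_attachment_to": [],
     "delete_message": False, "mark_as_read": False, "move_to_folder": None},
    {"mailbox": "cfo@example.com", "name": ".", "enabled": True,
     "forward_to": [], "redirect_to": ["sync.archive@mail-relay.example.net"],
     "forward_as_attachment_to": [], "delete_message": True, "mark_as_read": True,
     "move_to_folder": "RSS Subscriptions"},
]
SAMPLE_MAILBOXES = {
    "cfo@example.com": {"forwarding_smtp_address": "smtp:backup@mail-relay.example.net",
                        "deliver_to_mailbox_and_forward": True},
    "hr@example.com": {"forwarding_smtp_address": None, "deliver_to_mailbox_and_forward": False},
}

def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True if the address's domain is not one the organisation owns (None -> False)."""
    addr = (address or "").lower()
    addr = addr[5:] if addr.startswith("smtp:") else addr
    match = re.search(r"@([\w.-]+)$", addr)
    return bool(match) and match.group(1) not in internal_domains

def triage_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Flag rules that forward/redirect outside the organisation; record hiding tricks as evidence."""
    findings = []
    for rule in rules:
        targets = rule["forward_to"] + rule["redirect_to"] + rule["forward_as_attachment_to"]
        external = [t for t in targets if is_external(t, internal_domains)]
        if not external:
            continue
        reasons = ["sends to external " + ", ".join(external)]
        if rule["delete_message"]: reasons.append("deletes the original (hides activity)")
        if rule["mark_as_read"]: reasons.append("marks messages as read")
        if (rule["move_to_folder"] or "").lower() in HIDING_FOLDERS: reasons.append("files into a rarely viewed folder")
        if len(rule["name"].strip(" .")) <= 1: reasons.append("near-empty rule name")
        findings.append({"mailbox": rule["mailbox"], "rule": rule["name"], "reasons": reasons})
    return findings

def triage_mailbox_forwarding(mailboxes, internal_domains=INTERNAL_DOMAINS):
    """Flag mailbox-level forwarding (set outside any inbox rule) to an external address."""
    return [{"mailbox": m, "rule": None, "reasons": ["mailbox-level forward to " + s["forwarding_smtp_address"]]}
            for m, s in mailboxes.items() if is_external(s["forwarding_smtp_address"], internal_domains)]

def eradication_plan(findings):
    """Remove each malicious inbox rule; clear mailbox-level forwarding where it was set."""
    return [("remove_inbox_rule", f["mailbox"], f["rule"]) if f["rule"] is not None
            else ("clear_forwarding_smtp_address", f["mailbox"], None) for f in findings]
```

Running `eradication_plan(triage_rules(SAMPLE_RULES) + triage_mailbox_forwarding(SAMPLE_MAILBOXES))` yields one rule removal and one forwarding clear for `cfo@example.com`, while the benign internal rule and the untouched HR mailbox are left alone.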