The best answer is D. Lock the employee's account to prevent further unauthorized access.
If credentials have been exposed in a phishing incident, the most urgent priority is containment: stop the attacker from using those credentials before they can be leveraged. Locking or disabling the affected account is an immediate response step that cuts off unauthorized access and reduces the risk of lateral movement, privilege abuse, or data theft while the rest of the investigation proceeds.
Why the other options are incorrect:
A. Notify all employees about the phishing attack and instruct them to avoid suspicious emails. Awareness messaging may be useful later, but it does not contain the compromised account.
B. Wait for confirmation from the employee before making any changes to the account. Waiting introduces unnecessary risk if the credentials are already exposed; the attacker does not wait.
C. Reimage the employee's workstation to ensure no malware is present. Reimaging may be appropriate if malware was delivered, but the question specifically says the employee exposed credentials. The first priority is account containment.
From a Security+ incident response perspective, the immediate action after credential compromise is to disable or lock the account, making D the best answer. In practice the lock is the first step, not the whole job: a disable alone does not end sessions that are already authenticated, so the password is also reset and active sessions and tokens are revoked as part of containment.
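The containment step described above, as an added example (it is not part of the original question or explanation). It assumes an Active Directory domain with the RSAT ActiveDirectory module installed, an Entra ID tenant reachable through the Microsoft.Graph module with User.ReadWrite.All consent, and placeholder identifiers $User and $Upn for the affected employee; all three are assumptions for illustration.

```powershell
# Added example: contain a compromised account after phishing exposed its password.
# Assumes the ActiveDirectory and Microsoft.Graph modules; $User / $Upn are placeholders.
param(
    [Parameter(Mandatory)][string]$User,   # sAMAccountName, e.g. jdoe (assumed)
    [Parameter(Mandatory)][string]$Upn     # e.g. jdoe@example.com (assumed)
)

Import-Module ActiveDirectory

# 1. Record the account's state before touching it, for the incident record.
Get-ADUser -Identity $User -Properties LastLogonDate, PasswordLastSet, MemberOf |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet, MemberOf |
    Format-List |
    Out-File -FilePath ".\$User-precontainment.txt"

# 2. Disable the account so the stolen password can no longer authenticate (option D).
Disable-ADAccount -Identity $User

# 3. Rotate the password: disabling blocks new logons, but the exposed secret must
#    not work again when the account is later re-enabled.
$Chars = (48..57) + (65..90) + (97..122)
$Plain = -join ($Chars | Get-Random -Count 24 | ForEach-Object { [char]$_ })
$NewPassword = ConvertTo-SecureString -String $Plain -AsPlainText -Force
Set-ADAccountPassword -Identity $User -Reset -NewPassword $NewPassword
Set-ADUser -Identity $User -ChangePasswordAtLogon $true

# 4. Kerberos tickets and cloud refresh tokens issued before the reset stay valid until
#    they expire, so revoke cloud sign-in sessions explicitly rather than relying on the disable.
Connect-MgGraph -Scopes "User.ReadWrite.All"
Revoke-MgUserSignInSession -UserId $Upn

Write-Host "Contained $User: account disabled, password reset, cloud sessions revoked."
```

Run it as an account with rights to modify the user object and a Graph session consented for User.ReadWrite.All. Step 4 is the part most often missed: after a plain disable, an attacker holding a valid token can keep working until it expires, which is why session revocation belongs in the same containment action as the lock.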