Exam CS0-003 topic 1 question 96 discussion

How interesting that after stressing the importance of gathering intelligence before making a decision on what is occuring, CompTIA then asks us to make an assumption about what is happening based on vague and limited information and with no intelligence gathering first. Which of the following is likely true? Well... do we know what the URL is for resetting a password? No. Do we know which user, or what the user did before making the request to this website? Also no. Next time you forget your password and a link is sent to your email to reset it look at the URL that you go to. It wont be the same as the login pages URL. It could be either A or D but, again, CompTIA refuses to give us enough information.

The URL "https://office365password.acme.co" does not match the standard VPN logon page "www.acme.com/logon,"

No one in the comment section describes one thing: a mismatched domain name. One is *.acme.co and *.acme.com. So, they are identical but not from the same host. "m" is missing on the suspicious one.

D. A social engineering attack is underway. The scenario you describe, where outbound traffic is going to a host IP that resolves to a domain similar to "office365password.acme.co," while the standard VPN logon page is "www.acme.com/logon," suggests a potential social engineering attack. Attackers often create deceptive domains that mimic legitimate ones to trick users into revealing sensitive information such as usernames and passwords. In this case, the similarity in domain names raises suspicion that it could be an attempt to phish login credentials from employees. Security analysts should investigate and take appropriate measures to mitigate the threat.