A security engineer is reviewing log files after discovering usernames and passwords for the organization’s accounts. Which type of attack is MOST likely indicated by an IP address change lasting eight hours?

Prepare for the CompTIA Security+ SY0-601 exam. Explore comprehensive flashcards and diverse multiple-choice questions with hints and explanations. Get exam-ready now!

The scenario describes a situation where a security engineer finds usernames and passwords, coupled with an observation of an IP address change lasting eight hours. This suggests a form of compromise that is related to the Domain Name System (DNS).

DNS poisoning involves corrupting the DNS cache, which misleads users into connecting to a malicious IP address instead of the legitimate one. If the IP address has changed for an extended period, such as eight hours, it indicates that a potentially malicious entity has taken control of the DNS resolution process. This could allow the attacker to intercept communications or redirect users to fraudulent sites where they might unknowingly provide sensitive information, such as usernames and passwords.

In contrast, other options presented involve different attack vectors. A man-in-the-middle attack generally refers to intercepting communications between two parties without necessarily changing DNS entries. Spear-phishing is a targeted email attack aiming to trick specific individuals into divulging information or installing malware, without directly altering IP addresses over an extended timeframe. An evil twin attack typically involves creating a rogue Wi-Fi access point to intercept data but does not inherently involve prolonged changes to an IP address in the same way as DNS poisoning does. Thus, in the context of this question, the scenario indicates that DNS poisoning is the most
