What should be done in response to a malicious email attachment if the focus is on quick recovery rather than pursuing criminal action?

Prepare for the EC-Council CHFI Exam with comprehensive quizzes and detailed explanations. Get exam-ready with multiple choice questions and essential insights. Boost your confidence and ace the test!

Immediately disconnecting the affected device from the network is crucial in preventing the spread of the malware that may be contained within the malicious email attachment. This action helps to contain the potential damage by isolating the compromised device from other systems and securing the network from further infiltration or data exfiltration.

By disconnecting the device, you reduce the risk of the malware communicating with external servers, which could facilitate data theft or other malicious activities. This step is particularly important when the priority is on quick recovery, as it allows for immediate action to mitigate further impact before conducting a more thorough investigation or remediation process.

Other actions, such as notifying external authorities, running a full scan of the entire network, or changing all employee passwords, while important in their respective contexts, may not address the immediate need to stop the threat from spreading. These steps often come after the initial containment action is successfully implemented, ensuring that the focus on quick recovery is maintained before transitioning to more comprehensive security measures.
