Which practice should an incident responder avoid during the containment of email security incidents?

Prepare for the Certified Incident Handler (CIH) Exam. Enhance your knowledge with interactive quizzes and detailed insights into cyber incident handling. Boost your exam readiness with our expert-designed questions!

During the containment phase of an email security incident, allowing automatic email forwarding to remote domains is the practice to avoid. Forwarding can facilitate unauthorized access to sensitive information, because it may enable attackers to receive copies of all emails sent to and from the compromised account. That makes the incident worse: attackers keep control over the information exchange and can exploit it for malicious purposes.

On the other hand, isolating affected email accounts, changing employee email passwords, and notifying relevant stakeholders are all critical practices that enhance security. Isolating affected accounts helps to prevent further unauthorized access, changing passwords can cut off the attackers' access, and notifying stakeholders ensures that those who need to respond to or be aware of the incident can take appropriate action.
