New Phishing Tactic: Email Reply-Chain Attack

What is Reply-Chain Phishing and Why is it Dangerous?
18 September 2022 by

What's the one word that comes up in every cybersecurity article you read? PHISHING!

And that's because phishing is still the number one delivery vehicle for cyberattacks. 

Hackers have stunned again with a slick new twist on old-school phishing techniques. The latest threat, which has been making the rounds since the pandemic, is the email reply-chain attack.

What is an Email Reply-Chain Phishing Attack?

Just about everyone is familiar with reply chains in email. An email is copied to one or more people, one replies, and that reply sits at the bottom of the new message. Then another person chimes in on the conversation, replying to the same email. Soon, you have a chain of email replies on a particular topic.

In a reply-chain attack, a hacker gains access to the reply-chain conversation by hacking the email account of one of the people copied on the email chain. They will sit back and monitor the emails. From there they can figure out the chain of command in the organization, such as who reports to whom, who has access to money, who can authorize wire transfers, and so on. This is similar to thread-hijacking spam.

Because the conversation is between colleagues who trust each other, the hacker can efficiently and effectively hijack one of the ongoing conversation threads, insert malware, typically as an attachment or link, and send it to the thread. The attachment or link will lead to a malicious phishing site. The site might infect a visitor's system with malware or present a form to steal more login credentials.

But how does this work? How will the hacker get away with this?

  • They log in to an account (since a reply chain doesn't work without access to a compromised email) and find an incredibly convincing thread, preferably one with links or attachments, so that when they send a link or attachment with malware, no one is the wiser.

  • They go into your email rules and set up rules that redirect emails from specific people containing particular words, links or attachments to your trash.

  • They will also set up rules that send to the trash any email trying to notify the original account owner that they may have been hacked, so the original owner of the account remains ignorant of what is happening.
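
Mailbox rules like the ones in the list above can be audited for once exported. The Python sketch below is an added example, not code from the original article; the rule record layout, field names, folder names and keyword list are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Assumed values for this example; tune folder names and keywords to your mail system.
HIDE_FOLDERS = {"trash", "deleted items"}
ALERT_WORDS = ("hacked", "compromised", "phishing", "suspicious")

def hides_mail(rule):
    """True if the rule deletes mail or moves it to a trash-like folder."""
    return rule["action"] == "delete" or (
        rule["action"] == "move" and rule.get("folder", "").lower() in HIDE_FOLDERS)

def review_rule(rule, colleagues, new_ip_logins, window=timedelta(hours=24)):
    """Return the reasons a rule deserves review (empty list = nothing found)."""
    if not hides_mail(rule):
        return []
    cond, reasons = rule["conditions"], []
    if any(a in w.lower() for w in cond.get("contains", []) for a in ALERT_WORDS):
        reasons.append("hides compromise warnings")
    if colleagues & {s.lower() for s in cond.get("from", [])}:
        reasons.append("hides mail from colleagues")
    if reasons and (cond.get("has_link") or cond.get("has_attachment")):
        reasons.append("targets links or attachments")
    created = datetime.fromisoformat(rule["created"])
    if reasons and any(timedelta(0) <= created - t <= window for t in new_ip_logins):
        reasons.append("created soon after an unfamiliar-IP login")
    return reasons

def review_mailbox(rules, colleagues, new_ip_logins):
    """Map rule name -> reasons, for rules with at least one finding."""
    found = {r["name"]: review_rule(r, colleagues, new_ip_logins) for r in rules}
    return {name: why for name, why in found.items() if why}

# Constructed sample data (not from a real mailbox).
COLLEAGUES = {"cfo@corp.example", "ap@corp.example"}
NEW_IP_LOGINS = [datetime(2022, 9, 12, 3, 14)]
RULES = [
    {"name": "newsletters", "created": "2022-03-01T09:00:00", "action": "move",
     "folder": "Trash", "conditions": {"from": ["deals@shop.example"]}},
    {"name": "cleanup", "created": "2022-09-12T03:20:00", "action": "move",
     "folder": "Deleted Items",
     "conditions": {"from": ["cfo@corp.example"], "has_link": True}},
    {"name": "misc", "created": "2022-09-12T03:22:00", "action": "delete",
     "conditions": {"contains": ["Hacked", "did you send this", "phishing"]}},
]

if __name__ == "__main__":
    for name, why in review_mailbox(RULES, COLLEAGUES, NEW_IP_LOGINS).items():
        print(f"rule {name!r}: {'; '.join(why)}")
```

The benign newsletter rule is not flagged even though it moves mail to the trash, because it neither targets colleagues nor suppresses warning keywords.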

Why Do I Need To Worry About an Email Reply-Chain Attack? 

Even the most cautious and well-trained personnel fall for email reply-chain attacks, since they are usually well-crafted and free of the grammatical errors common to regular phishing attacks. The fact that the reply is from a legitimate sender lends credibility to these attacks. This makes even the most cybersecurity-aware personnel vulnerable to this technique.

In 2021, 77% of organizations saw business email compromise (BEC) attacks. This is up from 65% the year before.

Credential theft has become the main cause of data breaches globally. So, there is a pretty good chance of a compromise of one of your company's email accounts at some point. 

The email reply-chain phishing attack is one of the ways hackers turn business email compromises into money. They use it either to plant ransomware or other malware, or to steal sensitive data to sell on the Dark Web.

Tips for Addressing Email Reply-Chain Phishing

Here are some ways that you can lessen the risk of email reply-chain phishing in your organization.


This reduces the risk that employees will reuse passwords across many apps. It also keeps them from using weak passwords since they won't need to remember them anymore. 


Present a system challenge (question or required code). Using this for email logins from a strange IP address can stop account compromise.


Awareness is a big part of catching anything that may be slightly "off" in an email reply. Many attackers do make mistakes.


This helps to reduce the risk of a hacker gaining entry via a known vulnerability that hasn't yet had an available patch applied to it. 

Protect Your Email Accounts From Being Breached 

If you see a suspicious-looking email, verify its authenticity by contacting the sender, preferably through a phone call. The sender should be able to confirm their activity. If they say they didn't send the email, they should immediately change their password and contact your company's IT team.


Do you have enough protection in place on your business email accounts to prevent a breach? 

We have email security solutions that can keep you better protected.
