

What Are Reply-Chain Phishing Attacks?

By Chris Boudreau | June 20, 2022

Nowadays, even non-experts are being trained to identify phishing attacks, and this has pushed hackers to get more creative. Just as things were starting to quiet down, hackers devised a new twist on the old phishing strategies: the reply-chain phishing attack!

Unlike typical phishing attacks, which deceive users with a forged address, the reply-chain attack hijacks an email conversation and inserts malicious links into the already existing thread.

In 2021, a leading furniture retailer, IKEA, fell victim to the activities of fraudulent individuals. The hackers compromised multiple parts of the organization due to employees being fooled by this type of attack email. Incredible? As surprising as it may seem, cybercriminals do not need to gain direct access to your inbox before compromising your information. The reply-chain phishing attack can take even the most prepared organization unawares. 

Here, we will look into reply-chain phishing attacks, how they work, and the best ways you can protect your organization.

What Are Reply-chain Phishing Attacks?

Reply-chain phishing attacks, also known as hijacked reply email chains or thread hijack spamming, are email phishing attacks in which cybercriminals attempt to take over the email and domain of an organization. When an uninformed person clicks on a link in the hacker’s reply, it can lead to malware being released throughout the network.

How do Reply-Chain Attacks Work?

The first step cybercriminals take in carrying out a reply-chain attack is to hijack your email account. These criminals achieve their aim by relying on techniques such as credential stuffing or a compromise made through a phishing site.  

As soon as these criminals get hold of an email account, they monitor its email conversations. This gives them ample time to send malware to any person participating in the email reply chain.

This technique is prevalent because the participants in the email conversations have developed trust in each other. Surprisingly, the cybercriminal does not get involved in the discussion or even attempt to imitate another participant’s email address. Instead, the hacker uses one of the participants’ email addresses to send out their malicious links.

Since the hacker is inside the email conversation, it is easy to send malicious links that fit its context. The hacker uses an alternate inbox to receive messages, which keeps the owner of the compromised account unaware of the activity.

Why are reply-chain phishing attacks so dangerous?

Reply-chain phishing attacks are not the same as spear-phishing attacks. With the latter, it is often easier to spot an unusual email coming in. Many companies provide awareness training on these one-off phishing emails to make it possible for employees to reduce the risk. 

Unfortunately, this is not the same for reply-chain phishing attacks, where language errors are mostly minimized because the person is replying to an ongoing conversation. In addition, the fact that the links are sent using the emails of legitimate senders makes even the most trained staff vulnerable to this attack.
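Because the sender is genuine, a mail-side check has to look at what the reply adds to the thread rather than at who sent it. The following is an added example, not code from the original article: a heuristic that flags a reply whose new (unquoted) text links to a host never seen in the thread or among its participants' domains, or that carries a macro-enabled Office attachment. The sample message, addresses and hosts are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlparse

URL_RE = re.compile(r'https?://[^\s<>"\[\]()]+', re.IGNORECASE)
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".xlsb", ".pptm")

def hosts(text):
    """Lower-cased hostnames of every http(s) URL found in text."""
    found = (urlparse(u).hostname for u in URL_RE.findall(text))
    return {h.lower() for h in found if h}

def is_known(host, known):
    # A host is known if it equals, or is a subdomain of, a known domain.
    return any(host == k or host.endswith("." + k) for k in known)

def review_reply(raw, seen_hosts=()):
    """Findings for one raw reply; seen_hosts are link hosts from earlier thread mail."""
    msg = message_from_string(raw)
    if not msg.get("In-Reply-To"):
        return []  # not a reply inside an existing thread
    headers = sum((msg.get_all(h, []) for h in ("From", "To", "Cc")), [])
    known = set(seen_hosts) | {a.rsplit("@", 1)[1].lower()
                               for _, a in getaddresses(headers) if "@" in a}
    findings, new_lines = [], []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTS):
            findings.append(f"macro-enabled attachment: {name}")
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", errors="replace")
            for line in body.splitlines():
                if line.lstrip().startswith(">"):
                    known |= hosts(line)      # quoted history of the thread
                else:
                    new_lines.append(line)    # text this reply adds
    fresh = hosts("\n".join(new_lines))
    findings += [f"new link host in reply: {h}"
                 for h in sorted(fresh) if not is_known(h, known)]
    return findings

# Constructed sample reply (all names and hosts are made up).
SAMPLE = """\
From: Dana <dana@supplier.example>
To: Lee <lee@customer.example>
Subject: Re: Q3 invoice
In-Reply-To: <2@customer.example>
Content-Type: text/plain; charset=utf-8

Updated invoice is here: https://files.cdn-share.example/inv.zip

> Thanks Dana, the portal at https://portal.supplier.example/q3 worked.
"""
```

A finding is a reason to hold the message for review, not proof of compromise: legitimate replies introduce new links too.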

How Can You Protect Your Business from Reply-Chain Phishing Attacks?

Given that the attack comes from a legitimate source, it is always tricky to spot a reply-chain email, especially if it involves a long thread of participants. Fortunately, there are several ways that you can protect your business from these unpleasant activities. They include:

  • Ensure that all your accounts use efficient security practices: Reply-chain attacks rely on compromising accounts, so enforce the use of multi-factor authentication or strong passwords to protect all your accounts.
  • Train your employees to review mail forwarding settings: Teach your employees to inspect their email settings and ensure that no email or message is being forwarded from their email accounts. If they notice any suspicious activity, employees must report it to IT.
  • Disable office macros as soon as possible: Office macros are a common attack vector. They encourage users to personalize email replies, which makes it possible for hackers to include malicious attachments.
  • Empower your employees: It is essential to provide awareness training for your staff and educate them on how reply-chain attacks work. It will help email users understand the various phishing techniques hackers use.
  • Protect your endpoints: Protect your endpoints with a reliable Endpoint Detection and Response (EDR) security solution. If the hacker succeeds in hacking the email, the EDR can prevent the code from being executed and affecting the business organization.
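The forwarding-settings review above can also be run centrally by IT instead of relying on each employee. The following is an added example, not code from the original article: it audits an export of mailbox rules and reports rules that send mail outside the organization or hide it from the owner. The record fields (`mailbox`, `name`, `forward_to`, `redirect_to`, `move_to_folder`, `delete`) are a hypothetical export format, and the rules and addresses are constructed.

```python
# Folders an account owner rarely opens; a rule that files mail there hides it.
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "conversation history"}

def is_external(address, org_domains):
    """True when the address is not in one of the organization's domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in org_domains)

def audit_rules(rules, org_domains):
    """Return (mailbox, rule name, reason) for every rule worth a manual look."""
    findings = []
    for rule in rules:
        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        outside = sorted(t for t in targets if is_external(t, org_domains))
        if outside:
            findings.append((rule["mailbox"], rule["name"],
                             "forwards outside the organization: " + ", ".join(outside)))
        folder = (rule.get("move_to_folder") or "").lower()
        if rule.get("delete") or folder in HIDING_FOLDERS:
            findings.append((rule["mailbox"], rule["name"],
                             "deletes or hides matching mail from the mailbox owner"))
    return findings

# Constructed sample export (hypothetical format, made-up addresses).
RULES = [
    {"mailbox": "lee@customer.example", "name": "Newsletters",
     "move_to_folder": "Reading"},
    {"mailbox": "dana@customer.example", "name": ".",
     "forward_to": ["dana.backup@mailbox.example"], "delete": True},
    {"mailbox": "sam@customer.example", "name": "Team copy",
     "redirect_to": ["ops@eu.customer.example"]},
]

if __name__ == "__main__":
    for mailbox, name, reason in audit_rules(RULES, {"customer.example"}):
        print(f"{mailbox}  rule {name!r}: {reason}")
```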

Cybercriminals are increasingly making use of reply-chain phishing attacks. We can help you control all aspects of your cyber environment and prevent reply-chain phishing attacks on your business. Contact us; we have you covered.
