Reply-Chain Phishing: The Attack Hidden Inside a Conversation You Trust
It is mid-morning and one of your staff opens an email. It is part of a thread they have been following for a few days - colleagues discussing a client matter or a proposal going back and forth. Someone in the chain has sent a reply with a link to a shared document. The name is familiar. The context makes sense. They click it.
That is how a reply-chain phishing attack works. It does not arrive as a suspicious cold email from an unknown sender. It lands inside an active conversation your team is already participating in, sent from an address they recognise and trust. Most people have been trained to look out for odd emails from strangers. Far fewer are watching for something that looks like a normal reply from a colleague.
The way attackers get into that conversation is straightforward. They compromise one person's email account - often through a reused or weak password, or through credentials stolen in an earlier breach elsewhere. Once inside, they can read the entire thread, understand the context, and craft a reply that fits naturally. They know the names of the people involved. They know what is being discussed. Their message does not need to be clever. It just needs to be plausible, and that is usually enough.
Business email compromise - where an attacker gains access to a legitimate email account and uses it to cause harm - is not a rare event. It is one of the more common ways that businesses end up dealing with ransomware, stolen client data, or fraudulent payment instructions. The reply-chain attack is a particularly effective version because it exploits the trust already built inside your team's communications. By the time anyone realises something was wrong, the damage is often done.
What does good protection look like? It starts with making it much harder for an attacker to get into an email account in the first place. That means multi-factor authentication on every email account - a second verification step that stops a stolen password from being enough on its own. It means a password manager so staff are not reusing the same credentials across different services. And it means regular, practical awareness training so people know to pause before clicking a link, even in a familiar thread.
It also means having someone actively monitoring your email environment. Attackers who get inside an account often sit quietly for days before acting, reading through past messages to make their intervention more convincing. Good email security monitoring can detect unusual account behaviour - logins from unexpected locations, forwarding rules that have appeared without explanation - before those accounts are used to attack anyone else.
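As an added illustration of the monitoring described above (not code from the original post or from ITstuffed), this Python script walks a constructed, simplified mailbox audit log and raises the two signals the paragraph names: a login from a country the account has never used before, and a new inbox rule that forwards mail outside the organisation or silently deletes it. The event schema, the user names and the domain example.co.nz are assumptions, not any vendor's real log format.

```python
from collections import defaultdict

# Constructed sample audit events (not real data, not any vendor's real log schema).
# Alice logs in from NZ twice, then from a new country, and minutes later a rule
# appears that forwards and deletes mail. Bob's rule is ordinary housekeeping.
INTERNAL_DOMAIN = "example.co.nz"
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:02:00Z", "user": "alice@example.co.nz", "action": "login", "country": "NZ"},
    {"ts": "2024-03-02T09:15:00Z", "user": "alice@example.co.nz", "action": "login", "country": "NZ"},
    {"ts": "2024-03-04T03:41:00Z", "user": "alice@example.co.nz", "action": "login", "country": "NG"},
    {"ts": "2024-03-04T03:50:00Z", "user": "alice@example.co.nz", "action": "new_inbox_rule",
     "rule": {"name": ".", "forward_to": "drop@mail-relay.example", "delete": True}},
    {"ts": "2024-03-04T10:00:00Z", "user": "bob@example.co.nz", "action": "new_inbox_rule",
     "rule": {"name": "Newsletters", "move_to": "Archive"}},
]

def is_external(address, internal_domain=INTERNAL_DOMAIN):
    """True when a forwarding target is outside the organisation's own mail domain."""
    return address.rsplit("@", 1)[-1].lower() != internal_domain

def detect(events, min_history=2):
    """Walk events in time order and return (ts, user, reason) alerts.

    A login country is 'unexpected' when the user already has at least
    `min_history` earlier logins and none of them came from that country.
    An inbox rule is suspicious when it forwards mail outside the organisation
    or deletes messages (which hides an intruder's replies from the owner).
    """
    history = defaultdict(lambda: defaultdict(int))  # user -> country -> login count
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        user = e["user"]
        if e["action"] == "login":
            seen = history[user]
            if sum(seen.values()) >= min_history and seen[e["country"]] == 0:
                alerts.append((e["ts"], user, f"login from unexpected country {e['country']}"))
            seen[e["country"]] += 1
        elif e["action"] == "new_inbox_rule":
            rule = e["rule"]
            target = rule.get("forward_to")
            if target and is_external(target):
                alerts.append((e["ts"], user, f"new rule forwards mail to external address {target}"))
            if rule.get("delete"):
                alerts.append((e["ts"], user, f"new rule '{rule['name']}' deletes messages"))
    return alerts
```

Run against the sample, `detect(SAMPLE_EVENTS)` returns three alerts, all for Alice's account, and nothing for Bob's archive rule.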
The practical step is to treat email account security as something your business actively maintains, not something you set up once and leave. Passwords should be unique and managed properly. Multi-factor authentication should be on by default. Staff should know what to do if they suspect an account has been accessed - and who to call. If a breach does occur, CERT NZ at cert.govt.nz is the right first call for guidance on containment and reporting.
If you are not sure how well your email accounts are protected right now, ITstuffed offers a 15-minute IT Fit Check at /booking - a quick conversation to identify where the gaps are before an attacker finds them.