What's a Reply-Chain Phishing Attack?

Companies had to deal with more than just COVID complications last year as they faced brutal cyber-attacks. In fact, a new type of phishing attack came to light after the furniture giant IKEA noticed several malicious reply-chain emails circulating within the company. While IKEA was able to protect itself against the attack, many companies are still unaware of the lurking danger. 

What Is Reply-Chain Phishing?

Reply-chain phishing is a method hackers use to put themselves into legitimate conversations by taking advantage of compromised accounts. 

Unlike spear-phishing, where attackers send fake emails that imitate authentic ones, reply-chain phishing involves gaining control of a legitimate email account and using it to carry out the attack.

They obtain access to these legitimate accounts through various methods. Once they control an employee's email account, they scan through its email threads looking for the ones with the highest chance of landing a victim. After identifying a suitable thread, they reply to it with an email containing a malicious link. 

Once a recipient clicks on the URL, they unintentionally download malware that then spreads through the network. Another tactic is to insert malicious links in out-of-office replies. Both tactics are ways to spread malware. 

The actual owner of the email account doesn't see the reply in the email chain, which means that a reply-chain attack can go unnoticed for some time. 

Reply-chain phishing attacks are hard for employees to notice, react to and report, because the emails look like they come from a colleague, and in fact they do come from a colleague's account.

How Do Reply-Chain Attacks Work? 

It starts with hackers taking over an email account through techniques like password spraying, credential stuffing or credential dumping. They may also use an account that was already compromised. After gaining access to one or more accounts, they monitor email threads for a chance to send malware or compromised links to the participants in the email chain.

Reply-chain phishing is very effective since the email parties already trust each other. The hackers do not insert themselves as new participants in the ongoing conversation and they are not trying to spoof another employee’s email account. Instead, they operate from behind a genuine account.

Since the attacker has access to the full thread, they can customize their nefarious message to fit the topic of an ongoing conversation. This, on top of the fact that the recipient likely trusts the sender, massively increases the chance of the victim opening the malicious attachment or clicking a dangerous link.

To put it simply, let's say Taylor's account was compromised and the attacker sees that Taylor and Bethanie (and a few other team members) have been discussing a new project campaign. The attacker can take advantage of this conversation to send Bethanie a malicious link to a document or article that appears related to the conversation.
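Because the reply really does come from a colleague's account, sender-based checks cannot catch it; what changes is the content. The script below is an added illustration for this article (not the author's code or any vendor's detection rule) of one content-based heuristic: walk a thread in order and flag any reply that introduces a link domain no earlier message in the thread has used. The thread, the addresses and the domains are constructed sample data, and the heuristic itself is a hypothetical one that will need tuning for real mail.

```python
"""Flag replies in an email thread that introduce a link domain nobody in the
thread has linked to before.  Added illustration, not the article author's
code; THREAD is constructed sample data and the heuristic is hypothetical."""
from __future__ import annotations

import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed thread mirroring the Taylor/Bethanie scenario: the final message
# comes from Taylor's (compromised) account and links to a domain that never
# appeared earlier in the conversation.
THREAD = [
    {"from": "taylor@example.com", "subject": "Q2 campaign draft",
     "body": "Draft is on the intranet: https://intranet.example.com/campaign/q2"},
    {"from": "bethanie@example.com", "subject": "RE: Q2 campaign draft",
     "body": "Thanks! I added comments at https://intranet.example.com/campaign/q2#c3"},
    {"from": "sam@example.com", "subject": "RE: Q2 campaign draft",
     "body": "Looks good, ship it."},
    {"from": "taylor@example.com", "subject": "RE: Q2 campaign draft",
     "body": "Updated the campaign doc, please review: "
             "https://docs-share-review.example.net/view/9a1"},
]


def link_domains(body: str) -> set[str]:
    """Return the hostnames of every URL found in a message body."""
    return {urlparse(u).hostname for u in URL_RE.findall(body)}


def flag_new_link_domains(thread: list[dict]) -> list[dict]:
    """Walk the thread in order and flag each reply whose links include a
    domain that no earlier message in the same thread has linked to.

    The opening message sets the baseline and is never flagged; every later
    message is compared against the domains seen so far, then added to them.
    """
    seen: set[str] = set()
    findings = []
    for idx, msg in enumerate(thread):
        domains = link_domains(msg["body"])
        new = domains - seen
        if idx > 0 and new:
            findings.append({"index": idx, "from": msg["from"],
                             "subject": msg["subject"], "new_domains": sorted(new)})
        seen |= domains
    return findings


if __name__ == "__main__":
    for hit in flag_new_link_domains(THREAD):
        print(f"message {hit['index']} from {hit['from']} introduces "
              f"{', '.join(hit['new_domains'])}")
```

Expect false positives from legitimate new links, so in practice this works better as one signal feeding a review queue than as a hard block. The point it demonstrates is the one the article makes: with a genuine account behind the message, the sender address is not the anomaly, the content is.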

How To Protect Your Business Against Reply-Chain Hacking

There are several ways to protect your company against email chain attacks. They include:

  • Make sure that all employees follow best security practices with their email accounts. This includes using multi-factor authentication and setting a secure password.
  • Inspect inbox and email settings regularly. Check for rules that divert replies to a different folder or inbox, particularly any that the user did not set up. If you notice any, immediately contact your IT team.
  • If possible, disable all Microsoft Office macros. Office macros let users personalize manual and automatic email replies, but unfortunately they are also a common vehicle for email attacks. 
  • Schedule comprehensive training sessions to increase employee awareness and knowledge about cybercrime as well as their responsibility to protect the company.
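The inbox-rule check above is easy to do by hand for one mailbox and tedious for hundreds, so here is an added example (not the author's code, and not tied to any real mail platform's export format) of auditing a rule export in bulk. The rule schema and the four sample rules are constructed; the organisation domain is an assumption. It flags the patterns the article describes: rules that bury or delete replies so the mailbox owner never sees them, rules that forward mail outside the organisation, and rules with effectively blank names, which is a pattern often seen in rules the mailbox owner did not create.

```python
"""Audit an export of mailbox inbox rules for patterns that hide replies or
leak mail.  Added illustration, not the article author's code; the export
schema and RULES below are constructed, and ORG_DOMAIN is an assumption."""
from __future__ import annotations

ORG_DOMAIN = "example.com"  # assumed organisation mail domain
# Folders a user rarely opens; a rule that routes replies here hides them.
HIDDEN_FOLDERS = {"rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history"}

# Constructed sample export: one benign rule followed by three suspicious ones.
RULES = [
    {"name": "Newsletters", "enabled": True,
     "conditions": {"from_contains": ["news@vendor.example.org"]},
     "actions": {"move_to_folder": "Newsletters"}},
    {"name": ".", "enabled": True,
     "conditions": {"subject_contains": ["RE:", "FW:"]},
     "actions": {"move_to_folder": "RSS Subscriptions", "mark_as_read": True}},
    {"name": "Backup", "enabled": True,
     "conditions": {},
     "actions": {"forward_to": ["collector@mail-backup.example.net"]}},
    {"name": "Cleanup", "enabled": True,
     "conditions": {"subject_contains": ["invoice", "payment"]},
     "actions": {"delete": True}},
]


def audit_rule(rule: dict) -> list[str]:
    """Return the reasons a single rule looks suspicious (empty list if none)."""
    reasons: list[str] = []
    if not rule.get("enabled", False):
        return reasons  # disabled rules do nothing; review them separately
    conds = rule.get("conditions", {})
    acts = rule.get("actions", {})

    # Forwarding or redirecting to any address outside the organisation
    for addr in acts.get("forward_to", []) + acts.get("redirect_to", []):
        if not addr.lower().endswith("@" + ORG_DOMAIN):
            reasons.append(f"forwards externally to {addr}")

    # Replies (subject RE:/FW:) or all mail being routed where the owner
    # will not look, marked read, or deleted outright
    subjects = [s.lower().rstrip(":") for s in conds.get("subject_contains", [])]
    targets_replies = any(s in ("re", "fw", "fwd") for s in subjects)
    broad = targets_replies or not conds
    folder = acts.get("move_to_folder", "")
    if broad and folder.lower() in HIDDEN_FOLDERS:
        reasons.append(f"moves replies/all mail to '{folder}'")
    if broad and acts.get("mark_as_read"):
        reasons.append("marks replies/all mail as read so the owner never sees them")
    if acts.get("delete"):
        reasons.append("deletes matching mail outright")

    # One- or two-character names are a pattern often seen in rules planted
    # by someone other than the mailbox owner
    if len(rule.get("name", "").strip()) <= 2:
        reasons.append("rule name is effectively blank")
    return reasons


def audit_rules(rules: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious rule's name to its reasons; clean rules are omitted."""
    report: dict[str, list[str]] = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            report[rule["name"]] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in audit_rules(RULES).items():
        print(f"rule {name!r}: " + "; ".join(reasons))
```

Run this against a fresh export on a schedule and diff the report against the previous run: a rule that appears between two runs without a matching help-desk ticket is exactly the "rule the user didn't set" the article tells you to look for.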

If an employee notices a reply-chain attack in progress, they should take the following steps: 

  • Immediately delete the email from every folder (including inbox, spam and trash).
  • Reach out to other members of the email chain through a new email thread or another communication means to inform them of the attack and ask them to delete the thread from their email. 
  • Don’t open any other message from the compromised account until the attack has been dealt with.
  • Inform your security or managed IT team so they can investigate and make sure the hackers didn’t compromise your systems and data.

Conclusion

With a month and a half left in Q2 2022, it's important to start beefing up your cybersecurity. This includes informing your employees about the latest methods of attack, carrying out cybersecurity awareness training, arming your IT team and creating an effective strategy to protect your data from such attacks. If it could work on a large corporation like IKEA, imagine how effective it could be against a small business. 

If you need additional support, Sound Computers has your business covered. Reach us on our contact form or call us at (860) 577-8060.
June 14, 2022
Sound Computers Admin