explains hijacking an email reply-chain begins with an email account takeover. Hackers take over control of one or more email accounts through password spraying, or an exposed vulnerability, and monitor email threads for an opening to push the malware or malicious link in an ongoing correspondence. The mail exchanges being between known sources and participants, the malicious correspondence is rarely doubted and the malware goes undetected.

“The technique is particularly effective because a bond of trust has already been established between the recipients. The threat actor neither inserts themselves as a new correspondent nor attempts to spoof someone else’s email address. Rather, the attacker sends their malicious email from the genuine account of one of the participants,” blogs SentinelOne.