Reply-Chain Phishing: When Hackers Insert Themselves Into Your Conversations

Imagine receiving an email that's part of an ongoing conversation you never started. The context is perfect, the tone familiar, and the request seems reasonable. Welcome to reply-chain phishing—the most convincing attack vector of 2026.

Traditional phishing relies on starting new conversations. But sophisticated attackers have found something far more effective: inserting themselves into conversations that already exist. This technique, known as reply-chain phishing or thread hijacking, has seen a 312% increase in the past year alone.

What Is Reply-Chain Phishing?

Reply-chain phishing occurs when attackers gain access to a legitimate email account and use existing conversation threads to launch attacks. Instead of starting a new email with "Hello, I'm from IT support," they reply to an ongoing thread about the quarterly budget, the office renovation, or last week's client meeting.

Why it's dangerous: Your brain is already primed to trust this conversation. You've been participating in it. The context, timing, and participants all appear legitimate because they are—the attacker has simply inserted themselves into a real dialogue.

How Attackers Hijack Email Threads

The attack typically follows a three-stage process:

Stage 1: Initial Compromise

Attackers first gain access to an email account through credential stuffing, malware, or a successful phishing attack on a less security-conscious employee. This compromised account becomes their launchpad.

Stage 2: Reconnaissance

The attacker spends days or weeks reading through emails, understanding ongoing projects, identifying key relationships, and learning the communication style of the account owner. They look for:

  • Active vendor relationships — Invoices pending, contracts being negotiated
  • Internal processes — How wire transfers are approved, who signs off on purchases
  • Communication patterns — Tone, common phrases, typical response times
  • High-value targets — CFOs, accounting teams, executives with approval authority

Stage 3: The Insertion

The attacker finds an opportune thread—perhaps an ongoing conversation about an upcoming payment—and inserts a reply that seamlessly continues the dialogue. They might "clarify" banking details, request an "urgent" wire transfer to a new account, or share a "contract" that contains malware.

Real-world example: A company's CFO receives what appears to be a reply from their legal counsel regarding an acquisition. The thread contains weeks of legitimate discussion. The "lawyer" now asks for a $50,000 retainer to be wired to a new account due to "audit requirements." Everything looks perfect—the history, the signatures, the context. Only the bank account is wrong.

The Psychology of Why It Works

Reply-chain phishing bypasses many of our natural defenses because it exploits fundamental cognitive biases:

Contextual Trust

When you see an email thread you've been participating in, your brain immediately categorizes it as "safe" based on the conversation history. The attacker doesn't need to establish credibility—they've inherited it from the legitimate participants.

Pattern Completion

Humans are wired to complete patterns. When you see an email that logically continues a conversation, your brain fills in the gaps and assumes legitimacy rather than scrutinizing the new message.

Authority by Association

If an attacker replies from a CEO's compromised account, they don't just impersonate the CEO—they become the CEO in the context of that conversation thread. All previous exchanges now vouch for their identity.

Red Flags: How to Spot Thread Hijacking

Despite its sophistication, reply-chain phishing leaves telltale signs:

1. Sudden Topic Changes

Be wary when a conversation about the office party suddenly shifts to wire transfer instructions. Legitimate participants usually stay on topic or create new threads for unrelated matters.

2. Urgency Injections

Pay attention when "ASAP" or "urgent" suddenly appears in a conversation that was previously moving at a normal pace. Attackers use manufactured urgency to bypass critical thinking.

3. Email Address Discrepancies

The display name might match, but check the actual email address carefully. A reply from sarah.chen@company.com might actually come from sarah.chen@company-secure.com or sarah.chen@company-mail.com.

4. Timing Anomalies

Note unusual response times. If a colleague who typically responds during business hours suddenly sends urgent financial requests at 3 AM, verify through another channel.

5. Slight Tone Shifts

Attackers can mimic writing styles, but subtle differences emerge. Look for changes in formality, unusual punctuation habits, or phrases the real sender wouldn't typically use.

Advanced Detection Techniques

For organizations looking to defend against reply-chain attacks:

  • Email Authentication (SPF, DKIM, DMARC) — While thread hijackers often use legitimate compromised accounts, these protocols can catch lookalike domains
  • Behavioral Analytics — Flag emails that contain financial terms but originate from accounts that don't typically handle payments
  • Reply-Path Analysis — Monitor for replies that include new participants not in the original thread
  • Attachment Sandboxing — Always scan attachments from thread replies, even from known senders
  • Out-of-Band Verification — For wire transfers or sensitive data, require voice confirmation through known phone numbers
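
As an added example that is not code from the original article, the Python below turns the red flags listed earlier (name on an unfamiliar or lookalike address, urgency injected into a payment conversation, off-hours timing) together with the reply-path and authentication checks in this list into a small scorer that compares a new reply with the thread it claims to continue. The thread, the two replies, the trusted domains, the keyword lists and the business-hours window are all constructed for illustration. It also shows the limit the first bullet points out: when the attacker writes from the genuinely compromised mailbox, the address, lookalike and authentication checks stay quiet and only the participant, urgency and timing heuristics have anything to catch.

```python
"""Thread-hijacking indicators over constructed sample messages. Added example,
not code from the original article: score_reply() compares a new reply with the
earlier messages of its thread using the article's red flags. The domains,
keyword lists and business hours below are assumptions chosen for illustration."""
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

TRUSTED_DOMAINS = {"company.com", "example-law.com"}        # assumed
URGENCY_TERMS = ("urgent", "asap", "immediately", "today")   # assumed
PAYMENT_TERMS = ("wire", "bank", "account", "routing", "iban", "retainer")
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 in the sender's own timezone

# Constructed thread: one legitimate message about a legal retainer.
SAMPLE_THREAD = [
    """\
From: Sarah Chen <sarah.chen@company.com>
To: Dan Ortiz <dan.ortiz@company.com>
Cc: Outside Counsel <counsel@example-law.com>
Date: Mon, 02 Mar 2026 10:15:00 -0500

Dan, counsel has sent over the retainer agreement for review.
""",
]
# Constructed hijacked reply: familiar name, lookalike domain, new Cc, sent at 3 AM.
HIJACKED_REPLY = """\
From: Sarah Chen <sarah.chen@company-secure.com>
To: Dan Ortiz <dan.ortiz@company.com>
Cc: wire.desk@company-secure.com
Date: Tue, 03 Mar 2026 03:12:00 -0500
Authentication-Results: mx.company.com; spf=none; dkim=none; dmarc=none

Dan, audit requirements mean the retainer has to be wired today to the
updated bank account. Please treat as urgent.
"""
# Constructed legitimate reply for comparison.
LEGITIMATE_REPLY = """\
From: Outside Counsel <counsel@example-law.com>
To: Sarah Chen <sarah.chen@company.com>
Cc: Dan Ortiz <dan.ortiz@company.com>
Date: Tue, 03 Mar 2026 11:40:00 -0500
Authentication-Results: mx.company.com; spf=pass; dkim=pass; dmarc=pass

Revised wording for clause 4 attached; the schedule is unchanged.
"""

def _addresses(msg, *headers):
    """Lower-cased addresses found in the named headers of one message."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def _lookalike(domain):
    """Trusted domain that `domain` imitates (company-secure.com -> company.com), or None."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and domain.split(".")[0].startswith(trusted.split(".")[0]):
            return trusted
    return None

def score_reply(thread_raw, reply_raw):
    """Return {indicator: detail} for every red flag the reply trips."""
    thread = [message_from_string(m) for m in thread_raw]
    reply = message_from_string(reply_raw)
    flags = {}
    # Everyone who legitimately took part so far, and the address each display name used.
    known, known_names = set(), {}
    for m in thread:
        known |= _addresses(m, "From", "To", "Cc")
        for name, addr in getaddresses(m.get_all("From", [])):
            known_names[name.lower()] = addr.lower()
    name, sender = getaddresses([reply.get("From", "")])[0]
    sender, domain = sender.lower(), sender.lower().rsplit("@", 1)[-1]
    # Red flag 3: a known display name on an address that participant never used before.
    if name.lower() in known_names and known_names[name.lower()] != sender:
        flags["display_name_mismatch"] = f"{name} earlier wrote from {known_names[name.lower()]}"
    if _lookalike(domain):
        flags["lookalike_domain"] = f"{domain} resembles {_lookalike(domain)}"
    # Reply-path analysis: recipients or a Reply-To never seen earlier in the thread.
    newcomers = _addresses(reply, "To", "Cc", "Reply-To") - known - {sender}
    if newcomers:
        flags["new_participants"] = sorted(newcomers)
    # Authentication stamped by the receiving server; stays quiet for a truly compromised account.
    auth = reply.get("Authentication-Results", "").lower()
    if not all(f"{p}=pass" in auth for p in ("spf", "dkim", "dmarc")):
        flags["auth_not_passing"] = auth or "header missing"
    # Red flag 2: manufactured urgency combined with payment language.
    body = (reply.get_payload(decode=True) or b"").decode(errors="replace").lower()
    if any(t in body for t in URGENCY_TERMS) and any(t in body for t in PAYMENT_TERMS):
        flags["urgent_payment_request"] = True
    # Red flag 4: sent outside the sender's usual working hours.
    if parsedate_to_datetime(reply["Date"]).hour not in BUSINESS_HOURS:
        flags["off_hours"] = reply["Date"]
    return flags
```

Run `score_reply(SAMPLE_THREAD, HIJACKED_REPLY)` and every indicator fires; the legitimate reply from counsel returns an empty dict. In a real deployment the thread history would come from the mailbox or the message-tracing logs rather than from inline strings, and the display-name and hours heuristics would be tuned per sender.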

What to Do If You Suspect Thread Hijacking

  1. Don't reply to the suspicious email — This confirms to the attacker that the address is active
  2. Start a new email thread — Use the known email address from your contacts, not the one in the suspicious thread
  3. Call the sender — Use a known phone number, not one from the suspicious email
  4. Report immediately — Alert your IT security team and the original account owner if their account may be compromised
  5. Check the email headers — Look for anomalies in the Received fields and authentication results

Critical: If you've already acted on a suspicious reply-chain email (clicked a link, entered credentials, or sent money), treat it as a security incident immediately. Change your passwords, enable 2FA, and contact your bank if financial information was involved.

Prevention: Protecting Your Organization

The best defense against reply-chain phishing is a layered approach:

Technical Controls

  • Implement strict DMARC policies to prevent domain spoofing
  • Use email security solutions that analyze conversation context
  • Enable MFA on all email accounts—compromised credentials are the entry point
  • Deploy endpoint detection to catch malware that steals email credentials
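
As an added example that is not from the original article, the Python checker below reads a DMARC TXT record and reports how much of the spoofing protection the first bullet asks for the record actually delivers. The sample records are constructed; the tag names v, p, sp, pct and rua are the standard DMARC tags.

```python
"""Rate how strictly a DMARC TXT record is enforced. Added example, not code
from the original article; the sample records passed in are constructed."""

def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Return (verdict, reasons): 'strict', 'partial', 'monitor-only' or 'invalid'."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "invalid", ["record must start with v=DMARC1 and carry a p= tag"]
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()      # sp defaults to the domain policy
    pct = int(tags.get("pct", "100"))                # pct defaults to 100
    reasons = []
    if policy == "none":
        reasons.append("p=none only asks for reports; receivers still deliver spoofed mail")
    elif policy == "quarantine":
        reasons.append("p=quarantine files spoofed mail as spam instead of rejecting it")
    if sub_policy != "reject":
        reasons.append(f"sp={sub_policy} leaves subdomains spoofable")
    if pct < 100:
        reasons.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        reasons.append("no rua= address, so nobody receives the aggregate reports")
    if policy == "none":
        verdict = "monitor-only"
    elif policy == "reject" and sub_policy == "reject" and pct == 100:
        verdict = "strict"
    else:
        verdict = "partial"
    return verdict, reasons

# Constructed records: a monitoring-only deployment beside a fully enforcing one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@company.com"
STRICT_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@company.com"
```

`assess_dmarc(WEAK_RECORD)` comes back "monitor-only" because p=none never blocks anything; `assess_dmarc(STRICT_RECORD)` is "strict" with no reasons. A record that moved to p=reject but kept pct=50 during rollout is reported as "partial" with the pct reason, which is the state many domains stay in indefinitely.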

Process Controls

  • Require voice verification for any changes to payment instructions
  • Implement a "cooling-off period" for wire transfers over a certain threshold
  • Mandate that new vendors be verified through official channels before first payment
  • Create explicit channels for financial requests separate from general email

Human Controls

  • Train employees specifically on thread hijacking techniques
  • Encourage a "trust but verify" culture for unusual requests
  • Run simulated reply-chain phishing exercises
  • Reward employees who catch and report suspicious thread activity

The Future of Conversation-Based Attacks

As AI tools become more sophisticated, we expect to see reply-chain phishing evolve in concerning ways:

  • AI-Generated Context — Attackers using AI to craft replies that perfectly match the tone and content of months-long conversations
  • Deepfake Voice Integration — Combining compromised email threads with AI-generated voice calls for "verification"
  • Cross-Platform Thread Hijacking — Moving hijacked conversations from email to Slack, Teams, or WhatsApp for added legitimacy

Stay Protected

Reply-chain phishing represents the evolution of social engineering—attacks that don't just impersonate people, but infiltrate their relationships and contexts. The key to defense isn't just technology, but cultivating a healthy skepticism even in seemingly familiar conversations.

Remember: In the world of email security, context is no longer king—verification is.

Forward any suspicious emails to us, and we'll analyze them for signs of thread hijacking, spoofing attempts, and other advanced threats. Our algorithms check sender authentication, conversation patterns, and known attack signatures.