Reply-Chain Attack
An attack in which criminals insert malicious content into an ongoing legitimate email thread to lend their message credibility.
Also known as: thread injection attack, conversation hijacking
Last reviewed: 10 June 2026
A reply-chain attack involves an attacker injecting a fraudulent message into the middle of a real email conversation. To achieve this, they may compromise one of the participants' email accounts, forward the thread from a lookalike domain, or use a compromised corporate inbox. The malicious message appears with the full context of prior legitimate exchanges above it.
Because the recipient sees the familiar conversation history, they are far less suspicious than they would be of a cold email. The attacker's message typically introduces a malicious attachment, requests a payment change, or asks the victim to click a link — framed as a natural continuation of the thread.
Organisations should train staff to verify out-of-band before acting on any financial instruction received by email, even when it appears within a recognised conversation.
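The lookalike-domain variant described above leaves a trace in the headers: a message that references an existing thread but comes from a domain that never took part in it. The sketch below is an added example, not part of the original entry; the function names, the distance threshold and the sample addresses are assumptions made for illustration. A message sent from a genuinely compromised participant account passes this check, which is why out-of-band verification is still needed.

```python
from email import message_from_string
from email.utils import getaddresses

def domains(msg, *headers):
    """Lower-cased domains of every address in the given headers."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return {addr.rpartition("@")[2].lower() for _, addr in getaddresses(values) if "@" in addr}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_thread(raw_messages, max_distance=2):
    """Walk a thread in order; flag replies whose From domain was never a participant."""
    seen_ids, participants, findings = set(), set(), []
    for raw in raw_messages:
        msg = message_from_string(raw)
        msg_id = msg.get("Message-ID", "").strip()
        refs = set(f'{msg.get("In-Reply-To", "")} {msg.get("References", "")}'.split())
        strangers = domains(msg, "From") - participants
        if refs & seen_ids and strangers:
            for dom in sorted(strangers):
                near = [p for p in participants if edit_distance(dom, p) <= max_distance]
                findings.append((msg_id, "lookalike" if near else "new-domain", dom))
        else:
            # Not flagged: remember everyone addressed in this message.
            participants |= domains(msg, "From", "To", "Cc")
        seen_ids.add(msg_id)
    return findings

def make_mail(frm, to, msg_id, parent_id=""):
    """Build a constructed sample message (hypothetical helper for the demo)."""
    ref = f"In-Reply-To: {parent_id}\nReferences: {parent_id}\n" if parent_id else ""
    return f"From: {frm}\nTo: {to}\nMessage-ID: {msg_id}\n{ref}Subject: Re: Invoice\n\nbody\n"

# Constructed thread: two genuine messages, then a reply from a lookalike domain.
SAMPLE_THREAD = [
    make_mail("ap@acme-supplies.example", "finance@buyer.example", "<1@acme-supplies.example>"),
    make_mail("finance@buyer.example", "ap@acme-supplies.example", "<2@buyer.example>", "<1@acme-supplies.example>"),
    make_mail("ap@acme-suppl1es.example", "finance@buyer.example", "<3@acme-suppl1es.example>", "<2@buyer.example>"),
]

if __name__ == "__main__":
    for finding in audit_thread(SAMPLE_THREAD):
        print(finding)
```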
Examples
- An attacker who has compromised a supplier's inbox responds within a real invoice thread with updated bank details for the upcoming payment.
- Malware is distributed inside a compromised email chain; the infected message appears to come from a known colleague mid-thread.