New Threat Alert: The Email Reply Chain Attack

When it comes to cyber attacks, 2021 could be summed up in one word: Brutal. 

Several major holidays will be remembered as much for the music, food and fun as they will for the multi-million dollar shake downs against corporations like Colonial Pipeline (Mother’s Day weekend) and international meat processor, JBS (Memorial Day weekend).

And just when we thought things were quieting down, hackers stunned again with a slick new twist on the old school phishing technique.

We’re talking about the Email Reply Chain attack.

In case you missed it, this attack took IKEA by storm over Black Friday weekend, and its smooth and stealthy execution was nothing short of jaw-dropping. This one could be a doozy in 2022, so we’re giving you everything you need to know to protect your small business in the year ahead and beyond.

Let’s get into it!

Even the least-trained eye is catching on to the standard phishing email, so hackers had to get crafty. Instead of spoofing email addresses and using the typical run-of-the-mill phishing strategies (the fakeness of which are increasingly obvious), they snuck in through IKEA’s mail server, took over legitimate email accounts, and started sending out malicious links. If you’re thinking, “This had to have worked like a charm…”, you’re right. It worked like a charm.

Here’s Why It Works

Quite simple in its technical complexity, this attack worked well because of these key factors:

  1. The email accounts were legitimate company accounts.
  2. The emails came directly from known employees.
  3. The links were sent out in group threads where there was already ongoing conversation, making it less likely to notice something fishy.
  4. The hackers wrote/communicated like the employees whose accounts were hacked, so the phishing messages seemed to come from those people.

When your work bestie Sally responds to your group thread with links to a couple of memes that are ‘so hilarious you just have to see them NOW!!‘, would you question it? Not likely.

This attack is so sophisticated, dangerous, and effective because it’s coming from someone you know, trust, and communicate with regularly.

How To Spot It

This is where things can get tricky. When IKEA looked deeper into the incident, they discovered that while the emails contained some of the common misspellings and grammatical errors that are standard for phishing emails, the links had one thing in common: They all ended in 7-digit numbers.

Click here and scroll down to see one of the actual emails, so you know what to look for.

How To Stay Safe

If something seems off, assume that it is. Reach out to the owner of the email account in question via text, Teams, Slack, etc. to verify whether or not they sent the email.

IMPORTANT!! Please don’t respond to the email in question! Remember, the account has been hacked; they’ll simply say it’s legit to get you to click the links.

If they didn’t send the message, you’ll need to act fast. Below are some immediate and long-term actions you can take to protect your small business from this attack.


  • Delete the email immediately (from your inbox AND trash folders)!!!
  • Notify other members of the group thread via alternative communication methods (see above) to let them know what’s going on and direct them to delete the email(s).
  • Don’t open any more messages from that account or respond to the group thread.
  • Notify your security team to investigate and make sure your systems and data haven’t been compromised. (Note: If you don’t have a security team in place, contact us – this is our specialty)

Long Term

  • Get familiar with the characteristics of a phishing attack, if you haven’t already.
  • Enable/enforce two-factor authentication so that if your passwords get compromised, your accounts are still protected.
  • Stay on top of your website updates and run them asap. Waiting creates vulnerabilities that make it easy for hackers to slip through the cracks and into your systems.
  • Watch out for abnormalities in your mail server. That’s the bullseye for the Email Reply Chain attack.

The Bottom Line

Looking ahead to 2022, it’s important to be informed about this attack and make room in your security program to train your team, arm your systems, and develop a strategy around protecting your data from this sneaky attack. It was super effective on a large corporation, so it has the potential to become the attack-of-choice against small businesses in the future.

As always, if you need additional support or don’t know where to start, contact us. We’ve got your back.

More Like This

DMARC: Secure Your Domain with Email Authentication

In a world where email communication is essential but also vulnerable to cyber threats like phishing and fraud, DMARC emerges as a crucial tool for safeguarding email domains. DMARC, or Domain-based Message Authentication, Reporting, and Conformance, acts as a virtual guardian, verifying the authenticity of emails claiming to originate from a domain. By implementing DMARC, domain owners can prevent unauthorized use of their domains and protect recipients from malicious emails.

Read More »

Subscribe to our newsletter for the latest Geek Girl Tech news & updates!

Finally, DIY security for all.

Learn how to keep your business safe by joining the waitlist for our DIY Security offer – coming soon.