
Hijacked Email Reply Chains Are Crippling Companies Like IKEA

How many times a day do you hit “reply” and answer an email? Plenty, right? It’s how we get projects completed and questions answered. It’s also how companies are falling prey to a clever phishing campaign that can ultimately lead to a ransomware attack. It’s known as an email reply chain cyberattack and home furnishings retailer IKEA is just one of its many victims.

What It Looks Like

The reason why email reply chain cyberattacks are so successful is that they go against what most of us have been taught about recognizing phishing threats. A main rule of thumb for catching phishing scams is pausing at anything that looks suspicious. Maybe it’s a subject line that appears to be phishy. Perhaps you’re being asked to click on a link to complete a task you’re not aware of. Or, it could be that the email address is one you’ve never seen before. Regardless, these examples are all out of the ordinary and tend to set off our internal cyber alarm.

Email reply chain emails are just the opposite. They are familiar. Very familiar. Why? Because the hacker behind these clever phishing threats doesn’t need to design an original phishing email or purchase a phishing template off the dark web. Instead, these blackhat hackers use an existing email – one you’ve seen, sent, or perhaps responded to in the past – to con you into downloading malware.

How It Works

At first glance, an email reply chain phishing attack may appear to be an Account Takeover (ATO), simply because the email is being sent from a familiar employee, vendor, or colleague. However, with email reply chain threats, cybercriminals go beyond invading one individual email account and break into the company’s server. Once they have access, the hackers steal existing email threads, pose as one of the participants, and reply to everyone on the distribution list with some ploy that prompts the recipients to download a dangerous file. That file is almost always a weaponized document that, once enabled, installs malware, ultimately ending in a ransomware attack.

In the case of IKEA, the download was a seemingly innocent “” file that contained a weaponized Excel document.1 Once the employee clicked on an “Enable Editing” button, Trojan virus files from a remote site were downloaded. Eventually, these infections will compromise IKEA’s Microsoft Exchange server and position the company for a ransomware attack.

But wait, it gets worse. As bad as email reply chain phishing attacks are for the main company being attacked, the distribution lists on the hijacked email accounts go beyond internal email accounts and often include the email addresses of company partners and vendors. This allows the malicious threats to spread to other companies as well.
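Because a hijacked reply comes from a real participant in a real thread, sender-based checks do not help; what can be checked is the thread's history. The following is an added example, not INKY's code or method: a triage heuristic that flags a reply introducing an archive or Office attachment into a thread whose earlier messages carried none. The extension list, function names, and sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed risky types: archives and macro-capable Office formats (tune per site).
RISKY_EXT = (".zip", ".xls", ".xlsm", ".xlsb", ".doc", ".docm")

def attachments(msg):
    """Lower-cased filenames of every attachment part in a parsed message."""
    return [(p.get_filename() or "").lower() for p in msg.iter_attachments()]

def msg_id(msg, header="Message-ID"):
    return str(msg[header] or "").strip()

def flag_reply_chain(raw_messages):
    """Flag replies that add a risky attachment to a thread that had none."""
    msgs = [email.message_from_string(r, policy=policy.default) for r in raw_messages]
    by_id = {msg_id(m): m for m in msgs if msg_id(m)}
    flagged = []
    for m in msgs:
        parent_id = msg_id(m, "In-Reply-To")
        risky = [f for f in attachments(m) if f.endswith(RISKY_EXT)]
        if not parent_id or not risky:
            continue  # not a reply, or nothing risky attached
        seen, clean_thread = set(), True
        # Walk up the thread; an unknown parent ends the walk (treated as clean).
        while parent_id in by_id and parent_id not in seen:
            seen.add(parent_id)
            if attachments(by_id[parent_id]):
                clean_thread = False  # thread already exchanged files
                break
            parent_id = msg_id(by_id[parent_id], "In-Reply-To")
        if clean_thread:
            flagged.append((msg_id(m), risky))
    return flagged

def build(mid, parent, body, attach=None):
    """Construct a sample message (constructed test data, not real mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.com", "bob@example.com", "Re: Q3 order"
    m["Message-ID"] = mid
    if parent:
        m["In-Reply-To"] = parent
    m.set_content(body)
    if attach:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attach)
    return m.as_string()
```

A hit is a prompt for review rather than a verdict, since colleagues do legitimately send a first attachment mid-thread.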

Choosing Prevention Over Cure

Email reply chain phishing attacks are deceptively tricky because they come from a trusted sender and reference work that you are doing together. That familiar sender, on an email that’s already been circulated, is why so many of these destructive phishing attacks make their way through Secure Email Gateways (SEGs). Thankfully, preventative measures can be taken.

INKY provides the most comprehensive malware and email phishing protection available. It sits downstream from Secure Email Gateways (SEGs) and catches threats that were previously missed. INKY scans every sent and delivered email automatically and flags malicious emails, protecting your organization, vendors, and partners from complex threats, including email reply chain attacks. INKY’s intelligent machine learning algorithms identify abnormalities in emails, even if the threat has never been seen before. From there, INKY’s Banner warns employees of threats, while protecting and training them at the same time. INKY even works on mobile devices. And, if you’re worried about a time-consuming installation process, you’ll appreciate INKY’s speedy execution. Most customers are up and running in under an hour – even with remote employees.

Choose to prevent costly phishing attacks, rather than recover from them. All it takes is INKY.
