There are many specific, heightened challenges of spear phishing emails coming from compromised, trusted third parties. Trusted third-party phishing emails usually come from the legitimate sender’s email account, which is under control of a malicious hacker. The challenges of these types of spear phishing emails were discussed previously

But the risks from a compromised, trusted third-party account don’t always go away when the trusted third party gets cleaned up and the hacker is removed. In fact, the threats from a trusted third-party compromise can last for months to years. The related spear phishing attack called a ‘fake forwarded email’ is an example.

This particular type of phish arrives with subject line and message body text belonging to a previous, genuine conversation held between two legitimate parties. The message text is usually a partial or full conversation from a previously discussed thread, which often happened months to years ago. Even though this type of email usually arrives from a new, illegitimate email address, often times, the receiver’s innate familiarity with the conversation thread makes the receiver accidentally miss the new sender’s email address. It’s what the phisher is hoping for and the whole reason for this type of spear phishing attack.

These types of phishing emails will always include a new request for the receiver, to either visit a particular included URL link or open a file attachment. The message to the sender requesting action is usually something simple and short, such as “Here’s that document you requested” or “This link has the invoice you were asking about.” Many times, the action instruction has nothing to do with the included thread. I’ve often been surprised about how disjointed the request is with the original thread, but the phishers are apparently having some success with them or they wouldn’t keep using them.


All the normal anti-phishing defenses, including good and frequent security awareness training, apply. But it’s important to share these types of phishing attacks with everyone so they know about them. It’s also always important to check the sender’s email address, even if the email seems like part of a continuing thread. It’s one thing to educate and discuss and another to test if people really are looking at the sender’s FROM email address when they get sent a recognizable thread. So, test this scenario as part of your regular simulated phishing campaigns. Pick an organizational-wide email thread that got a lot of traffic and back and forth conversation with lots of participants within the company. Then send it from an external, nearly look-a-like email address and see who falls for it. Real spear “phishermen” seem to think it works.

This is also a great chance to see if your best anti-phishing “champions” who hardly ever get tricked by a real or simulated phishing test do as well on a simulated fake forwarded email. For your champions, pick a more focused email thread that they were personally involved in instead of a company-wide thread. You might have to enlist another recipient you know who frequently corresponds with them.

Fake forwarded emails are one of the most popular types of spear phishing. Don’t let a real one be the first time your users are tested.