Giant home furnishing retailer Ikea recently faced a significant phishing attack in which hackers compromised legitimate corporate email accounts and replied to messages containing malicious documents.

This so-called reply-chain email attack was described as an "ongoing" attack by an internal Ikea message, which said: "The attack can come via email from someone that you work with, from any external organization, and as a reply to an already ongoing conversation."

In a statement to the Washington Examiner from Nov. 30, Ikea said it was aware of the attack and was taking the matter seriously.

"While we have no indication that our customer's data or business partners' data have been compromised, we continue to monitor to ensure that our internal defense mechanisms are sufficient," the statement said. "Actions have been taken to prevent damages, and a full-scale investigation is ongoing."

Keeping customer, employee, and business partner data secure is Ikea's "highest priority," the company added.

Cybersecurity experts said these attacks could be difficult for email users to detect because they come from trusted email senders.

"If you get an email from someone you know or that seems to continue an ongoing conversation, you are probably inclined to treat it as legitimate," said Saryu Nayyar, CEO of cybersecurity vendor Gurucul. "This attack is particularly insidious in that it seemingly continues a pattern of normal use."

Nayyar called on organizations to educate employees frequently about attacks and use machine learning and analytics-based cybersecurity tools to detect unusual activities.

This attack is an example of cybercriminals getting more sophisticated, said Nicolas Joffre, the America manager of the Threat Intelligence and Response Center at Vade, which offers artificial intelligence-based email security.

In a typical phishing attack, an employee receives an email that "comes without context," making it reasonably easy to spot, he told the Washington Examiner. But a reply-chain attack is "particularly effective because the usual warning indicators are missing."

With this type of attack, the hacker has gained access to an email chain and then adds a malicious attachment or link, he said.

"They're at an advantage here because trust has already been established between the recipients," Joffre said. "Attackers take their time watching conversation threads awaiting opportunities. They also make sure they keep the same tone of voice so the recipient doesn't get suspicious when they read the email."

The goal for the attackers may be to gain remote control of an infected computer, send spam from an infected computer, investigate the company's local network, or steal sensitive data, he said.

Reply-chain attacks can erode trust in a company's communication tools, added Monica Eaton-Cardone, co-founder and chief operating officer of Chargebacks911, a cybersecurity company focused on protecting online transactions.

"These kinds of attacks can be absolutely devastating because they destabilize your organization during a time of crisis," she told the Washington Examiner. "Suddenly, you don't think you can safely communicate with your teammates. You no longer trust your emails and digital messages."

When companies lack a way to communicate safely, they can't develop a strategy to counter the attack, she added. "You're dead in the water."

She noted that these types of attacks have been particularly effective during the coronavirus pandemic, with most communication happening over the internet instead of in person.

Companies should go beyond training and test their employees on cybersecurity hygiene, she said.

"Cybersecurity is a never-ending game of cat and mouse, and when the cat's tactics change, you have to respond — or you'll get eaten alive," she added. "The cybersecurity profession is always evolving, always changing — mostly because the hackers and cyber thieves are constantly adopting new tactics."