Reply-To Header Hijacking

Timeline: The Cat and Mouse

2005 ← Attack emerges → 2015 ← Defenses improve → 2019 ← Still used → Present

The Evolution

Key Events with Sources

Overview

The Reply-To header tells email clients where to send replies, separate from the From address. Attackers use legitimate-looking From addresses while setting Reply-To to their own mailbox. When victims reply, their responses go directly to the attacker.

The Attack

Email Header Structure

From: ceo@company.com
Reply-To: ceo.urgent@gmail.com     ← Attacker's address
To: employee@company.com
Subject: Quick Request

Can you help me with something?

When the employee hits “Reply,” their email client automatically addresses it to ceo.urgent@gmail.com, not ceo@company.com.

Why Reply-To Exists

Legitimate uses:

• Mailing lists (reply goes to list, not individual)
• No-reply addresses (replies go to support)
• Shared mailboxes (send from individual, reply to team)

Attackers exploit this legitimate feature for malicious purposes.

Attack Scenarios

BEC Initial Contact:

From: "CEO Name" <no-reply@company.com>
Reply-To: ceo.private@gmail.com
Subject: Are you available?

I need a quick favor. Reply when you can.

The From address might even be legitimate (if attacker compromised a no-reply account or spoofed it), but replies go to the attacker.

Credential Harvesting:

From: support@bigbank.com
Reply-To: support.bigbank@attacker-domain.com
Subject: Account Verification Needed

Please reply with your account number to verify your identity.

Vendor Invoice Fraud:

From: accounts@vendor.com
Reply-To: accounts.vendor@gmail.com
Subject: Updated Banking Details

Our banking details have changed. Please reply to confirm receipt.

Raw Email Headers (Reply-To Hijacking)

The key is the Reply-To header—which is never authenticated:

Return-Path: <bounce@attacker-server.com>
Received: from mail.attacker-server.com (mail.attacker-server.com [198.51.100.25])
        by mx.company.com (Postfix) with ESMTPS id 789XYZ
        for <employee@company.com>; Wed, 22 Jan 2025 10:45:33 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=attacker-server.com; s=default;
        h=from:reply-to:to:subject:date;
        bh=abc123...;
        b=def456...
Authentication-Results: mx.company.com;
        dkim=pass header.d=attacker-server.com;
        spf=pass smtp.mailfrom=bounce@attacker-server.com;
        dmarc=fail (p=NONE) header.from=company.com
From: "CEO Name" <ceo@company.com>
Reply-To: ceo.urgent.2025@gmail.com
To: employee@company.com
Subject: Quick Question - Confidential
Date: Wed, 22 Jan 2025 10:45:30 -0500
Message-ID: <msg-001@attacker-server.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

Are you at your desk? I need help with something urgent.

Key observations:

• From: header claims ceo@company.com (spoofed)
• Reply-To: redirects replies to attacker’s Gmail
• dmarc=fail — But p=NONE means no enforcement!
• When user clicks Reply, email goes to ceo.urgent.2025@gmail.com
• The Reply-To header is never validated by SPF/DKIM/DMARC

Combined with Other Techniques

Reply-To hijacking often combines with:

• Display name abuse: Fake name, real-ish From, attacker Reply-To
• Compromised accounts: Legitimate From that passes auth, attacker Reply-To
• Thread hijacking: Reply to real conversation but change Reply-To

How Defenses Work

Email Client Warnings

Modern clients may show:

⚠️ Reply will be sent to: ceo.urgent@gmail.com
   (different from sender: ceo@company.com)

Limitation: Many clients don’t show this, especially mobile.

SEG Analysis

Security gateways check:

• Reply-To domain vs From domain
• Reply-To to known freemail providers
• Reply-To containing brand names in local part
• Reply-To to recently registered domains

DMARC’s Indirect Help

DMARC doesn’t validate Reply-To, but:

• Prevents spoofing the From address
• If attacker must use their own From, the deception is harder
• Combined with Reply-To analysis, easier to detect

Attacker Adaptation

Clever Reply-To Addresses

From: ceo@company.com
Reply-To: ceo.company@gmail.com         ← Looks related
Reply-To: ceo@company-secure.com        ← Cousin domain
Reply-To: ceo@c0mpany.com               ← Typosquat

No Reply-To, Use Compromised Account

If Reply-To triggers warnings, attackers compromise actual accounts:

• Phish employee credentials
• Send from their account directly
• No Reply-To mismatch to detect

Multi-Stage Attacks

1. Initial email has no Reply-To (establishes rapport)
2. Follow-up introduces Reply-To (victim already trusts thread)

Current State

Status: Active

Reply-To hijacking remains effective, especially in targeted attacks:

Detection Guidance

Email Rules

Flag emails where:

reply_to.domain != from.domain
AND from.domain IN (protected_domains)
AND reply_to.domain IN (freemail_providers OR recently_registered)

Things to Alert On

• Reply-To to Gmail/Yahoo when From is corporate
• Reply-To containing brand names (paypal.support@gmail.com)
• Reply-To to domains < 30 days old
• Reply-To domain similar to From domain (typosquat)

User Training

Teach users to:

• Check who they’re actually replying to
• Hover over addresses before sending
• Be suspicious of requests to reply to “alternate” addresses
• Verify unusual requests through known contact channels

Post-Incident Analysis

If a user falls for Reply-To hijacking:

• Check for forwarding rules added to mailbox
• Review what information was sent
• Alert if credentials or financial data disclosed
• Block the Reply-To domain