How the attack unfolds
The phishers start by compromising a Gmail account, then they rifle through the emails the user has recently received.After finding one with an attachment, they create an image (screenshot) of it and include it in a reply to the sender. They use the same or similar subject line for the email, to invoke recognition and automatic trust.
“You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again,” WordFence CEO Mark Maunder warns.
Full Article