
Barrel Phishing: The Two-Stage Attack Beating Filters

Day one: An email from a new vendor asks if you’re the right person to discuss a partnership opportunity. Nothing suspicious. No links. No attachments. You reply confirming your role.

Day three: A follow-up arrives with a “proposal document” attached. You open it without hesitation. You already know this sender.

This is barrel phishing. The first email had one purpose: make you trust the second one.

Barrel phishing (also called double-barrel phishing) splits an attack into two or more messages. The first message is clean. Completely harmless. It passes every security filter because there’s nothing to catch. Its only job is to get you to reply.

Once you do, the attacker has what they need. You’ve mentally filed them as a known contact. The second message, the one carrying the malicious link or attachment, lands in your inbox with built-in credibility. It references your earlier conversation. It feels like a natural next step.

And that’s exactly the problem. Security awareness training teaches people to be suspicious of unsolicited emails. Barrel phishing makes the dangerous email feel solicited.

Barrel phishing vs phishing: what’s the difference?

Standard phishing plays the numbers. Blast out ten thousand emails, hope someone clicks. The emails are generic, often sloppy, and detectable if you know what to look for.

Barrel phishing is a different animal entirely.

|                      | Standard phishing          | Barrel phishing                                   |
|----------------------|----------------------------|---------------------------------------------------|
| Messages sent        | One email                  | Two or more                                       |
| Trust level          | Cold contact               | You’ve already replied                            |
| Detection difficulty | Easier (obvious red flags) | Much harder (context feels real)                  |
| Attacker effort      | Low                        | Higher, but worth it                              |
| Success rate         | Lower                      | Significantly higher against trained targets      |
| Filter evasion       | Moderate                   | High, because the first email is genuinely clean  |

The tradeoff is effort versus conversion. Standard phishing is cheap and fast. Barrel phishing takes patience, but it works on people who would never fall for a regular phishing email.

Your brain sorts senders into safe and suspicious

This happens automatically. One innocent exchange, and a sender moves into the “safe” mental folder. Everything they send after that gets less scrutiny. You might catch a cold phishing email on a bad day, but a follow-up from someone you just talked to? That barely registers as a potential threat.

The first barrel phishing email contains no malicious content. Zero. It’s a genuine question. Modern email security scans for payloads, suspicious links, known bad domains. None of that exists in the setup email. By the time the second email arrives, the sender-recipient relationship is established, which makes the follow-up less likely to get flagged too.

You’ve already invested time. You’ve acknowledged a relationship. Ignoring the follow-up feels rude, inconsistent with your prior action. This is textbook consistency bias, and social engineering attacks exploit it constantly.

Legitimate business relationships start this way every day. Initial outreach, confirmation of interest, detailed follow-up with documents attached. Barrel phishing copies the rhythm perfectly.

What are common barrel phishing scenarios?

These are the pretexts attackers use most. Each one follows the same pattern: a reasonable first email, then a weaponized second one.

Email 1: “Hi, I found your company while researching solutions in [industry]. Are you the right person to discuss potential partnership opportunities?”

Email 2: “Thanks for getting back to me. I’ve put together a brief overview of what we’re thinking. See attached.”

This is the most common variant. The first email is so generic that almost anyone would respond to it. That’s the point.

Email 1: “I came across your job posting for [role]. Before applying formally, I wanted to confirm the position is still open and ask a few questions.”

Email 2: “Thanks for the info. I’ve attached my resume and portfolio. Looking forward to discussing further.”

HR teams are especially vulnerable here. They’re used to receiving resumes from strangers. The two-email pattern actually feels more professional than a cold application.

Email 1: “I’m a journalist covering [topic]. Would [executive name] be available for a brief interview about [company’s] approach?”

Email 2: “Great. I’ve prepared some background questions in the attached document. Please review before our call.”

A real journalist would put questions in the email body, not a Word attachment. But in the moment, after you’ve already coordinated with your exec’s calendar, who stops to think about that?

Email 1: “We’re reaching out to companies in [sector] about our new [product/service]. Who handles [function] decisions at your organization?”

Email 2: “Perfect, thanks for the introduction. I’ve put together a custom proposal based on our conversation.”

Notice how the second email says “based on our conversation.” You had one email exchange. That’s not a conversation. But the framing makes it feel like one.

Not every initial outreach is an attack, obviously. But watch for these signals:

  • Vague company or personal details that don’t hold up under a quick search
  • Generic industry references that could apply to anyone in your sector
  • No verifiable phone number, office address, or LinkedIn profile
  • The sender’s domain doesn’t match the organization they claim to represent
  • The question they’re asking could have been answered by checking your website
  • The attachment arrives suspiciously fast for the supposed context
  • The file type doesn’t match the content. A “proposal” that’s actually a macro-enabled .docm file? No.
  • Urgency appears out of nowhere when the first email was casual
  • Links point to domains unrelated to the sender’s organization
  • They’re requesting credentials or sensitive information

Stop and ask: does this progression actually make sense?

A real partnership inquiry wouldn’t send detailed documents after one email exchange. A genuine vendor would link to their website, not send executable files. A legitimate journalist sends questions in plain text.

When the second email escalates faster than the relationship warrants, that’s your signal.

How do you protect your organization against barrel phishing?

Verify before you engage. Before responding to unsolicited outreach, take 30 seconds to check. Does the company exist? Does the email domain match their website? Can you find this person on LinkedIn? That’s usually enough to filter out the fakes.

Keep your guard up regardless of history. One prior email does not make someone trustworthy. Apply the same scrutiny to follow-ups that you’d give a cold contact. This is the single hardest habit to build, and the single most important one.

Verify attachments through a different channel. If someone sends a document, call them at a number you found independently (not one they provided) to confirm they sent it.

Watch for tone shifts. If the urgency, formality, or request type changes noticeably between emails, something is off.

Train specifically on multi-stage attacks. Most phishing simulation programs test employees with single-message threats. That’s not enough. Your people need to understand that prior contact does not equal trust.

Implement attachment sandboxing. Scan attachments in isolated environments before delivery, regardless of sender reputation. Every time.

Use email authentication. DMARC, DKIM, and SPF verify sender domains and make impersonation harder. If you haven’t deployed these, start there.

Build a verification culture. Make it completely normal to verify requests through secondary channels, even from known contacts. If someone feels awkward double-checking, your culture is the vulnerability.

Include barrel phishing in your simulations. Multi-stage test campaigns reveal which employees drop their guard after initial contact. That data is gold for targeted training.

If you’ve already replied to the first email, don’t panic. The first email is almost always clean. But be extremely cautious about anything that follows from this sender. Report the exchange to your security team and don’t open any attachments or click links in subsequent messages.

You opened an attachment from the second email

Disconnect from the network immediately. Report to IT security. Don’t try to fix anything yourself. Document what you clicked and when. Change passwords from a clean device.

For security teams responding to a barrel phishing incident

Analyze the full email chain to map the attack pattern. Search for similar first-stage emails sent to other employees because the attacker likely cast a wider net. Block the sender domain. Alert staff about the specific pretext used so they can recognize variants. And update your training materials with this real-world scenario, because nothing teaches like a near miss.
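The warning signals listed earlier (a payload that arrives after a clean first contact, a macro-enabled “proposal”, links to domains unrelated to the sender) and the response step of sweeping for other recipients of the same first-stage email can be turned into a small detector over mailbox metadata. The Python below is an added example, not code from this article; the record fields (direction, from, to, ts, attachments, links), addresses and domains are constructed assumptions about how your mail logs might be normalized.

```python
from collections import defaultdict
MACRO_EXTS = (".docm", ".xlsm", ".pptm")  # macro-enabled formats the article flags

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()
def find_barrel_chains(messages):
    """Flag pairs where a clean, answered first contact is followed by a payload from the same sender."""
    threads = defaultdict(list)
    for m in sorted(messages, key=lambda m: m["ts"]):
        ext, emp = (m["from"], m["to"]) if m["direction"] == "in" else (m["to"], m["from"])
        threads[(ext.lower(), emp.lower())].append(m)
    alerts = []
    for (ext, emp), msgs in threads.items():
        inbound = [m for m in msgs if m["direction"] == "in"]
        if len(inbound) < 2 or inbound[0]["attachments"] or inbound[0]["links"]:
            continue  # no clean setup message, so not the two-stage pattern
        replied = any(m["direction"] == "out" and m["ts"] >= inbound[0]["ts"] for m in msgs)
        sd = domain_of(ext)
        for later in inbound[1:]:
            reasons = []
            if replied and (later["attachments"] or later["links"]):
                reasons.append("payload arrives after a clean, answered first contact")
            if any(a.lower().endswith(MACRO_EXTS) for a in later["attachments"]):
                reasons.append("macro-enabled attachment")
            if any(d.lower() != sd and not d.lower().endswith("." + sd) for d in later["links"]):
                reasons.append("link domain unrelated to sender domain")
            if reasons:
                alerts.append({"sender": ext, "employee": emp, "ts": later["ts"], "reasons": reasons})
    return alerts
def first_stage_recipients(messages, sender_dom):
    """IR sweep: employees whose first message from this sender domain was clean (the wider net)."""
    first_seen = {}
    for m in sorted(messages, key=lambda m: m["ts"]):
        if m["direction"] == "in" and domain_of(m["from"]) == sender_dom:
            first_seen.setdefault(m["to"].lower(), m)
    return sorted(e for e, m in first_seen.items() if not m["attachments"] and not m["links"])
def msg(direction, frm, to, day, attachments=(), links=()):
    # ts is a day number here; real mail logs would carry a full timestamp
    return {"direction": direction, "from": frm, "to": to, "ts": day,
            "attachments": list(attachments), "links": list(links)}

# Constructed sample mailbox metadata; every address and domain is hypothetical.
SAMPLE = [
    msg("in", "jordan@vendor-outreach.test", "alice@corp.test", 1),
    msg("out", "alice@corp.test", "jordan@vendor-outreach.test", 1),
    msg("in", "jordan@vendor-outreach.test", "alice@corp.test", 3, attachments=["proposal.docm"]),
    msg("in", "jordan@vendor-outreach.test", "bob@corp.test", 1),
    msg("in", "news@legit-supplier.test", "carol@corp.test", 2, links=["www.legit-supplier.test"]),
]
```

Run against the sample, only Alice’s thread is flagged (the day-three .docm after her reply), while the sweep also surfaces Bob as a second recipient of the same clean setup email.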

What is the difference between barrel phishing and spear phishing?

Barrel phishing is often combined with spear phishing, where the attacker researches a specific individual before making contact. They tailor the initial outreach based on your role, your company’s recent news, or your LinkedIn activity. Then the follow-up delivers a payload designed specifically for you.

This combination is particularly dangerous for executives and employees with access to financial systems or sensitive data. It’s also how BEC attacks frequently begin.

Barrel phishing exists because security awareness improved. When employees learned to distrust unsolicited emails with links, attackers adapted by making their emails solicited first. Simple as that.

The next evolution is already happening. Expect three-stage attack chains, multi-channel approaches (email followed by a phone call), and AI-generated pretexts that are harder to distinguish from real outreach.

The principle stays the same: trust must be verified, not assumed. Prior interaction is not proof of legitimacy. The best defense is a workforce that understands this instinctively, not just intellectually.


Want to see barrel phishing in action without the risk? Try our free Double Barrel Phishing exercise and test whether you’d catch a multi-stage attack before it caught you.