This is when attacker uses a compromised but legitimate company account to launch an internal phishing attack. The trusted source account makes it much easier to manipulate more employees and compromise more accounts.