The phishers start by compromising a Gmail account, then rifle through the emails the user has recently received.
After finding one with an attachment, they create an image (screenshot) of it and include it in a reply to the sender. They use the same or a similar subject line for the email, to evoke recognition and automatic trust.