by thombat 1313 days ago
"Reply-all" suggests that the same mail went to a set of recipients, but doesn't the watermarking strategy require each recipient to have their own unique copy?

The "to" line is just a header and you can put whatever you want. The actual recipient is specified out of band (RCPT TO). This is how "bcc" works.

Likely the To: line is some sort of mailing list in this case. The mailing list watermarks when redelivering to everybody. The To line remains unchanged. A reply-all causes one copy to be leaked (but it might be re-watermarked, depending on configuration...). Edit: A reply further down says it was actually a forward, which does seem more likely, but nothing about the original setup is impossible.

Recipient A gets their personalized copy, as does recipient B.

Recipient A then clicks reply-all, now everyone has a copy that was personalized to A. They might even notice subtle differences between them.

But how did recipient A get a personalised copy if the mail with that copy was sent to a list of recipients?

Edit: WP has the Tesla story with the counsel forwarding his copy to everyone in a new mail (presumably trying to be helpful?) So not a case of reply-all disease

https://en.m.wikipedia.org/wiki/Canary_trap

Email round one: individually-watermarked copies are delivered to individually-addressed individuals. More elaborate systems might watermark such emails en-route, though that's ... less likely. A and B each wind up with individually-identifying copies of the email.

Email round two: A REPLIES ALL to their individually-watermarked copy of the email, delivering it to ALL employees (or some nontrivially large sample), by which B AND EVERY OTHER RECIPIENT now contains A's watermarked copy.

Email round three: B OR ANY OTHER RECIPIENT OF A's REPLY ALL can now leak A's watermarked copy of the email. Watermarking NO LONGER identifies the leaker.

> But how did recipient A get a personalised copy if the mail with that copy was sent to a list of recipients?

Watermarking added by the mailing-list manager software?

But in this case recipient B must have already had that one, as they were in the reply all for recipient A. If you sent me a personalized email and sent it only to me, then my reply all isn't going to give my personalized version to anyone else but you, and presumably you trust yourself not to be the leak.

Reply-All would not include any other recipient in a standard, personalised mail out - unless the "To" or "Cc" fields were manipulated to give the impression that personalised email A went to everyone equally, but I think that would probably require some custom mailserver tweaks?

> doesn't the watermarking strategy require each recipient to have their own unique copy?

That is indeed the precise and exact point.
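
Added example, not part of the thread: a sketch of the mailing-list scenario the comments describe, where every copy carries the same To: header but a different envelope recipient (RCPT TO) and a different wording watermark, followed by the reply-all that defeats attribution. The addresses, wording slots and function names are constructed for illustration, and the reply is assumed to be redistributed without re-watermarking.

```python
from email.message import EmailMessage

LIST_ADDR = "all-staff@example.test"  # constructed list address
MEMBERS = ["a@example.test", "b@example.test", "c@example.test"]  # constructed
# Each slot has two interchangeable wordings; one bit of the member index picks one.
SLOTS = [("We will", "We'll"), ("begin", "start"), ("on Monday", "Monday")]
TEMPLATE = "{0} {1} the audit {2}."

def render(index):
    """Body text whose wording encodes the member index, one bit per slot."""
    return TEMPLATE.format(*(pair[(index >> i) & 1] for i, pair in enumerate(SLOTS)))

def expand(subject):
    """List-manager step: one (envelope_rcpt, message) pair per member."""
    copies = []
    for i, rcpt in enumerate(MEMBERS):
        msg = EmailMessage()
        msg["From"] = "ceo@example.test"
        msg["To"] = LIST_ADDR            # header: identical in every copy
        msg["Subject"] = subject
        msg.set_content(render(i))       # body: unique per member
        copies.append((rcpt, msg))       # envelope recipient differs per copy
    return copies

def reply_all(sender, original):
    """Reply-all: addressed to the To: header and quoting the sender's own copy."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = str(original["To"])
    msg["Subject"] = "Re: " + str(original["Subject"])
    lines = original.get_content().splitlines()
    msg.set_content("Thanks!\n\n" + "".join("> " + l + "\n" for l in lines))
    return msg

def attribute(leaked_text):
    """Members whose watermarked wording appears in the leaked text."""
    return [m for i, m in enumerate(MEMBERS) if render(i) in leaked_text]

def simulate():
    """A replies-all, B leaks that reply; returns (actual leaker, attributed)."""
    copies = dict(expand("Audit"))
    reply = reply_all("a@example.test", copies["a@example.test"])
    return "b@example.test", attribute(reply.get_content())

if __name__ == "__main__":
    print(simulate())
```
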