Reply to spoofing email gets answer from spoofer. How?

Please consider this scenario, all while using Gmail’s web client in an up-to-date and secure browser:
Someone receives a legit email containing important information and, after a few hours, a spoofed email containing the same, but with some vital information altered. Gmail says that it can’t verify the identity (SPF failure), but said person inattentively replies to the bad email.

Now, here is the part I can’t figure:
A reply arrives from the spoofer (again, with failed SPF), even if the victim’s reply was directed towards the correct email address (there was no Reply-To in the bad email and the Return-Path was set to the proper address). How can bad actors achieve this, and where do you think the breach in confidence is most likely: on the victim’s side, or with the owners of the legit email on the other side? So far as I can tell, the PC used is clean.

Thank you!
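An added example, not part of the original post, that shows which headers decide where a reply goes and which ones carry the authentication verdict. A standard mail client addresses a reply to Reply-To if present, otherwise to From; Return-Path is only the SMTP bounce address and is never consulted for replies, so the From header is the one worth checking. The script parses two constructed messages (domains `legit.example` and `attacker.example`, addresses and IPs are placeholders) with Python's standard `email` library, pulls the SPF/DKIM/DMARC results out of the receiving server's Authentication-Results header, and lists the points a triage would flag.

```python
"""Header triage for a suspected spoofed message (added example, not from the post).

The two messages below are constructed samples; no real domains or captures.
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed: spoofed message, From forged as the legitimate sender, SPF/DMARC fail.
SAMPLE_SPOOFED = b"""Return-Path: <accounts@legit.example>
Received: from mail.attacker.example (mail.attacker.example [203.0.113.7])
Authentication-Results: mx.google.com;
       spf=fail (google.com: domain of accounts@legit.example does not designate 203.0.113.7 as permitted sender) smtp.mailfrom=accounts@legit.example;
       dkim=none;
       dmarc=fail (p=NONE) header.from=legit.example
From: "Accounts" <accounts@legit.example>
To: victim@example.net
Subject: Updated bank details
Message-ID: <spoof-1@attacker.example>

Please use the new account number below.
"""

# Constructed: the genuine message for comparison, everything passes.
SAMPLE_LEGIT = b"""Return-Path: <accounts@legit.example>
Received: from mail.legit.example (mail.legit.example [198.51.100.4])
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of accounts@legit.example designates 198.51.100.4 as permitted sender) smtp.mailfrom=accounts@legit.example;
       dkim=pass header.i=@legit.example;
       dmarc=pass (p=REJECT) header.from=legit.example
From: "Accounts" <accounts@legit.example>
To: victim@example.net
Subject: Your invoice
Message-ID: <inv-42@legit.example>

Original invoice attached.
"""

# method=result tokens in an Authentication-Results header (RFC 8601 style).
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def auth_results(msg):
    """Return {method: result} as recorded by the receiving MX."""
    return dict(AUTH_RE.findall(str(msg.get("Authentication-Results", ""))))


def addr(msg, name):
    """Bare address from a header such as From, Reply-To or Return-Path."""
    return parseaddr(str(msg.get(name, "")))[1]


def domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def reply_target(msg):
    """Address a normal client puts in To: when the user hits Reply.

    RFC 5322: Reply-To if present, otherwise From. Return-Path is the
    bounce address and plays no part in where a reply is sent.
    """
    return addr(msg, "Reply-To") or addr(msg, "From")


def triage(raw):
    """Summarise the routing and authentication headers and list concerns."""
    msg = message_from_bytes(raw, policy=policy.default)
    auth = auth_results(msg)
    info = {
        "from": addr(msg, "From"),
        "reply_to": addr(msg, "Reply-To"),
        "return_path": addr(msg, "Return-Path"),
        "reply_target": reply_target(msg),
        "message_id_domain": domain(addr(msg, "Message-ID")),
        "spf": auth.get("spf", "none"),
        "dkim": auth.get("dkim", "none"),
        "dmarc": auth.get("dmarc", "none"),
        "warnings": [],
    }
    w = info["warnings"]
    if info["spf"] != "pass":
        w.append(f"SPF result is {info['spf']}: sending host is not authorised "
                 f"for {domain(info['return_path'])}")
    if info["dmarc"] != "pass":
        w.append(f"DMARC result is {info['dmarc']}: the From domain was not "
                 f"authenticated, so the visible sender cannot be trusted")
    if info["reply_to"] and domain(info["reply_to"]) != domain(info["from"]):
        w.append("Reply-To points at a different domain than From")
    # Heuristic: a Message-ID minted under another domain than From is a common tell.
    if info["message_id_domain"] and info["message_id_domain"] != domain(info["from"]):
        w.append(f"Message-ID was generated under {info['message_id_domain']}, "
                 f"not {domain(info['from'])} (heuristic)")
    return info


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        result = triage(raw)
        print(f"[{label}] reply would go to {result['reply_target']}; "
              f"spf={result['spf']} dkim={result['dkim']} dmarc={result['dmarc']}")
        for warning in result["warnings"]:
            print("   -", warning)
```

Run against the two samples, the spoofed message reports that a reply would go to the legitimate From address (exactly as the post describes) while SPF and DMARC both failed and the Message-ID was minted under another domain; the genuine message produces no warnings. Pulling these fields from the raw "Show original" view of both messages is the first step before deciding whether the problem sits with the recipient's account or with the legitimate sender's mail infrastructure.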