Thread Hijacking Explained
Thread hijacking is an email attack technique where threat actors gain access to a legitimate mailbox, harvest existing email conversations, and reply within those real threads to deliver malicious links, attachments, or fraudulent requests. MITRE ATT&CK documents the technique under T1566 (Phishing), which explicitly names "thread hijacking" as a delivery method.
The defining characteristic is exploitation of pre-existing trust. The malicious message arrives inside a genuine conversation the recipient already recognizes, with a familiar subject line, a known sender, and real conversation history. This makes it significantly harder to detect than a cold phishing email.
How Thread Hijacking Works
The attack follows a consistent pattern across documented campaigns:
- Account compromise. The attacker gains access to a victim's email account through credential theft, brute force, or exploitation of mail server vulnerabilities (ProxyLogon, ProxyShell).
- Email harvesting. The attacker (or automated malware like Emotet) exfiltrates existing email threads from the compromised mailbox, collecting metadata, message bodies, and recipient lists.
- Target selection. High-value conversations are identified: active projects, pending invoices, payment approvals, or HR discussions.
- Reply crafting. The attacker constructs a reply that matches the thread's context and tone, appending a malicious attachment (macro-enabled document, ISO container, password-protected ZIP) or a link to a credential harvesting page.
- Delivery. The reply is sent to the original thread participants, either from the compromised account directly or via spoofed headers from botnet infrastructure.
In Palo Alto Unit 42's documented Emotet case, the entire chain from initial infection to thread-hijacked reply delivery took one hour and 51 minutes.
Why Thread Hijacking Evades Traditional Defenses
Standard email security tools struggle with thread hijacking for two reasons.
First, the sender is often legitimate. When the reply comes from the compromised account itself (as documented in IcedID campaigns targeting Exchange servers), authentication checks (SPF, DKIM, DMARC) all pass. The email originates from authorized infrastructure.
Second, content-based filters miss the context. A document attachment in a reply to an existing invoice discussion looks normal. The same attachment arriving cold from an unknown sender would trigger suspicion. Thread context provides the social proof that bypasses both automated scanning and human judgment.
Emotet, QakBot, and IcedID all weaponized this technique at scale. CISA Advisory AA20-280A warned of Emotet's thread hijacking targeting U.S. state and local governments. QakBot operators harvested email from Exchange servers compromised during the 2021 ProxyLogon wave, reusing stolen threads across multiple attack campaigns months later.
Defending Against Thread Hijacking
Effective defense requires controls that go beyond content scanning:
- Behavioral AI. Baseline normal communication patterns per user and flag deviations: unusual sending times, atypical recipients, sudden attachment types, or shifts in writing style within a thread.
- Compromised account detection. Monitor for suspicious mailbox rules (auto-forwarding, auto-deleting, rules named with single characters), logins from unfamiliar IP addresses or geolocations, and OAuth consent grants that provide persistent access even after password resets.
- MFA on all email accounts. Reduces the initial account compromise that enables the hijack.
- Side-channel verification training. Generic "check the sender" training is insufficient because the sender IS legitimate. Train users to verify unexpected attachments or requests through a separate communication channel, even in familiar threads.
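As an added example (not IRONSCALES code), here is a small Python triage pass over constructed inbox-rule records that flags the compromised-account indicators listed above: single-character rule names, auto-forwarding outside the tenant, and auto-delete actions; it also goes slightly beyond the list by flagging rules that bury mail in rarely checked folders or filter on financial terms. The record shape, the `example.com` tenant domain and the keyword list are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample records modelled on the properties an inbox rule exposes
# (name, owner, forwarding targets, delete flag, target folder, conditions).
# The field names are an assumption for this example, not an exact schema.
@dataclass
class InboxRule:
    name: str
    owner: str
    forward_to: list = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str = ""
    subject_contains: list = field(default_factory=list)

INTERNAL_DOMAIN = "example.com"  # assumed tenant domain for the sample
# Assumed terms that mark rules hiding replies in a hijacked financial thread
SUSPECT_KEYWORDS = {"invoice", "payment", "wire", "password", "urgent"}
# Folders where a hidden rule can park mail so the owner never sees it
HIDE_FOLDERS = {"rss feeds", "deleted items", "archive", "junk email"}

def rule_findings(rule: InboxRule) -> list:
    """Return the indicator names this rule matches (empty list if clean)."""
    findings = []
    if len(rule.name.strip()) <= 1:           # single-character or blank name
        findings.append("short-name")
    for addr in rule.forward_to:              # forwarding outside the tenant
        if addr.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN:
            findings.append("external-forward")
            break
    if rule.delete_message or rule.move_to_folder.lower() in HIDE_FOLDERS:
        findings.append("hide-or-delete")     # auto-delete or bury the mail
    if any(k.lower() in SUSPECT_KEYWORDS for k in rule.subject_contains):
        findings.append("financial-keyword-filter")
    return findings

def triage(rules) -> dict:
    """Map (owner, rule name) to findings for every rule that raised one."""
    report = {}
    for r in rules:
        hits = rule_findings(r)
        if hits:
            report[(r.owner, r.name or "<unnamed>")] = hits
    return report

# Constructed sample: one benign rule, one typical post-compromise rule,
# and one internal forward that should not be flagged.
SAMPLE_RULES = [
    InboxRule("Newsletters", "alice@example.com", move_to_folder="Newsletters",
              subject_contains=["digest"]),
    InboxRule(".", "alice@example.com", forward_to=["x9@mail-drop.test"],
              delete_message=True, subject_contains=["invoice", "payment"]),
    InboxRule("Bob project", "bob@example.com",
              forward_to=["bob@example.com"], move_to_folder="Projects"),
]
```

Run `triage(SAMPLE_RULES)` against records exported from your mail platform's rule listing or audit log; the single-character rule that forwards externally and deletes the original is the one worth paging on.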
Thread Hijacking Protection from IRONSCALES
IRONSCALES behavioral AI detects thread hijacking by analyzing conversation context and sender behavior, flagging anomalous replies within trusted threads before users interact with the payload.