The email landed in the inbox with the subject line "RE: Christopher." It looked like a reply. It referenced a name. The recipient had a split-second decision: was this a thread they had forgotten about, or something else entirely? The headers said Salesforce Marketing Cloud. The authentication said pass across the board. And the domain behind it had existed for less than a year.
At an enterprise organization in April 2026, a security analyst noticed the message after Themis had already quarantined it. The analyst pulled the headers anyway, and what they found was a case study in how attackers have learned to dress phishing in the same infrastructure that legitimate businesses use to send newsletters, drip campaigns, and product updates.
The Name in the Subject Line
Thread hijacking works because it exploits a cognitive shortcut. When a recipient sees "RE:" in a subject line, their brain categorizes the message as part of an ongoing conversation. It is not new. It is familiar. The Verizon 2024 Data Breach Investigations Report found that pretexting, the technique of fabricating a scenario to engage a target, has doubled since 2022. Thread hijacking is one of the most effective forms of pretexting because it does not require the attacker to invent a scenario from scratch. It implies one already exists.
"RE: Christopher" is deliberately vague. The recipient does not need to know a Christopher. They just need to wonder if they do. In a busy inbox with dozens of threads, that moment of uncertainty is enough to earn an open. And once the email is open, the attacker controls the narrative.
Salesforce Marketing Cloud as a Delivery Platform
The relay headers told the full story. The message was routed through amg20[.]mta[.]exacttarget[.]com, one of Salesforce Marketing Cloud's outbound mail transfer agents. ExactTarget is the infrastructure layer that powers Marketing Cloud's email delivery, and it handles SPF alignment, DKIM signing, and relay routing for every customer on the platform.
The sending domain, stackpilotit[.]com, was registered on June 13, 2025. It was configured as a verified sending domain within Marketing Cloud, which means the platform's authentication mechanisms treated it as a legitimate customer. The Return-Path pointed to bounce[.]s13[.]mc[.]pd25[.]com, a Pardot bounce-handling subdomain. The unsubscribe link pointed to go[.]pardot[.]com. Every piece of email infrastructure that a recipient or a security tool would check pointed to Salesforce.
This is not a vulnerability in Salesforce's platform. It is the intended design working exactly as built, for a customer with malicious intent. The Microsoft Digital Defense Report 2024 documents the growing trend of attackers using legitimate cloud services as delivery infrastructure, precisely because these platforms carry the domain reputation and authentication posture that gateways trust.
Authentication: All Green, Still Malicious
SPF passed because Salesforce's sending IPs are included in the domain's SPF record (that is how Marketing Cloud works). DKIM passed because ExactTarget signs outbound mail with the customer domain's key. DMARC passed because both SPF and DKIM aligned with the From header domain. From an authentication standpoint, this email was indistinguishable from a legitimate marketing campaign.
Microsoft's own filters assigned SCL 5 (Spam Confidence Level) and categorized the message as CAT:SPM (spam). That classification means Microsoft recognized something was off, but SCL 5 typically routes to junk, not quarantine. Depending on the organization's transport rules and safe-sender configurations, SCL 5 messages can still reach the inbox.
The gap between "we think this is spam" and "we will not deliver this" is where thread hijack campaigns live. The IBM Cost of a Data Breach 2024 report found that phishing-initiated breaches carry an average cost of $4.88 million. SCL scores and spam categorization are confidence indicators, not enforcement mechanisms.
The Infrastructure Timeline
Domain registration tells its own story. stackpilotit[.]com was created on June 13, 2025, nearly ten months before this email was sent. That is not a domain registered the day before an attack. It was aged deliberately, allowing time to build sending history, configure DNS records, and establish the minimum reputation needed to pass through reputation-based filters.
The MITRE ATT&CK framework documents this as T1585.002 (Establish Accounts: Email Accounts), where threat actors create or configure accounts on third-party services specifically for use in future operations. Combined with T1036.005 (Masquerading: Match Legitimate Name or Location) for the thread-hijack subject line, the campaign follows a textbook infrastructure preparation pattern.
Pardot's unsubscribe infrastructure (go[.]pardot[.]com) added a final layer of legitimacy. Legitimate marketing emails include unsubscribe links as required by CAN-SPAM. The presence of a Pardot unsubscribe link signals to both recipients and email security tools that this is an authorized marketing communication. The attacker did not need to build this trust signal from scratch. The platform provided it automatically.
MITRE ATT&CK Mapping
- T1566.001 (Phishing: Spearphishing Link): Phishing delivery via email with social engineering pretext.
- T1036.005 (Masquerading: Match Legitimate Name or Location): Thread-hijack subject line ("RE: Christopher") fabricating an existing conversation.
- T1585.002 (Establish Accounts: Email Accounts): Purpose-built domain registered months in advance and configured on Salesforce Marketing Cloud.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Domain | stackpilotit[.]com | Sending domain, registered 2025-06-13 |
| Relay | amg20[.]mta[.]exacttarget[.]com | Salesforce Marketing Cloud MTA |
| Return-Path | bounce[.]s13[.]mc[.]pd25[.]com | Pardot bounce processing |
| Unsubscribe | go[.]pardot[.]com | Pardot unsubscribe infrastructure |
| Subject | RE: Christopher | Thread-hijack pretext |
| SCL | 5 (CAT:SPM) | Microsoft spam classification, not blocked |
When Legitimate Infrastructure Carries Illegitimate Intent
Themis flagged this message through behavioral analysis that evaluated the communication in context, not just its authentication results. The IRONSCALES Adaptive AI identified the thread-hijack pattern (a reply to a conversation that never existed), correlated the new domain with first-time sender signals, and quarantined the message before the recipient could engage.
The challenge with marketing automation as a delivery vector is that it eliminates most of the traditional signals defenders rely on. Authentication passes. Domain reputation is clean. Infrastructure headers point to trusted platforms. According to CISA's guidance on cloud email security, organizations must move beyond perimeter and authentication-based models to behavioral analysis that evaluates whether the content and context of a message match the claimed relationship. The next "RE:" in your inbox might reference a conversation that never happened.
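As an added example (not code from the article or from IRONSCALES), the triage function below encodes the context signals this page describes: a "RE:" subject with no threading headers, a young first-time sender domain, a native spam verdict that only routes to junk, and a Return-Path on a different domain than the From. The header set, domains, IP and registration date are all constructed placeholders, not the campaign's real indicators.

```python
from email import message_from_string
from email.utils import parseaddr
from datetime import date
import re

# Constructed sample mirroring the article's pattern: every authentication
# check passes, the relay and bounce domains belong to a marketing platform,
# the subject is a "RE:" with no threading headers, and the native filter
# only scored it SCL 5. Domains are placeholders, not the article's IoCs.
SAMPLE = """\
Received: from mta.example-marketing.invalid (mta.example-marketing.invalid [192.0.2.10])
Authentication-Results: mx.example.org; spf=pass; dkim=pass header.d=newvendor.invalid; dmarc=pass
Return-Path: <bounce@bounce.example-marketing.invalid>
From: "Sales" <info@newvendor.invalid>
To: user@example.org
Subject: RE: Christopher
List-Unsubscribe: <https://go.example-marketing.invalid/unsub>
X-Forefront-Antispam-Report: CTRY:US;SCL:5;CAT:SPM

Following up on our earlier conversation.
"""
# Placeholder registration date, standing in for a WHOIS/RDAP lookup.
DOMAIN_CREATED = {"newvendor.invalid": date(2025, 6, 13)}
TODAY = date(2026, 4, 1)  # constructed analysis date

def _domain(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def triage(raw, today=TODAY, known_senders=frozenset()):
    """Return the context-based reasons a message deserves quarantine review."""
    msg = message_from_string(raw)
    reasons = []
    from_dom = _domain(msg.get("From", ""))
    # 1. Reply-style subject with no In-Reply-To/References: a reply to nothing.
    if re.match(r"\s*(re|fw|fwd)\s*:", msg.get("Subject", ""), re.I) and not (
        msg.get("In-Reply-To") or msg.get("References")
    ):
        reasons.append("reply subject without threading headers")
    # 2. First-time sender on a young domain, regardless of SPF/DKIM/DMARC results.
    created = DOMAIN_CREATED.get(from_dom)
    if from_dom not in known_senders and created and (today - created).days < 365:
        reasons.append(f"first-time sender, domain aged {(today - created).days} days")
    # 3. Native spam verdict that routes to junk rather than blocking delivery.
    m = re.search(r"SCL:(\d+)", msg.get("X-Forefront-Antispam-Report", ""))
    if m and int(m.group(1)) >= 5:
        reasons.append(f"SCL {m.group(1)} verdict not enforced")
    # 4. Bounce domain differs from the From domain: relayed via a third-party platform.
    if not _domain(msg.get("Return-Path", "")).endswith(from_dom):
        reasons.append("Return-Path belongs to a different domain than From")
    return reasons
```

Each reason is independent of the authentication verdict, which is the point: on the sample every one of SPF, DKIM and DMARC passes and the function still returns four findings.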