Phishing & Social Engineering

What Is Thread Hijacking?

Thread hijacking is a cyberattack technique in which an adversary inserts malicious messages into existing, legitimate email conversations to deliver malware, steal credentials, or redirect payments while exploiting the established trust of the ongoing thread.

Always Automate, Nothing To Manage

Always automated.

Nothing to manage.

Leave Training & Simulated Phishing to us.

How does thread hijacking work?

Thread hijacking operates through two primary methods, each with distinct mechanics and risk profiles. In internal thread hijacking, an attacker compromises a participant's email account via phishing, credential stuffing, or malware exploitation (such as ProxyLogon on Exchange servers). Once inside, the attacker monitors conversations to identify high-value threads—discussions involving financial transactions, vendor negotiations, pending payments, or sensitive approvals. This reconnaissance phase can last days, weeks, or even months as the attacker builds an understanding of which conversations will prove most valuable.

The attacker then establishes a persistence mechanism designed to hide their activity from the legitimate account owner. This typically involves creating hidden mailbox rules—often named with single characters like "." to avoid user notice—that automatically mark incoming messages as read, stop processing, and move them to archive folders. These rules ensure the legitimate account owner remains unaware of the compromise while the attacker positions themselves within active conversations. When the moment is right, the attacker crafts a malicious reply containing a weaponized attachment, malicious link, or fraudulent payment instructions. Because the reply appears to originate from the trusted participant with full email thread history visible, recipients are far more likely to trust and act on the message than they would on a standalone email from an unknown sender.

In external thread hijacking, the attacker bypasses account compromise entirely by stealing email data through malware like Emotet or by purchasing stolen mailbox contents from dark web marketplaces. Using this harvested data, the attacker spoofs the original sender's address and crafts replies to the stolen thread from external infrastructure. Palo Alto Networks Unit 42 documented an Emotet case where the entire attack chain—from initial infection to email exfiltration to delivery of a hijacked reply—completed in approximately 1 hour and 51 minutes (Palo Alto Networks Unit 42, 2020). This speed suggests automated processes handling multiple stages. While external hijacking can operate at scale across multiple organizations by leveraging bulk collections of stolen emails, it leaves more forensic traces—authentication failures, header inconsistencies, unusual IP patterns—that security teams may detect.

How does thread hijacking differ from lateral phishing?

| Dimension | Thread Hijacking | Lateral Phishing | Clone Phishing | Spear Phishing |
|---|---|---|---|---|
| Email Context | Replies within existing conversation with history | New email from compromised trusted account | Copy of a known legitimate email | New email tailored to target |
| Trust Mechanism | Ongoing conversation context | Known sender identity | Familiar email content | Personalized relevance |
| Requires Account Compromise | Often (internal method only; external method uses stolen data) | Yes, always | Not necessarily | No |
| Can Operate at Scale | Yes (external method using stolen emails) | Medium scale | Low to medium scale | Low scale |
| Detection Difficulty | Very high—embedded in trusted thread | Very high—from legitimate account | High—mimics real email | High—personalized |
| Response Rate | Up to 80% (Kaspersky, 2024) | Not publicly specified | Variable | Approximately 50% higher than bulk phishing (IBM, date unknown) |
| Ideal for | Delivering malware to high-value targets; financial fraud in established relationships | Credential harvesting from employees of a compromised organization | Resending updated malicious content in familiar format | Targeted espionage or CEO fraud |

Neither approach is universally better. Thread hijacking's strength lies in exploiting existing context; lateral phishing's strength is its source credibility from a known internal account.

Why has thread hijacking gained traction?

Thread hijacking has grown significantly because it achieves much higher response rates than traditional phishing—up to 80% according to Kaspersky (2024)—by leveraging the recipient's existing relationship with the sender. Conversation hijacking increased 70% between 2022 and 2023, rising from 0.3% to 0.5% of all social engineering attacks according to Barracuda Networks (2024), analyzing 69 million attacks across 4.5 million mailboxes. While the percentage appears modest, these attacks are resource-intensive and yield disproportionately large payouts. Emotet, the malware that pioneered thread hijacking at scale, incorporated the technique in 8.5% of its infection attempts in April 2019, escalating to nearly 25% within one week (Palo Alto Networks Unit 42, 2020). Following the 2021 Emotet takedown, law enforcement released a list of approximately 1.3 million compromised email accounts that had been weaponized for thread hijacking and other operations (Europol/Dutch Police, 2021).

However, the attack's resource requirements—either compromising an account or acquiring stolen email data—limit its scalability. Most sophisticated threat actors prioritize thread hijacking only for high-value targets where the payoff justifies the setup cost.

What are the limitations of thread hijacking?

Thread hijacking has several practical constraints. First, the attack is resource-intensive: attackers must either compromise an email account directly or obtain stolen email data, making broad-scale campaigns expensive. Second, timing sensitivity is critical—replies to old or concluded threads raise suspicion, forcing attackers to respond only to active, recent conversations. Third, behavioral anomaly detection can identify when a compromised account exhibits unusual activity patterns: logins from new geographic locations, creation of suspicious mailbox rules, replies to aged threads, or atypical sending frequency. Darktrace (2024) demonstrated that automated account disabling can occur within 24 hours of detection.

Fourth, external thread hijacking leaves detectable forensic traces. Spoofed replies from external infrastructure may fail SPF or DKIM authentication checks, and careful header inspection can reveal the deception. Fifth, out-of-band verification neutralizes the attack entirely—a phone call to verify an unexpected request defeats thread hijacking. Finally, the attack requires recent, relevant conversations with actionable content; purely informational threads offer limited exploitation value.
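The forensic traces described above can be checked mechanically at the mail gateway. The following Python is an added example, not code from the original page: it parses a constructed reply, reads the receiving server's Authentication-Results header, compares Reply-To with From, and flags a reply to a thread that has been idle for more than 30 days. The internal domain, the thread index and the sample headers are assumptions.

```python
import email
from email import policy
from datetime import datetime, timedelta, timezone
# Constructed sample reply (not a real capture): it claims to come from an internal colleague
# inside an existing thread, but failed authentication and steers replies to a look-alike domain.
SAMPLE_RAW = """\
From: Dana Lee <dana.lee@example.com>
To: pat@example.com
Reply-To: dana.lee@example-invoices.net
Subject: RE: Q3 vendor payment
Date: Tue, 05 Mar 2024 09:12:00 +0000
In-Reply-To: <thread-42@example.com>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Revised payment details attached.
"""
INTERNAL_DOMAIN = "example.com"
# Constructed thread index: Message-ID of the thread root -> last legitimate activity.
THREAD_LAST_SEEN = {"<thread-42@example.com>": datetime(2023, 11, 1, tzinfo=timezone.utc)}
STALE_AFTER = timedelta(days=30)

def parse_auth_results(header):
    """Turn 'authserv; spf=fail ...; dkim=none; dmarc=fail ...' into {'spf': 'fail', ...}."""
    results = {}
    for clause in header.split(";")[1:]:  # first clause is the authserv-id
        parts = clause.strip().split()
        if parts and "=" in parts[0]:
            method, verdict = parts[0].split("=", 1)
            results[method.lower()] = verdict.lower()
    return results

def check_reply(raw):
    """Return findings for one reply; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    if sender.domain.lower() == INTERNAL_DOMAIN:
        auth = parse_auth_results(msg.get("Authentication-Results", ""))
        if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
            findings.append("internal From domain but neither SPF nor DKIM passed")
        if auth.get("dmarc") == "fail":
            findings.append("DMARC failed for internal From domain")
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses[0].domain.lower() != sender.domain.lower():
        findings.append("Reply-To domain differs from From domain")
    last_seen = THREAD_LAST_SEEN.get(msg.get("In-Reply-To"))
    if last_seen and msg["Date"].datetime - last_seen > STALE_AFTER:
        findings.append("reply to a thread idle for more than %d days" % STALE_AFTER.days)
    return findings
```

A reply sent from the genuinely compromised account passes every authentication check here, which is why the thread-age and Reply-To checks matter alongside SPF/DKIM.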

How can organizations defend against thread hijacking?

Deploy behavioral detection solutions that establish baseline activity patterns and flag anomalies such as new login locations, unusual mailbox rule creation, or replies to old threads. Implement phishing-resistant multi-factor authentication (FIDO2/WebAuthn) on all email accounts to prevent the initial compromise that enables internal thread hijacking. Enable strict email authentication via SPF, DKIM, and DMARC to detect external thread hijacking where attackers spoof the sender's domain (though this provides no protection against hijacking from legitimately compromised accounts).

Monitor mailbox audit logs for suspicious mailbox rule creation—particularly rules with single-character names, rules that move all incoming mail, or rules created shortly after unusual login events. Train users that phishing can arrive as replies within trusted conversations, not only as new unsolicited emails, and emphasize out-of-band verification for any unexpected requests involving payments, credentials, or sensitive data. Maintain current patch levels on email servers, especially Microsoft Exchange, to prevent exploitation of vulnerabilities like ProxyLogon that enable mass email data theft. Deploy endpoint detection and response (EDR) tools to detect and block malware like Emotet, Qakbot, and IcedID that enable email exfiltration.
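To illustrate the mailbox-rule monitoring above, here is an added Python example (not code from the page or from any vendor product). It scans a constructed, simplified audit log, not a real Exchange export, for rule creations with single-character names, catch-all move rules, mark-as-read plus stop-processing combinations, and rules created within 30 minutes of a login from an IP outside the user's baseline. The log format, the IP baseline and the 30-minute window are assumptions.

```python
import json
from datetime import datetime, timedelta
# Constructed, simplified audit events (not a real Exchange or M365 export): one JSON
# object per line with the operation, the acting user, time, client IP and, for rule
# creation, the rule name and the parameters it sets.
AUDIT_LOG = """\
{"time": "2024-03-05T07:58:00Z", "op": "UserLoggedIn", "user": "dana.lee@example.com", "ip": "198.51.100.23"}
{"time": "2024-03-05T08:03:00Z", "op": "New-InboxRule", "user": "dana.lee@example.com", "ip": "198.51.100.23", "name": ".", "params": {"MarkAsRead": true, "StopProcessingRules": true, "MoveToFolder": "Archive"}}
{"time": "2024-03-05T08:10:00Z", "op": "New-InboxRule", "user": "pat@example.com", "ip": "203.0.113.9", "name": "Newsletters", "params": {"SubjectContainsWords": ["newsletter"], "MoveToFolder": "Reading"}}
"""

# Assumed baseline of IPs each user normally signs in from (constructed).
KNOWN_IPS = {"dana.lee@example.com": {"203.0.113.9"}, "pat@example.com": {"203.0.113.9"}}
LOGIN_WINDOW = timedelta(minutes=30)
# Parameters that narrow a rule; a move rule without any of them matches all incoming mail.
CONDITION_KEYS = {"From", "SentTo", "SubjectContainsWords", "BodyContainsWords", "HeaderContainsWords"}

def parse_time(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def score_rule(event, recent_logins):
    """Return the reasons a New-InboxRule event looks like hijacking persistence."""
    reasons = []
    if len(event.get("name", "").strip()) <= 1:
        reasons.append("single-character or empty rule name")
    params = event.get("params", {})
    if "MoveToFolder" in params and not (CONDITION_KEYS & params.keys()):
        reasons.append("moves mail with no filtering condition (catches all incoming mail)")
    if params.get("MarkAsRead") and params.get("StopProcessingRules"):
        reasons.append("marks mail as read and stops further rule processing")
    created = parse_time(event["time"])
    for login_time, ip in recent_logins.get(event["user"], []):
        if ip not in KNOWN_IPS.get(event["user"], set()) and timedelta(0) <= created - login_time <= LOGIN_WINDOW:
            minutes = int((created - login_time).total_seconds() // 60)
            reasons.append(f"created {minutes} min after login from unfamiliar IP {ip}")
    return reasons

def scan(log_text):
    """Walk the log in order, remember logins, and return {(user, rule name): reasons}."""
    recent_logins, flagged = {}, {}
    for line in log_text.splitlines():
        ev = json.loads(line)
        if ev["op"] == "UserLoggedIn":
            recent_logins.setdefault(ev["user"], []).append((parse_time(ev["time"]), ev["ip"]))
        elif ev["op"] == "New-InboxRule":
            reasons = score_rule(ev, recent_logins)
            if reasons:
                flagged[(ev["user"], ev["name"])] = reasons
    return flagged
```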

FAQs

Q: How does thread hijacking differ from regular phishing?

Regular phishing sends new, unsolicited emails from spoofed or unknown senders. Thread hijacking inserts malicious messages into existing email conversations that the recipient already trusts. Because the reply appears within a familiar conversation context with prior message history visible, recipients are far more likely to trust and act on the message. Response rates for thread-hijacked emails can reach 80%, substantially exceeding typical phishing click rates (Kaspersky, 2024; Palo Alto Networks Unit 42, 2020).

Q: What malware families use thread hijacking?

Emotet pioneered thread hijacking at scale, stealing email data from infected hosts to generate spoofed reply-chain emails. Qakbot (Qbot), IcedID, and SquirrelWaffle have all adopted similar techniques. In 2022, Qakbot used email threads stolen during the ProxyLogon Exchange server compromises to target previously uncompromised organizations. The technique became a signature element of major botnet operations (Cisco Talos, 2022; Palo Alto Networks Unit 42, 2020).

Q: How fast can a thread hijacking attack unfold?

Palo Alto Networks Unit 42 documented an Emotet case where the entire attack chain—from initial infection to exfiltration of email data to delivery of a thread-hijacked email—completed in approximately 1 hour and 51 minutes. The monitoring and response phases were remarkably rapid, suggesting automated processes (Palo Alto Networks Unit 42, 2020).

Q: Is thread hijacking increasing?

Yes. Barracuda's 2024 report found that conversation hijacking increased 70% since 2022 (from 0.3% to 0.5% of social engineering attacks). While the percentage seems modest, these attacks are resource-intensive and yield disproportionately large payouts when successful, making them a growing concern for organizations (Barracuda Networks, 2024).

Q: Can email authentication (DMARC) stop thread hijacking?

Partially. DMARC/SPF/DKIM can help detect external thread hijacking where the attacker spoofs the sender's domain from external infrastructure. However, when thread hijacking occurs from a compromised internal account—the attacker is sending from the legitimate account—email authentication provides no protection because the email is genuinely authenticated. Behavioral detection and account security controls are needed to prevent internal thread hijacking (xorlab, 2024; Darktrace, 2024).

© 2026 Kinds Security Inc. All rights reserved.