Email Thread Hijacking

Attackers compromise mailboxes and reply to existing conversation threads, inheriting trust and bypassing suspicion that new emails would trigger.

MITRE ATT&CK: T1566.001

Timeline: The Cat and Mouse

2017 ← Attack emerges → 2020 ← Defenses develop → 2023 ← Still effective → Present

The Evolution

Phase     Period     What Happened
--------  ---------  -----------------------------------------------------------
ATTACK    2017       Emotet pioneers automated thread hijacking at scale
PEAK      2019       Technique spreads; harvests email → replies to threads
          2020-2022  QakBot, IcedID adopt; primary method for banking trojans
RESPONSE  2020       Conversation anomaly detection in SEGs
          2021       Enhanced attachment analysis in reply chains
          2022       Behavioral analytics detect abnormal sending patterns
CURRENT   2023+      Remains highly effective; trust inheritance hard to defeat

Key Events with Sources

Date  Event                         Significance                                             Source
----  ----------------------------  -------------------------------------------------------  ----------
2017  Emotet thread hijacking       First malware to automate reply-based delivery at scale  Proofpoint
2019  Technique goes mainstream     Multiple malware families adopt thread hijacking         Cofense
2020  Emotet takedown (temporary)   International operation disrupts, but technique survives Europol
2021  Emotet returns                Rebuilt with enhanced thread hijacking                   CISA
2023  QakBot uses technique         Thread hijacking remains primary initial access vector   Microsoft

Overview

Thread hijacking takes email attacks to the next level: instead of sending a new phishing email, attackers compromise a mailbox and reply to existing conversations. The victim receives what appears to be a continuation of a legitimate discussion, complete with correct context, real participants, and natural conversation flow.

The Attack

How It Works

1. Attacker compromises victim1@company.com (via phishing, credential stuffing, etc.)
2. Attacker reads victim1's inbox, finds conversation with victim2
3. Attacker replies to the thread from victim1's account:

   -------- Original Thread --------
   victim2: "Here are the quarterly figures"
   victim1: "Thanks, I'll review them"

   -------- Hijacked Reply --------
   victim1 (attacker): "One more document to review"
   Attachment: Q4-Addendum.docm (malware)

4. victim2 receives reply in existing thread
5. victim2 trusts it because:
   - It's from someone they know
   - It's in an existing conversation
   - The context makes sense

Why It’s So Effective

Trust Inheritance:

  • Existing thread = established relationship
  • User already engaged with this sender
  • Previous messages provide legitimacy

Context Hijacking:

  • Attacker reads thread to craft relevant reply
  • Malicious content fits the conversation topic
  • “One more document” feels natural

Security Bypass:

  • From address is legitimate (compromised account)
  • All authentication passes
  • No cold-call suspicion

Real-World Examples

Emotet Thread Hijacking:

Original: Discussion about invoice payment
Hijacked Reply: "Updated invoice attached"
Attachment: Invoice-UPDATE.doc (macro malware)

QakBot Campaign:

Original: Project status discussion
Hijacked Reply: "See attached for additional details"
Attachment: ProjectStatus.zip (password in email body)

BEC Thread Hijacking:

Original: Vendor payment discussion
Hijacked Reply: "Please use these updated wire details"
(No attachment, just wire fraud)

Automation at Scale

Emotet pioneered automated thread hijacking:

  1. Malware harvests victim’s email and contacts
  2. Sends harvested data to C2
  3. C2 generates contextual replies
  4. Replies sent through legitimate compromised account
  5. New infections repeat the cycle

This delivered personalized attacks at massive scale.

Raw Email Headers (Thread Hijacking)

The magic is in In-Reply-To and References—these place the email in an existing thread:

Return-Path: <victim1@company.com>
Received: from mail.company.com (mail.company.com [192.0.2.10])
        by mx.target.com (Postfix) with ESMTPS id HIJACK01
        for <victim2@target.com>; Thu, 23 Jan 2025 08:15:45 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=company.com; s=selector1;
        h=from:to:subject:date:in-reply-to:references;
        bh=hijacked123...;
        b=signature456...
Authentication-Results: mx.target.com;
        dkim=pass header.d=company.com;
        spf=pass smtp.mailfrom=victim1@company.com;
        dmarc=pass (p=REJECT) header.from=company.com
From: "Alice Johnson" <victim1@company.com>
To: victim2@target.com
Subject: Re: Q4 Financial Review - Additional Document
Date: Thu, 23 Jan 2025 08:15:40 -0500
Message-ID: <hijacked-msg-001@company.com>
In-Reply-To: <original-thread-msg-005@target.com>
References: <original-thread-msg-001@target.com>
           <original-thread-msg-002@company.com>
           <original-thread-msg-003@target.com>
           <original-thread-msg-004@company.com>
           <original-thread-msg-005@target.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="boundary123"

--boundary123
Content-Type: text/plain; charset=UTF-8

Hi Bob,

One more document for the Q4 review. Please see attached.

Thanks,
Alice

--boundary123
Content-Type: application/vnd.ms-word.document.macroEnabled.12
Content-Disposition: attachment; filename="Q4-Addendum.docm"
Content-Transfer-Encoding: base64

[Base64-encoded malware]
--boundary123--

Key observations:

  • dkim=pass, spf=pass, dmarc=pass — Sent from compromised legitimate account
  • In-Reply-To: — References the last message in the thread
  • References: — Contains full thread history, ensuring proper threading
  • Subject: Re: — Matches existing conversation
  • Email client displays this inside the existing thread
  • Recipient sees context from previous legitimate messages

Defenses

Compromised Account Detection

Identify when legitimate accounts behave abnormally:

  • Sudden increase in outbound volume
  • Sending to unusual recipients
  • Attachments when user rarely sends them
  • Login from unusual locations before sending

Thread Anomaly Analysis

SEGs can analyze:

  • Time gap between messages (days/weeks unusual)
  • Topic drift (sudden change in conversation)
  • Attachment introduction in text-only thread
  • Language pattern changes

User Behavior Analytics

Compare current behavior to baseline:

  • Does this user normally send .docm files?
  • Do they usually email this recipient?
  • Is this sending time normal for them?
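As an added example (not code from the original page or from any SEG or UEBA product), the following Python scores one outbound send against the sender's own baseline, covering the signals listed under Compromised Account Detection and User Behavior Analytics above: recipients, attachment habit, sending hours and volume. The sending history, the addresses, and the two thresholds (30% attachment rate, three times the daily volume) are constructed assumptions; it runs offline on the Python standard library.

```python
"""Added example: compare one outbound send with the sender's own baseline to
surface the account-compromise signals listed above. Standard library only;
the history, addresses and thresholds are constructed assumptions."""
from collections import Counter
from datetime import datetime

# Constructed sending history for victim1@company.com over a working fortnight:
# (ISO timestamp, recipient, attachment extension or None).
HISTORY = [
    ("2025-01-06T09:12:00", "victim2@target.com", None),
    ("2025-01-06T11:40:00", "cfo@company.com", "xlsx"),
    ("2025-01-07T10:03:00", "victim2@target.com", None),
    ("2025-01-07T14:45:00", "pm@company.com", None),
    ("2025-01-08T16:31:00", "victim2@target.com", None),
    ("2025-01-09T08:50:00", "cfo@company.com", None),
    ("2025-01-10T13:15:00", "legal@company.com", "pdf"),
    ("2025-01-13T09:30:00", "victim2@target.com", None),
]

ATTACHMENT_RATE_FLOOR = 0.3   # below this the user "rarely sends attachments"
VOLUME_SPIKE_FACTOR = 3       # sends in the last hour vs. average sends per day


def build_baseline(history):
    """Summarise who the user writes to, what they attach and when they send."""
    hours = [datetime.fromisoformat(ts).hour for ts, _, _ in history]
    active_days = {ts[:10] for ts, _, _ in history}
    extensions = Counter(ext for _, _, ext in history if ext)
    return {
        "recipients": Counter(rcpt for _, rcpt, _ in history),
        "extensions": extensions,
        "attachment_rate": sum(extensions.values()) / len(history),
        "hour_min": min(hours),
        "hour_max": max(hours),
        "daily_volume": len(history) / len(active_days),
    }


def score_send(baseline, ts, recipient, ext, sent_last_hour):
    """Return the baseline deviations for one send; an empty list means normal."""
    flags = []
    hour = datetime.fromisoformat(ts).hour
    if recipient not in baseline["recipients"]:
        flags.append("new_recipient")
    if ext and ext not in baseline["extensions"]:
        flags.append(f"never_sent_.{ext}")
    if ext and baseline["attachment_rate"] < ATTACHMENT_RATE_FLOOR:
        flags.append("attachment_unusual_for_sender")
    if not baseline["hour_min"] <= hour <= baseline["hour_max"]:
        flags.append("off_hours")
    if sent_last_hour > VOLUME_SPIKE_FACTOR * baseline["daily_volume"]:
        flags.append("volume_spike")
    return flags


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # A routine reply to a regular contact, no attachment, one send this hour.
    print(score_send(base, "2025-01-14T10:00:00", "victim2@target.com", None, 1))
    # The hijacked reply: first ever .docm, and the ninth send within an hour
    # as the attacker replies across many threads.
    print(score_send(base, "2025-01-23T08:15:40", "victim2@target.com", "docm", 9))
```

The recipient is deliberately a known contact, because in thread hijacking it always is; the deviations that remain (first-ever file type, attachment from a user who rarely sends them, a burst of sends) are what the baseline comparison has to carry. The "login from unusual locations" signal needs sign-in telemetry the page does not include, so it is left out here.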

Attachment Sandboxing

Extra scrutiny for:

  • Attachments in reply chains
  • Password-protected archives
  • Macro-enabled documents
  • Links in long-dormant threads

Attacker Adaptation

Better Context Matching

More sophisticated thread hijacking:

  • Read more of conversation history
  • Match writing style of compromised user
  • Use relevant terminology from thread
  • Time messages appropriately

Delayed Hijacking

Compromise account → wait weeks → hijack threads

  • Avoids correlation with initial compromise
  • Account appears “normal” during waiting period
  • Newer threads available to hijack

Non-Malware Payloads

Not just attachments:

  • Links to credential harvesting
  • Wire transfer requests
  • Sensitive data requests
  • Gift card scams

Current State

Status: Active

Thread hijacking remains one of the most effective email attack techniques:

Why It Works           Defensive Challenges
---------------------  -------------------------------
Inherits trust         Legitimate sender/account
Context-aware          Hard to distinguish from normal
Authentication passes  No spoofing to detect
User engaged           Lower suspicion threshold

Detection Guidance

Indicators

Look for:

  • Long-dormant threads suddenly active
  • Attachments appearing in reply chains
  • Requests for credentials/payment in replies
  • Language/tone shifts within threads

SIEM Queries

email.is_reply = true
AND email.thread_age_days > 7
AND email.has_attachment = true
AND attachment.type IN ("docm", "xlsm", "zip", "iso")
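As an added example (not code from the page or from any SEG or SIEM), this Python turns a raw message modelled on the headers in the Raw Email Headers section into the fields the query above uses (is_reply, thread_age_days, has_attachment, attachment type) and adds the checks from Thread Anomaly Analysis: time gap to the parent message, References consistency, and an attachment introduced into a text-only thread. The recipient-side thread index (Message-IDs and dates already seen), the message, and the harmless base64 placeholder standing in for the attachment body are all constructed; it runs offline on the Python standard library.

```python
"""Added example: normalise a raw RFC 5322 reply into the fields the SIEM rule
uses and add the threading and attachment checks from the header walkthrough.
Standard library only; all data below is constructed for illustration."""
import email
import email.utils
import os

# Constructed recipient-side thread index: Message-IDs already seen in the
# thread -> (Date header of that message, whether it carried an attachment).
THREAD_INDEX = {
    "<original-thread-msg-001@target.com>": ("Mon, 06 Jan 2025 09:00:00 -0500", False),
    "<original-thread-msg-002@company.com>": ("Mon, 06 Jan 2025 11:20:00 -0500", False),
    "<original-thread-msg-003@target.com>": ("Tue, 07 Jan 2025 10:05:00 -0500", False),
    "<original-thread-msg-004@company.com>": ("Tue, 07 Jan 2025 14:40:00 -0500", False),
    "<original-thread-msg-005@target.com>": ("Wed, 08 Jan 2025 16:30:00 -0500", False),
}

# Constructed message modelled on the headers shown earlier on the page. The
# attachment body is a harmless base64 placeholder, not malware.
RAW_MESSAGE = """\
Authentication-Results: mx.target.com;
        dkim=pass header.d=company.com;
        spf=pass smtp.mailfrom=victim1@company.com;
        dmarc=pass (p=REJECT) header.from=company.com
From: "Alice Johnson" <victim1@company.com>
To: victim2@target.com
Subject: Re: Q4 Financial Review - Additional Document
Date: Thu, 23 Jan 2025 08:15:40 -0500
Message-ID: <hijacked-msg-001@company.com>
In-Reply-To: <original-thread-msg-005@target.com>
References: <original-thread-msg-001@target.com>
           <original-thread-msg-002@company.com>
           <original-thread-msg-003@target.com>
           <original-thread-msg-004@company.com>
           <original-thread-msg-005@target.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="boundary123"

--boundary123
Content-Type: text/plain; charset=UTF-8

One more document for the Q4 review. Please see attached.

--boundary123
Content-Type: application/vnd.ms-word.document.macroEnabled.12
Content-Disposition: attachment; filename="Q4-Addendum.docm"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--boundary123--
"""

# Attachment types named in the SIEM query.
SUSPICIOUS_TYPES = {"docm", "xlsm", "zip", "iso"}


def normalise(raw, thread_index):
    """Parse a raw message and derive thread and attachment signals from it."""
    msg = email.message_from_string(raw)
    in_reply_to = (msg.get("In-Reply-To") or "").strip()
    references = (msg.get("References") or "").split()  # split() also unfolds
    sent_at = email.utils.parsedate_to_datetime(msg["Date"])

    # Every MIME part declared as an attachment, and its file extension.
    names = [p.get_filename() or "" for p in msg.walk()
             if p.get_content_disposition() == "attachment"]
    types = [os.path.splitext(n)[1].lstrip(".").lower() for n in names]

    # Thread age: days since the message this reply claims to answer.
    parent = thread_index.get(in_reply_to)
    age_days = None
    if parent:
        age_days = (sent_at - email.utils.parsedate_to_datetime(parent[0])).days

    # A real client lists the parent last in References; unknown IDs suggest
    # a thread the recipient never took part in.
    consistent = bool(in_reply_to) and references[-1:] == [in_reply_to]
    unknown = [r for r in references if r not in thread_index]
    had_attachment = any(thread_index[r][1] for r in references if r in thread_index)

    auth = msg.get("Authentication-Results") or ""
    return {
        "is_reply": bool(in_reply_to) or msg.get("Subject", "").lower().startswith("re:"),
        "thread_age_days": age_days,
        "has_attachment": bool(names),
        "attachment_types": types,
        "thread_consistent": consistent,
        "unknown_references": unknown,
        "attachment_introduced": bool(names) and not had_attachment,
        # Authentication passes on a hijacked thread, so it is not a signal.
        "auth_passed": all(f"{m}=pass" in auth for m in ("dkim", "spf", "dmarc")),
    }


def siem_rule(record):
    """The SIEM query above, evaluated over the normalised record."""
    return bool(record["is_reply"]
                and (record["thread_age_days"] or 0) > 7
                and record["has_attachment"]
                and set(record["attachment_types"]) & SUSPICIOUS_TYPES)


if __name__ == "__main__":
    rec = normalise(RAW_MESSAGE, THREAD_INDEX)
    for key, value in rec.items():
        print(f"{key:22} {value}")
    print("SIEM rule fires:", siem_rule(rec))
```

Note what the record shows: dkim, spf and dmarc all pass and the References chain is perfectly consistent, exactly as the Key observations list says, so neither authentication nor threading structure separates this reply from a real one. The fields that do are thread_age_days (14 days of silence), the attachment appearing in a thread that has never carried one, and the macro-enabled extension; the SIEM rule fires on those alone.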

User Training

Train users to:

  • Be suspicious of unexpected attachments in old threads
  • Verify requests even from known contacts
  • Question sudden urgency in dormant conversations
  • Report threads that don’t “feel right”

Account Compromise Response

When thread hijacking is detected:

  1. Disable compromised account immediately
  2. Reset credentials
  3. Revoke active sessions
  4. Check for mail forwarding rules
  5. Review recently sent messages
  6. Notify recipients of hijacked messages
  7. Check for lateral movement

What Killed It (or Weakened It)

Defense                         Introduced  Impact
------------------------------  ----------  -------------------------------------------------------
Conversation Anomaly Detection  2020        SEGs analyze thread context for suspicious additions
Attachment Analysis in Replies  2021        Extra scrutiny for attachments in reply chains
Compromised Account Detection   2022        Behavioral analytics identify abnormal sending patterns