Thread Hijacking: Phishing From Inside Trusted Emails

Elena Vasquez··7 min read
An employee carefully reading an email thread on an office computer

Most phishing advice trains people to be suspicious of strangers: unknown senders, unexpected requests, messages out of the blue. Thread hijacking weaponizes the opposite instinct. The malicious message arrives inside a real conversation you are already part of, with a familiar subject line, the genuine reply history quoted below, and a sender you know and trust. By the time the link or attachment appears, every "unknown sender" alarm has already been silenced.

It is one of the most effective email attack techniques in circulation, and it has been refined over years by some of the most prolific malware operations on record. Understanding how it works, and why it slips past trained employees, is the first step to defending against it.

What Thread Hijacking Actually Is

Thread hijacking, also called conversation hijacking or a reply-chain attack, is a technique in which an attacker inserts a malicious message into a legitimate, ongoing email conversation. Rather than spoofing a sender from outside, the attacker typically operates from a genuinely compromised mailbox, replying within threads that already exist in that account.

The mechanics usually follow a pattern:

  1. An attacker compromises a mailbox, often through an earlier phishing email, malware, or stolen credentials.
  2. They harvest existing email threads from that account, real conversations with real history.
  3. They reply inside one of those threads, keeping the subject line and quoted history intact, and add a malicious link or attachment.
  4. Because the message comes from a trusted contact and continues a conversation the recipient recognizes, it is opened and acted on.

Palo Alto Networks' Unit 42 documented this technique in detail in its case study on Emotet thread hijacking, and incident responders at Kroll have tracked the same pattern in QakBot cases.

Why It Defeats Trained Employees

Thread hijacking is dangerous precisely because it neutralizes the heuristics most awareness programs teach. Consider how it sidesteps the classic red flags:

  • Unknown sender? No, the sender is a real colleague, client, or vendor the recipient has emailed before.
  • Unexpected message? No, it continues a conversation already in progress.
  • Generic greeting? No, the thread is personalized by definition, it is your actual exchange.
  • Poor grammar or odd phrasing? Often minimal, since the attacker can mirror the tone of the genuine history above.

The technique has a long and effective pedigree. It was popularized by Emotet, which harvested email content from infected machines to build convincing replies, and by QakBot (Qbot), which reused stolen threads across campaigns. In some cases QakBot operators reused threads harvested from mailboxes compromised months earlier, demonstrating just how durable stolen conversation history can be. The payoff is measurable: because the messages came from real accounts with full context, open and engagement rates ran far higher than for cold phishing, with some campaigns reporting that nearly 45% of targeted recipients opened the malicious attachments.

What an Attack Looks Like in Practice

To see why this technique is so effective, walk through a realistic example. A supplier's accounts-payable clerk has their mailbox compromised after entering credentials on a phishing page weeks earlier. The attacker quietly reads the mailbox and finds an active thread about an outstanding invoice between the clerk and a customer's finance team.

The attacker replies inside that exact thread. The subject line is unchanged, the entire prior exchange is quoted below, and the message comes from the clerk's real address. It reads: "Apologies for the delay, here's the updated invoice with our new bank details attached." Attached is a document, or a link to one, carrying either a payment-redirection request or malware.

From the recipient's perspective, every signal is reassuring. They recognize the sender, they remember the conversation, and the request, an updated invoice, is exactly what they were expecting. Nothing in their phishing training tells them to distrust a colleague continuing a conversation they started. That is precisely the gap the attacker is counting on. The only anomaly is the thing that does not belong: an unexpected attachment and a change to payment details, which a single out-of-band phone call would expose in seconds.

Thread hijacking exploits the single most powerful signal in email, trust, and turns it into the delivery mechanism. The defense is not to trust less, but to verify the one thing that does not belong: an unexpected link or attachment.

How to Spot a Hijacked Thread

Because the sender and history are genuine, the tell is rarely in the envelope, it is in the ask. Train employees to focus on the anomaly inside an otherwise familiar message:

  • An unexpected link or attachment in a known thread. A conversation that was purely text suddenly includes a file to open or a link to "the document we discussed" that no one actually discussed.
  • A subtle shift in tone or urgency. A normally relaxed contact suddenly pushes you to open something quickly.
  • A reply that does not quite fit. The new message is generic or vague compared to the specific, detailed history quoted beneath it.
  • Password-protected archives. A ZIP file with the password helpfully included in the email body is a long-standing hallmark of these campaigns.
  • Reply-to or display-name oddities. Occasionally the underlying address differs from the genuine participant, worth a glance even when the thread looks right.

The single most reliable defense is verification out of band. If a known contact sends an unexpected file or link, confirm it through a different channel, a phone call, a chat message, or a fresh email you compose yourself, before clicking. A ten-second check defeats an attack that bypasses every visual cue.

Building the Instinct With Simulation and Training

You cannot teach "distrust unknown senders" your way out of an attack that comes from known senders. Defending against thread hijacking requires a different reflex: pause on an unexpected link or attachment, even from someone you trust, and verify. That instinct is built through practice, not memos.

Realistic phishing simulation is the most effective way to develop it. A simulation that mimics a reply within a plausible internal thread tests whether employees apply scrutiny when the usual red flags are absent, exactly the gap thread hijacking exploits. empowsec's phishing simulation platform lets you run these scenarios safely, and its teachable-moment debrief explains, right after a click, why a familiar-looking message was actually a trap and what to check next time.

Reporting matters just as much. Because hijacked threads often arrive in waves from a single compromised account, fast employee reporting gives security teams the early signal they need to contain a campaign. empowsec's report-phishing add-ons for Gmail and Google Workspace and for Outlook put a one-click report button directly in the inbox, so a suspicious reply becomes an alert rather than a click.

Key Takeaways

  • Thread hijacking inserts a malicious reply into a real email conversation, with a genuine subject, history, and trusted sender, usually from a compromised mailbox.
  • It defeats trained employees by neutralizing the "unknown sender" instinct and the other classic phishing red flags.
  • Refined by Emotet and QakBot, the technique drove far higher engagement than cold phishing, with some campaigns seeing roughly 45% of recipients open malicious attachments.
  • The tell is the anomaly inside the message: an unexpected link or attachment, a tone shift, or a password-protected archive.
  • Defend with out-of-band verification, realistic phishing simulation with teachable-moment debriefs, and one-click reporting to catch campaigns early.
Share: