May 23, 2026

What Is Thread Hijacking and How Does It Reach Your Inbox

Thread hijacking abuses trusted email conversations to deliver malware or fraud. Learn how the attack works and what controls can detect it.

Key Insights

Thread hijacking starts with a compromised mailbox, allowing attackers to reply from real accounts so SPF, DKIM, and DMARC checks pass.

Traditional email gateways evaluate messages in isolation, lacking the relationship context needed to flag malicious replies in legitimate threads.

Attackers create inbox rules to redirect or hide replies, enabling silent, repeated fraud by monitoring conversations undetected.

FBI IC3 reported $2.77 billion in BEC losses in 2024, with thread hijacking cited as one of the delivery mechanisms behind those losses.

A reply lands in your inbox from a colleague or vendor you have been emailing for weeks. The subject line matches, the thread history is real, and the sender address checks out. Inside that reply, though, is a malicious attachment, a fraudulent payment instruction, or a credential-harvesting link.

That is thread hijacking: an email attack that abuses trust already built inside legitimate conversations. Because it uses real accounts, real threads, and real relationships, both people and email defenses may struggle to spot it. For security teams, understanding how thread hijacking works and where controls can help is essential.

Key Takeaways

  • Thread hijacking starts with account compromise. Attackers gain access to a legitimate mailbox, then insert malicious content into existing email conversations, which allows authentication checks to pass.
  • It defeats both humans and automated tools. Existing thread context lowers suspicion, while legitimate sending infrastructure can satisfy standard filtering checks.
  • The technique persists across malware families. Multiple malware families have used thread hijacking as a delivery method, and the technique has continued after major disruptions.
  • Traditional email gateways often struggle with it. Many inspection engines evaluate messages in isolation, with limited context about what is normal within a specific sender relationship.
  • Detection relies on context. Identifying thread hijacking requires correlation across identity signals, session and device signals, and behavioral signals over time.

How Thread Hijacking Differs from Standard Phishing

Thread hijacking differs from standard phishing because the attacker replies from a real compromised mailbox inside a legitimate conversation.

Rather than crafting a new message from a spoofed or lookalike domain, the attacker operates inside an existing exchange where trust has already been established. That distinction changes what defenders need to look for. A few differences matter most:

  • Compromised Mailbox: The attacker controls a real mailbox rather than a spoofed address. MITRE ATT&CK classifies the core technique as T1534.
  • Inherited Trust: The attacker benefits from trust the legitimate account holder already established through normal business communication.
  • Lower Friction: As the Krebs report has documented, thread hijacking campaigns often avoid the obvious urgency that exposes many phishing attempts.

The Thread Hijacking Attack Chain

Thread hijacking follows a repeatable sequence from mailbox access to malicious replies and continued access.

Compromise the Account

The first step is gaining control of a legitimate mailbox.

MITRE ATT&CK documents several paths to access, including credential phishing, purchased stolen credentials, brute-forced passwords from breach dumps, and exploitation of unpatched mail server vulnerabilities. Stolen credentials remain widely available on underground markets, which lowers the barrier to entry for many threat actors.

Another documented method is adversary-in-the-middle (AiTM) phishing, which can steal credentials and session information that support continued mailbox access.

Collect and Select Threads

Once inside the mailbox, attackers choose conversations that can make a malicious reply look routine.

Some malware families have automated this step by harvesting stored email content from infected machines to support reply-chain activity at scale. That harvesting supports volume, but the attacker still has to choose where to insert the message. In practice, thread selection often centers on conversations tied to active business processes.

Common targets include:

  • Financial Threads: Conversations tied to invoices, wire transfers, or payment approvals.
  • Vendor Threads: Exchanges with suppliers or external partners where a request may seem expected.
  • Active Workflows: Recently active discussions where a reply appears timely.

Attackers tend to select threads that already involve business transactions, since that context helps the malicious reply blend into the exchange.

Insert the Payload

The attacker replies inside the chosen thread with content that fits the business context.

The malicious reply can take several forms:

  • Malicious Attachments: Password-protected ZIP files, ISO images, or PDF documents that redirect to malicious download links.
  • Financial Fraud Requests: A text-based request to change payment details or wire instructions.
  • Credential Links: A link that directs the recipient to a convincing login page.

Because the reply sits inside a real conversation with real participants, it can appear consistent with the thread even when the payload is malicious.

Maintain Persistence

Many thread hijacking campaigns continue because attackers preserve access and hide visible signs of compromise.

Attackers routinely create inbox rules that redirect matching emails, mark them as read, or stop further processing. Those rules can help an attacker intercept replies without the legitimate user noticing, allowing them to continue monitoring conversations and insert additional fraudulent messages when the timing fits.
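The rule traits described above (redirecting matches, marking them read, stopping further processing, parking mail in folders nobody reads) are exactly what a responder looks for when auditing a suspected mailbox. The following Python is an added example, not code from this page or any vendor product; the sample rules are constructed, and the assumption that their field names mirror an Exchange Online Get-InboxRule export is the example's own.

```python
# Constructed sample inbox rules (not from a real tenant). Field names follow the
# properties of an Exchange Online Get-InboxRule export; that mapping is an
# assumption of this example.
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Newsletters",
     "MarkAsRead": False, "StopProcessingRules": False, "DeleteMessage": False,
     "ForwardTo": [], "RedirectTo": [], "SubjectContainsWords": [], "BodyContainsWords": []},
    {"Name": ".", "Enabled": True, "MoveToFolder": "RSS Subscriptions",
     "MarkAsRead": True, "StopProcessingRules": True, "DeleteMessage": False,
     "ForwardTo": [], "RedirectTo": [],
     "SubjectContainsWords": ["invoice", "wire", "payment"], "BodyContainsWords": []},
    {"Name": "Backup", "Enabled": True, "MoveToFolder": "",
     "MarkAsRead": False, "StopProcessingRules": False, "DeleteMessage": True,
     "ForwardTo": ["archive@outside-relay.example"], "RedirectTo": [],
     "SubjectContainsWords": [], "BodyContainsWords": []},
]

INTERNAL_DOMAINS = {"corp.example"}   # assumption: the organization's own mail domains
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "deleted items", "junk email", "archive"}
FINANCE_WORDS = {"invoice", "wire", "payment", "bank", "remittance", "ach", "iban"}

def audit_rule(rule):
    """Return (score, reasons) for one rule; each reason is a trait attackers
    commonly combine to intercept replies without the mailbox owner noticing."""
    reasons = []
    targets = list(rule.get("ForwardTo", [])) + list(rule.get("RedirectTo", []))
    if any(t.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS for t in targets):
        reasons.append("forwards or redirects to an external address")
    if rule.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append("moves mail to a rarely viewed folder")
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail")
    if rule.get("MarkAsRead") and rule.get("StopProcessingRules"):
        reasons.append("marks as read and stops further rule processing")
    words = {w.lower() for w in rule.get("SubjectContainsWords", []) + rule.get("BodyContainsWords", [])}
    if words & FINANCE_WORDS:
        reasons.append("matches on financial keywords")
    if not rule.get("Name", "").strip(" .,-_"):
        reasons.append("blank or punctuation-only rule name")
    return len(reasons), reasons

def audit_mailbox(rules, threshold=2):
    """Names of enabled rules that combine at least `threshold` suspicious traits."""
    return [r["Name"] for r in rules if r.get("Enabled") and audit_rule(r)[0] >= threshold]
```

A single trait (a newsletter filter that moves mail) is normal; the score rises when several traits stack on one rule, which is the pattern worth paging on.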

Thread Hijacking Variants Security Teams Should Know

Thread hijacking appears in several variants, and each changes the attacker's objective and the defender's visibility.

  • Malware Delivery via Hijacked Thread: IcedID, Qakbot, and Emotet campaigns inserted malicious files into ongoing conversations, with payload formats shifting over time.
  • Financial Fraud via Mid-Conversation Insert: The attacker monitors a thread discussing a pending payment, then inserts new banking details at the moment of transaction.
  • Vendor Email Compromise (VEC): A compromised vendor account hijacks threads with the vendor's customers for invoice fraud or payment redirection.
  • Multi-Persona Thread Hijacking: Multiple attacker-controlled personas reply to one another within the same thread, creating the appearance of an ongoing multi-party conversation.
  • AiTM-Enabled Thread Hijacking: Session theft through AiTM phishing can support long-running mailbox surveillance.
  • Internal Lateral Phishing via Thread Hijack: The compromised account sends hijacked thread replies to colleagues within the same organization.
  • Exchange Server Exploitation Variant: Attackers exploit vulnerabilities in on-premises Exchange servers to access stored email threads directly.

Why Thread Hijacking Bypasses Traditional Email Defenses

Thread hijacking often evades conventional email security because the message source is legitimate even when the account is not.

When an attacker sends from a compromised account, authentication checks pass because the email originates from authorized infrastructure. Standard email authentication protocols like SPF, DKIM, and DMARC verify the domain rather than whether the human sender is still legitimate.

Other factors make detection harder:

  • Trusted Sending History: A compromised account carries the reputation of its legitimate owner.
  • Low-Signal Content: A fraudulent payment request may contain no malware, no attachment, and no link.
  • Limited Context: A message can appear coherent because it sits inside a real conversation.

Traditional secure email gateways (SEGs) often evaluate each message independently, applying the same rule set regardless of sender history, communication patterns, or conversational context. Without relationship-level context, many filters have limited evidence that the message is unusual.

How Thread Hijacking Plays Out in the Wild

Real-world campaigns show that thread hijacking remains a durable tactic across fraud and malware operations.

This is not a narrow edge case. According to the FBI IC3, business email compromise (BEC) losses totaled approximately $2.77 billion in 2024, and thread hijacking is one delivery mechanism behind those losses.

Qakbot and Emotet campaigns illustrate how broadly the tactic has been used:

  • Qakbot: Qakbot campaigns exfiltrated locally stored emails from infected endpoints and used that content to craft replies within existing threads.
  • Emotet: A CISA advisory describes Emotet operations that harvested email content from infected machines and used it to build convincing replies within existing threads.
  • Follow-On Risk: Ransomware deployment has been observed following initial Qakbot execution on a compressed timeline, underscoring the urgency of early detection.

Together, these examples show why thread hijacking remains relevant even as specific malware operations are disrupted.

Detecting and Mitigating Thread Hijacking Attacks

Defending against thread hijacking works best when controls address account access, post-compromise behavior, and high-risk business workflows.

  • Prevent Account Compromise: Because thread hijacking depends on mailbox access, stronger identity controls can reduce the attack surface. Phishing-resistant MFA is a strong starting point, especially for higher-risk functions such as executives, finance, HR, and accounts payable. Organizations should also consider limiting legacy authentication protocols and monitoring for compromised credentials in external breach data.
  • Detect Post-Compromise Activity: Detection efforts should focus on internal email sequences from recently compromised accounts and related account activity. In practice, useful indicators can include identity signals, session and device signals, behavioral signals, and unusual thread activity. When a thread hijack is suspected, security teams should suspend the compromised account, revoke active sessions and OAuth tokens, audit inbox rules, notify recipients in the affected thread, and assess possible lateral movement.
  • Harden Financial Processes: Process controls remain important when attackers abuse legitimate email threads. Out-of-band verification using a previously known phone number for any payment-instruction change or wire request reduces risk, along with dual approval for higher-risk financial transactions.
  • Train for Thread-Specific Indicators: Thread hijacking-specific training can focus on suspicious changes inside routine conversations, including payment-detail changes introduced mid-thread, mismatched Reply-To information, and requests to move the conversation elsewhere.

Why Behavioral Context Changes the Detection Equation

Behavioral context changes the detection equation because thread hijacking turns a suspicious-message problem into a suspicious-behavior problem.

When the sender is legitimate, the domain is trusted, and the content references a real workflow, static checks may show little that stands out. Effective detection requires per-sender behavioral models maintained over time, with emphasis on observable patterns such as workflow cadences, vendor interaction patterns, recipient behavior, timing, and engagement flows. Key capabilities to look for include:

  • Sender Behavior Modeling: Tracking how each sender typically communicates, including message timing, tone, and recipient patterns.
  • Conversation-Level Analysis: Evaluating new replies against the established context of a thread rather than treating each message in isolation.
  • Identity and Session Correlation: Connecting email activity to login behavior and device signals to flag when a legitimate account may be operating under unauthorized control.
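The thread-specific indicators listed under detection (mismatched Reply-To, payment details changed mid-thread, requests to move the conversation elsewhere) and the sender-behavior and conversation-level modeling described here can be expressed as checks that judge each new reply only against the thread that preceded it. The Python below is an added example, not code from this page or from any product it describes; the thread is constructed, and the two-hour send-time window and the keyword patterns are the example's own heuristics.

```python
import re
from email.utils import parseaddr, parsedate_to_datetime
# Constructed sample thread (not real mail): two routine messages, then a hijacked reply.
THREAD = [
    {"from": "anna@vendor.example", "reply_to": "", "to": ["ap@corp.example"],
     "date": "Mon, 04 May 2026 09:12:00 +0000",
     "body": "Hi, attaching invoice 4471 for April services."},
    {"from": "ap@corp.example", "reply_to": "", "to": ["anna@vendor.example"],
     "date": "Mon, 04 May 2026 10:40:00 +0000",
     "body": "Thanks Anna, approved for payment on the usual terms."},
    {"from": "anna@vendor.example", "reply_to": "anna.vendor@mail-relay.example",
     "to": ["ap@corp.example", "cfo@corp.example"],
     "date": "Thu, 07 May 2026 03:18:00 +0000",
     "body": "Quick update: our bank account has changed, please wire invoice 4471 "
             "to the new IBAN below. Reply to my other address or WhatsApp me."},
]

PAYMENT_CHANGE = re.compile(r"\b(new|changed|updated)\b.{0,40}\b(bank|account|iban|wire)\b", re.I)
OFF_CHANNEL = re.compile(r"\b(whatsapp|personal e-?mail|other address|text me)\b", re.I)

def domain(addr):
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def analyze_reply(history, reply):
    """Judge one new reply against the earlier messages of its thread; returns fired indicators."""
    findings = []
    # 1. Reply-To steering answers to a domain that is not the sender's
    if reply["reply_to"] and domain(reply["reply_to"]) != domain(reply["from"]):
        findings.append("reply_to_domain_mismatch")
    # 2. Recipients who never took part in the thread before
    seen = {m["from"] for m in history} | {r for m in history for r in m["to"]}
    if set(reply["to"]) - seen:
        findings.append("new_participant")
    # 3. Payment details changed mid-thread (text only; no link or attachment needed)
    if PAYMENT_CHANGE.search(reply["body"]) and not any(PAYMENT_CHANGE.search(m["body"]) for m in history):
        findings.append("payment_detail_change")
    # 4. Request to continue the exchange where the thread is not monitored
    if OFF_CHANNEL.search(reply["body"]):
        findings.append("move_conversation")
    # 5. Per-sender timing baseline: send hour more than two hours from any prior send
    hours = {parsedate_to_datetime(m["date"]).hour for m in history if m["from"] == reply["from"]}
    if hours and min(abs(parsedate_to_datetime(reply["date"]).hour - h) for h in hours) > 2:
        findings.append("unusual_send_time")
    return findings

def scan_thread(thread):
    """Replay a thread in order so each message is judged only against what preceded it."""
    return [(i, analyze_reply(thread[:i], m)) for i, m in enumerate(thread) if i > 0]
```

None of these checks needs a link, an attachment, or a failed SPF/DKIM/DMARC result, which is the point: the signal is the break in an established pattern, not the message in isolation.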

Thread hijacking exploits trust that already exists. Layering identity controls, behavioral detection, and process safeguards limits what an attacker can do even after gaining access.

Protect Against Evolving Email Threats

See how behavioral AI detects attacks that legacy defenses miss.