Thread Hijacking
An attack where an adversary compromises a mailbox and replies to existing email threads to appear legitimate to recipients.
Definition
Thread hijacking is a social engineering attack in which a threat actor gains access to a compromised email account or intercepts an email conversation, then inserts malicious messages into an existing email thread. Because the reply appears to continue a legitimate conversation — often with familiar participants and subject lines — recipients are far more likely to trust and act on the message.
Why It Matters
Traditional email security filters rely heavily on sender reputation, domain checks, and subject-line analysis. Thread hijacking bypasses many of these controls because the attacker is operating within a real thread with a genuine history. The attack is used to deliver malware, harvest credentials, or facilitate business email compromise (BEC) fraud with high success rates, as recipients lower their guard when they recognize the conversation.
How It Works
The attacker first compromises a mailbox — through credential theft, phishing, or account takeover — or gains access via a man-in-the-mailbox position. They then monitor existing conversations and time a reply when a response is expected. The injected email carries the full original thread history, preserving In-Reply-To and References headers to pass threading checks in email clients. Payloads are typically embedded as links or attachments within the reply.
DFIR Platform
Phishing Email Checker
The DFIR Lab Phishing Email Checker analyzes In-Reply-To, References, and Message-ID headers to detect conversation hijacking. It compares the sending infrastructure — including originating IP, mail server, and authentication results — against the prior thread's infrastructure pattern to flag inconsistencies that indicate a hijacked reply chain.
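The header and infrastructure checks described above, written out as an added example; this is not DFIR Lab's code, and the three-message thread it inspects is constructed sample data (example.com sender, documentation-range IPs, hypothetical host names) rather than real mail.

```python
"""Flag a hijacked reply: the In-Reply-To/References headers look right, but the
sending infrastructure and authentication results diverge from the thread's history."""
import re
from email import message_from_string
from email.utils import parseaddr

def _raw(mid, parent, refs, host, ip, auth):
    """Build a minimal RFC 5322 message. Constructed sample data, not real mail."""
    hdr = f"Message-ID: <{mid}>\nFrom: Alice <alice@example.com>\nSubject: Re: Q3 invoice\n"
    if parent:
        hdr += f"In-Reply-To: <{parent}>\nReferences: {refs}\n"
    hdr += f"Received: from {host} ({host} [{ip}])\nAuthentication-Results: mx.corp.test; {auth}\n"
    return hdr + "\nSee attached.\n"

OK_AUTH = "spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com"
SAMPLE_THREAD = [
    _raw("m1@example.com", None, "", "mail.example.com", "203.0.113.10", OK_AUTH),
    _raw("m2@example.com", "m1@example.com", "<m1@example.com>", "mail.example.com", "203.0.113.10", OK_AUTH),
    # Hijacked reply: correct threading headers and the same From, but a new origin and failing auth.
    _raw("m3@example.com", "m2@example.com", "<m1@example.com> <m2@example.com>",
         "relay.bulk.invalid", "198.51.100.77", "spf=fail smtp.mailfrom=example.com; dkim=none"),
]

def _profile(msg):
    """Infrastructure fingerprint: originating IP (last Received hop) and SPF/DKIM verdicts."""
    received = msg.get_all("Received") or []
    ip_match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else None
    auth = msg.get("Authentication-Results", "")
    verdict = lambda kind: (re.search(rf"\b{kind}=(\w+)", auth) or [None, "none"])[1]
    return {"ip": ip_match.group(1) if ip_match else None, "spf": verdict("spf"), "dkim": verdict("dkim")}

def analyze_thread(raw_messages):
    """Return (message_id, reason) pairs for replies that break thread continuity."""
    seen_ids, baseline, findings = set(), {}, []
    for raw in raw_messages:
        msg = message_from_string(raw)
        mid, sender, prof = msg["Message-ID"], parseaddr(msg.get("From", ""))[1].lower(), _profile(msg)
        before = len(findings)
        parent = msg.get("In-Reply-To")
        if parent and parent not in seen_ids:
            findings.append((mid, "In-Reply-To references a message not seen in this thread"))
        prior = baseline.get(sender)
        if prior and prior["ip"] != prof["ip"]:
            findings.append((mid, f"origin IP {prof['ip']} differs from thread baseline {prior['ip']}"))
        if prof["spf"] != "pass" or prof["dkim"] != "pass":
            findings.append((mid, f"authentication spf={prof['spf']} dkim={prof['dkim']}"))
        seen_ids.add(mid)
        if len(findings) == before:
            baseline.setdefault(sender, prof)  # only clean messages define the sender's baseline
    return findings
```

Run against the sample thread, only the third message is flagged, once for the changed origin IP and once for the failed SPF/DKIM verdicts, even though its In-Reply-To and References chain is intact.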