Conversation Hijacking
What is Conversation Hijacking?
Conversation Hijacking: An email attack in which a criminal injects malicious replies into an existing trusted email thread to deliver malware or fraudulent instructions.
In conversation hijacking, the attacker first gains access to a mailbox, or to a copy of its contents, through credential theft, account takeover (ATO), or a breach at a partner organisation. They then read the existing threads and reply inside them, inheriting the trust, subject line, quoted history, and signature of the legitimate sender. The injected message can carry malware (Emotet famously seeded Trickbot via hijacked threads), a payment-redirection request typical of business email compromise, or a follow-up with a credential-harvesting link. Because the reply appears inside an exchange the victim already recognises, both people and traditional reputation- or sender-based filters lower their guard. Defences include DMARC, MFA on mail accounts, anomaly detection on reply patterns (for example a Reply-To or Message-ID domain that differs from the sender's, or a reply arriving via infrastructure the sender has never used in the thread), banner labels for external senders, and out-of-band confirmation for any payment changes.
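As an added example (not part of the original glossary entry), the following Python sketch applies the "anomaly detection on reply patterns" defence above to a constructed three-message vendor thread: it flags a reply whose Reply-To leaves the sender's domain, whose Message-ID was minted by a host the sender never used earlier in the thread, whose sender domain is new to the thread, or whose body carries payment-change language that warrants out-of-band confirmation. Header names are real RFC 5322 fields; the addresses, Message-IDs and bodies are made up.

```python
# Added example (not from the original page): reply-pattern anomaly checks
# for a mail thread. Messages are constructed dicts of parsed RFC 5322
# headers; header names are real, addresses and bodies are made up.
import re

# Constructed thread: vendor invoice, buyer reply, then a reply sent from the
# vendor's address via unfamiliar infrastructure with a redirected Reply-To.
THREAD = [
    {"Message-ID": "<a1@vendor.example>", "From": "ap@vendor.example",
     "To": "buyer@corp.example", "Body": "Invoice 4471 attached, due in 30 days."},
    {"Message-ID": "<b2@corp.example>", "From": "buyer@corp.example",
     "To": "ap@vendor.example", "In-Reply-To": "<a1@vendor.example>",
     "Body": "Thanks, scheduled for payment."},
    {"Message-ID": "<c3@mail-relay.example>", "From": "ap@vendor.example",
     "To": "buyer@corp.example", "In-Reply-To": "<b2@corp.example>",
     "Reply-To": "ap.vendor@webmail.example",
     "Body": "Please note our updated bank account details before paying."},
]

# Payment-redirection language that should trigger out-of-band confirmation.
PAYMENT_CHANGE = re.compile(
    r"\b(updated?|new|changed?)\b.{0,40}\b(bank|account|iban|routing|wire)\b", re.I)

def domain(addr):
    """Domain part of an address or Message-ID, lowercased (None if absent)."""
    return addr.strip("<>").rsplit("@", 1)[-1].lower() if addr else None

def score_reply(msg, prior):
    """Return anomaly flags for a reply, judged against earlier thread messages."""
    flags = []
    from_dom = domain(msg["From"])
    # Reply-To steering answers away from the sender's own domain.
    if domain(msg.get("Reply-To")) not in (None, from_dom):
        flags.append("reply-to-domain-mismatch")
    # Message-ID minted by a host this sender never used earlier in the thread.
    earlier = {domain(p["Message-ID"]) for p in prior if domain(p["From"]) == from_dom}
    if earlier and domain(msg["Message-ID"]) not in earlier:
        flags.append("message-id-domain-change")
    # Sender domain that was neither a sender nor a recipient so far.
    seen = {domain(p[h]) for p in prior for h in ("From", "To")}
    if from_dom not in seen:
        flags.append("new-participant-domain")
    if PAYMENT_CHANGE.search(msg["Body"]):
        flags.append("payment-change-request")
    return flags

def scan_thread(thread):
    """Map each reply's Message-ID to its anomaly flags (thread starters are skipped)."""
    return {m["Message-ID"]: score_reply(m, thread[:i])
            for i, m in enumerate(thread) if m.get("In-Reply-To")}
```

The legitimate buyer reply scores no flags, while the injected reply collects three; in practice such a score would drive a warning banner or a hold for manual review rather than an automatic block.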
● Examples
- 01 Emotet (2018-2021): malicious replies to ongoing email threads delivered weaponised Office documents.
- 02 BEC actors hijack a vendor's mailbox and inject a fake updated-banking-details reply mid-thread.
● Frequently asked questions
What is Conversation Hijacking?
An email attack in which a criminal injects malicious replies into an existing trusted email thread to deliver malware or fraudulent instructions. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against Conversation Hijacking?
Defences for Conversation Hijacking typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Conversation Hijacking?
Common alternative names include: Email thread hijacking, Reply-chain attack.
● Related terms
- Business Email Compromise (attacks № 135): A targeted fraud in which an attacker impersonates or takes over a corporate mailbox to trick an employee into wiring money, changing payment details, or sending sensitive data.
- Phishing (attacks № 821): A social-engineering attack in which an attacker impersonates a trusted party to trick a victim into revealing credentials, transferring money, or running malware.
- Callback Phishing (attacks № 140): A two-stage phishing attack in which a benign-looking email persuades the victim to call a phone number, where a human operator then walks them into installing malware.
- Account Takeover (ATO) (attacks № 010): An attack in which a criminal gains unauthorised control of a legitimate user account and uses it to steal funds, data, or commit further fraud.
- Social Engineering (attacks № 1065): The psychological manipulation of people into performing actions or disclosing confidential information that benefits an attacker.
- Email Spoofing (attacks № 375): Forging email headers so a message appears to come from a trusted sender, typically to enable phishing, fraud, or malware delivery.