Thread Hijacking: the financial fraud hidden in legitimate email conversations
Discover how thread hijacking attacks use legitimate email conversations to manipulate payments, change financial instructions, and deceive finance teams.
Not all fraudulent emails arrive with obvious mistakes, suspicious attachments, or strange links.
In many cases, the attack begins in a much more subtle way: inside an email conversation that already exists, with people who already know each other, in a context that appears legitimate.
This is where Thread Hijacking comes in.
In this type of attack, the criminal compromises an email account, or impersonates a trusted identity, and steps into a real conversation to introduce a fraudulent instruction: a change in bank details, a “corrected” invoice, an urgent payment request, or a false transfer confirmation.
The problem is simple: when fraud appears inside a legitimate thread, the victim lowers their guard.
What is Thread Hijacking?
Thread Hijacking is a technique in which attackers insert themselves into a legitimate email conversation to manipulate its direction.
Instead of sending a new, isolated email, criminals take advantage of the history of a real conversation. This can happen after they compromise a mailbox, steal credentials, or register a lookalike domain that differs from the genuine one by only a character or two.
From there, they reply within the same conversation or recreate the thread with enough context to appear legitimate.
How does this attack work?
A thread hijacking attack usually follows several stages.
1. Initial access to the email account
The attacker first gains access to a legitimate account, typically through phishing, credential theft, infostealers, password reuse, or adversary-in-the-middle phishing that captures a live session token.
Once inside the account, the criminal can observe conversations, identify suppliers, clients, pending payments, and relevant contacts.
2. Conversation monitoring
Before taking action, the attacker may spend some time analysing the mailbox history.
They look for conversations with financial value, such as:
- outstanding payments;
- pending invoices;
- contract changes;
- supplier contacts;
- communications between finance teams;
- internal approvals.
This context allows them to create a much more convincing message than a traditional phishing email.
3. Insertion into the thread
After identifying an opportunity, the attacker replies within the conversation, or sends a message from a lookalike address that quotes the original thread so that it appears to continue the same exchange.
The message may include phrases such as:
- “Please find attached the updated invoice with the correct details.”
- “Please use this account for the payment.”
- “There has been a change in our bank details.”
- “Can you process this today?”
These messages are dangerous because they do not appear out of nowhere. They appear in the middle of a conversation that already had trust.
4. Payment manipulation
The final objective is almost always financial.
The attacker tries to convince the victim to:
- pay a fake invoice;
- change bank details;
- send proof of payment;
- speed up a transfer;
- ignore internal procedures;
- continue the conversation outside normal channels.
In more advanced attacks, criminals may also use forwarding rules, delete messages, or hide replies to make detection harder. Recent BEC investigations point to signs such as newly created inbox rules, unexpected forwarding, messages marked as read without user action, and emails sent or deleted without explanation as common indicators of account compromise.
Why is Thread Hijacking so effective?
Thread hijacking is effective because it exploits three factors: trust, context, and urgency.
In a traditional phishing email, the victim may become suspicious because they do not know the sender or because the message feels out of context.
But in a legitimate thread, the scenario is different.
The victim sees familiar names, real history, a familiar subject line, and apparently normal language. This makes the attack harder to detect, especially for teams that deal daily with payments, invoices, and approvals.
In addition, many of these attacks do not rely on malicious links or attachments. This means they can bypass traditional controls that only look for dangerous files, suspicious URLs, or known signatures.
Practical example
Imagine a company exchanging emails with a supplier about an outstanding invoice.
The conversation is legitimate. The supplier exists. The invoice also exists.
But the supplier's email account has been compromised. The attacker enters the conversation and sends a reply such as:
Supplier reply
Hello,
We noticed that the previous invoice had outdated bank details. Please use the details below to pay this invoice.
Thank you.
To the finance team, the message looks normal. It is in the same thread, comes from a known contact, and refers to a real invoice.
But the IBAN belongs to the attacker.
This is the critical point: in thread hijacking, fraud does not rely only on deceiving the victim with a fake identity. It relies on manipulating a relationship of trust that already existed.
Warning signs
Even when the email appears legitimate, there are signs that should raise suspicion.
- Change in bank details: Any change to an IBAN, bank account, or payment method should be treated as a risk event.
- Unusual urgency: Requests such as “process today”, “this is confidential”, or “do not involve anyone else” are common signs of social engineering.
- Subtle change in tone: The email may come from a known contact, but with different wording, unusual mistakes, or a level of pressure that feels out of character.
- New CC address or different Reply-To: In some cases, the attacker sets a Reply-To pointing at a mailbox they control, or adds external contacts, so that replies and follow-up questions reach them rather than the real contact.
- Request to bypass the normal process: Any attempt to avoid approvals, confirmation calls, or internal validations should be considered suspicious.
- Deleted messages or forwarding rules: Email rules created without authorisation, messages marked as read, or automatic forwarding may indicate that the account has been compromised.
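The header and content checks behind these warning signs can be run against the message itself. The following Python is added here as an illustration and is not code from the original article: it parses a reply with the standard library email module and flags a lookalike sender domain, a Reply-To pointing elsewhere, a participant not seen earlier in the thread, an IBAN that differs from the one on file, urgency language, and a "RE:" subject with no threading headers (a recreated rather than continued thread). The supplier record, the participant list, the addresses and both sample messages are constructed.

```python
"""Checks to run on a reply that arrives inside an existing thread.
Added example, not code from the original article. The supplier record, the
thread participants and both sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed: what accounts payable already holds for this supplier.
SUPPLIER_ON_FILE = {"domain": "acme-supplies.example",
                    "iban": "DE89370400440532013000"}
# Constructed: addresses that took part in the thread before this reply.
KNOWN_PARTICIPANTS = {"j.martin@acme-supplies.example", "ap@victimco.example"}
URGENCY_PHRASES = ("process today", "urgent", "confidential",
                   "do not involve", "before end of day")
# IBAN: two letters, two check digits, 11-30 alphanumerics, optionally grouped by single spaces.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]){11,30}\b")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short, so a plain DP is enough."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, known: str) -> bool:
    """Not the known domain, but within one edit of it (acme-suppiies vs acme-supplies)."""
    domain, known = domain.lower(), known.lower()
    return domain != known and edit_distance(domain, known) <= 1


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def assess_reply(raw: str) -> list[str]:
    """Finding codes for one single-part text message; [] means nothing flagged."""
    msg = message_from_string(raw)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    if is_lookalike(sender_domain, SUPPLIER_ON_FILE["domain"]):
        findings.append("LOOKALIKE_SENDER_DOMAIN")
    # A Reply-To elsewhere steers the answer away from the real contact.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append("REPLY_TO_MISMATCH")
    recipients = {addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if recipients - KNOWN_PARTICIPANTS:
        findings.append("NEW_THREAD_PARTICIPANT")
    body = msg.get_payload()
    ibans = {m.group(0).replace(" ", "") for m in IBAN_RE.finditer(body)}
    if ibans and ibans != {SUPPLIER_ON_FILE["iban"]}:
        findings.append("BANK_DETAILS_CHANGED")
    if any(p in body.lower() for p in URGENCY_PHRASES):
        findings.append("URGENCY_LANGUAGE")
    # "RE:" subject without threading headers: a recreated thread, not a reply.
    if (msg.get("Subject", "").lower().startswith("re:")
            and not (msg.get("In-Reply-To") or msg.get("References"))):
        findings.append("THREAD_RECREATED")
    return findings


# Constructed: the reply from the practical example, sent from a lookalike
# domain (capital I for lowercase l), with a redirected Reply-To, an extra
# external Cc and new bank details.
SUSPICIOUS_REPLY = """From: "J. Martin" <j.martin@acme-suppIies.example>
Reply-To: accounts@acme-supplies-billing.example
To: ap@victimco.example
Cc: finance.desk@webmail-host.example
Subject: RE: Invoice 4471 - outstanding payment
In-Reply-To: <4471-thread@acme-supplies.example>

We noticed that the previous invoice had outdated bank details. Please use the
details below to pay this invoice and process today if possible.

IBAN: GB29 NWBK 6016 1331 9268 19

Thank you.
"""

# Constructed: a routine reply from the genuine supplier address.
ROUTINE_REPLY = """From: "J. Martin" <j.martin@acme-supplies.example>
To: ap@victimco.example
Subject: RE: Invoice 4471 - outstanding payment
In-Reply-To: <4471-thread@acme-supplies.example>

Confirming the remittance for invoice 4471 has arrived. Thank you.
"""
```

Each finding is a signal, not a verdict. In the article's scenario the IBAN change alone should route the message to out-of-band validation, however clean the headers look, and the lookalike check is deliberately strict (one edit) so that a real mail from the genuine domain is never flagged on that ground.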
How to protect your company
Prevention should combine technology, processes, and training.
1. Validate financial changes through another channel
Changes to IBANs, bank details, or payment instructions should never be approved by email alone.
Validation should be done through a previously known channel, such as a phone number already on file for the supplier, and never through contact details provided in the suspicious email itself, which may also be the attacker's.
2. Implement dual approval
High-value payments, supplier changes, and bank account updates should require approval from more than one person.
This control reduces the impact of the pressure and urgency created by the attacker.
3. Monitor email rules and forwarding
Security teams should monitor new mailbox rules, forwarding changes, and anomalous activity in user accounts.
This is especially important in Microsoft 365 and Google Workspace environments.
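What that monitoring can look like in practice, as an added example that is not part of the original article: a small triage routine over mailbox-rule audit events that flags external forwarding, rules that delete or mark as read finance-related mail, rules that park mail from a known supplier in a folder the owner rarely opens, and single-character rule names. The event records below are constructed and simplified rather than any product's exact log format, although Exchange Online does record rule changes under operations such as New-InboxRule and Set-InboxRule; the internal and supplier domains are assumptions.

```python
"""Triage of mailbox-rule audit events for post-compromise tradecraft:
forwarding, deleting, marking read and parking finance mail out of sight.
Added example, not from the original article. Event records are constructed
and simplified, not any product's exact audit schema.
"""

INTERNAL_DOMAINS = {"victimco.example"}             # assumption
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.example"}  # constructed vendor list
FINANCE_KEYWORDS = {"invoice", "payment", "iban", "bank", "wire", "remittance"}
# Folders commonly used to park mail the mailbox owner rarely opens.
PARKING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                   "archive", "junk email", "deleted items"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}


def external(addresses):
    return [a for a in addresses
            if a.rpartition("@")[2].lower() not in INTERNAL_DOMAINS]


def score_rule_event(event: dict) -> list[str]:
    """Return reasons this event deserves a look; an empty list means benign."""
    if event["operation"] not in RULE_OPERATIONS:
        return []
    rule = event["rule"]
    reasons = []
    conditions = " ".join(rule.get("subject_or_body_contains", [])
                          + rule.get("from_contains", [])).lower()
    hides = bool(rule.get("delete") or rule.get("mark_as_read")
                 or (rule.get("move_to") or "").lower() in PARKING_FOLDERS)
    if external(rule.get("forward_to", []) + rule.get("redirect_to", [])):
        reasons.append("forwards_to_external_address")
    if hides and any(k in conditions for k in FINANCE_KEYWORDS):
        reasons.append("hides_finance_related_mail")
    if hides and any(d in conditions for d in KNOWN_SUPPLIER_DOMAINS):
        reasons.append("hides_mail_from_known_supplier")
    if hides and not conditions:
        reasons.append("hides_all_mail_without_conditions")
    # Empty or single-character rule names are a recurring trait of BEC rules.
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("minimal_rule_name")
    return reasons


def triage(events):
    """(time, user, client_ip, rule name, reasons) for every event worth reviewing."""
    flagged = []
    for e in events:
        reasons = score_rule_event(e)
        if reasons:
            flagged.append((e["time"], e["user"], e["client_ip"],
                            e["rule"].get("name", ""), reasons))
    return flagged


# Constructed sample events: two attacker rules, one benign rule, one non-rule event.
SAMPLE_EVENTS = [
    {"time": "2024-05-14T03:12:09Z", "user": "ap@victimco.example",
     "operation": "New-InboxRule", "client_ip": "198.51.100.23",
     "rule": {"name": ".", "subject_or_body_contains": ["invoice", "payment", "IBAN"],
              "forward_to": ["ap.victimco@mail-host.example"],
              "mark_as_read": True, "delete": True}},
    {"time": "2024-05-14T03:15:41Z", "user": "ap@victimco.example",
     "operation": "Set-InboxRule", "client_ip": "198.51.100.23",
     "rule": {"name": ",", "from_contains": ["acme-supplies.example"],
              "move_to": "RSS Subscriptions", "mark_as_read": True}},
    {"time": "2024-05-14T09:02:00Z", "user": "hr@victimco.example",
     "operation": "New-InboxRule", "client_ip": "203.0.113.7",
     "rule": {"name": "Newsletters", "from_contains": ["news@vendor-news.example"],
              "move_to": "Newsletters"}},
    {"time": "2024-05-14T09:30:00Z", "user": "ap@victimco.example",
     "operation": "MailItemsAccessed", "client_ip": "203.0.113.7", "rule": {}},
]
```

The timestamp and client IP are carried through on purpose: a rule created at 03:12 from an address the user has never logged in from is the context that turns "a new inbox rule" into "an account compromise", and the two attacker rules above share both.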
4. Use phishing-resistant authentication
MFA is important, but it is not always enough: adversary-in-the-middle phishing can relay the whole login and capture the resulting session cookie or token when the second factor is not phishing-resistant. Microsoft has warned about campaigns that use adversary-in-the-middle techniques to capture credentials and authentication tokens in exactly this way.
Whenever possible, companies should move to stronger methods, such as passkeys, security keys, or device-based authentication.
5. Detect behavioural anomalies
Traditional email security solutions can fail when the message comes from a legitimate account or does not contain malicious links.
That is why it is important to analyse behaviour: who communicates with whom, what types of requests are normal, which changes are unusual, and which messages deviate from the organisation’s usual patterns.
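A minimal form of that behavioural analysis, added here as an example and not code from the original article: build a baseline from past classified messages (which sender writes to which recipient, what kinds of request each sender has made, at what hours) and score each new message by how far it departs from that baseline. The history, the keyword classifier, the three new messages and the thresholds are all constructed for illustration.

```python
"""Baseline-and-deviation scoring for payment-related mail: who normally talks
to whom, what they normally ask for, and when. Added example, not code from the
original article; history, messages and thresholds are constructed.
"""
from collections import defaultdict

# Constructed history of already classified messages: (sender, recipient, kind, hour UTC)
HISTORY = [
    ("j.martin@acme-supplies.example", "ap@victimco.example", "invoice", 9),
    ("j.martin@acme-supplies.example", "ap@victimco.example", "status", 10),
    ("j.martin@acme-supplies.example", "ap@victimco.example", "invoice", 14),
    ("j.martin@acme-supplies.example", "ap@victimco.example", "status", 11),
    ("cfo@victimco.example", "ap@victimco.example", "approval", 16),
]
HIGH_RISK_KINDS = {"bank_change"}


def classify_request(body: str) -> str:
    """Coarse request type from the message text (keyword based, constructed)."""
    text = body.lower()
    if "iban" in text or "bank details" in text or "new account" in text:
        return "bank_change"
    if "invoice" in text:
        return "invoice"
    return "status"


def build_baseline(history):
    """Sender/recipient pairs, request kinds per sender and sending hours per sender."""
    pairs, kinds, hours = set(), defaultdict(set), defaultdict(list)
    for sender, recipient, kind, hour in history:
        pairs.add((sender, recipient))
        kinds[sender].add(kind)
        hours[sender].append(hour)
    return {"pairs": pairs, "kinds": kinds, "hours": hours}


def score_message(baseline, sender, recipient, body, hour, slack=2, min_obs=3):
    """Reasons a new message deviates from the baseline; [] means it fits."""
    kind = classify_request(body)
    reasons = []
    if (sender, recipient) not in baseline["pairs"]:
        reasons.append("no_prior_contact_between_pair")
    if kind in HIGH_RISK_KINDS:
        reasons.append("high_risk_request_kind")
        if kind not in baseline["kinds"].get(sender, set()):
            reasons.append("sender_never_made_this_request_before")
    # Only judge the hour once we have a few observations for this sender.
    seen = baseline["hours"].get(sender, [])
    if len(seen) >= min_obs and not (min(seen) - slack <= hour <= max(seen) + slack):
        reasons.append("outside_sender_usual_hours")
    return reasons


BASELINE = build_baseline(HISTORY)

# Constructed new messages: (sender, recipient, body, hour UTC)
HIJACKED = ("j.martin@acme-supplies.example", "ap@victimco.example",
            "The previous invoice had outdated bank details; IBAN below.", 3)
ROUTINE = ("j.martin@acme-supplies.example", "ap@victimco.example",
           "Attached is invoice 4472 for May.", 10)
LOOKALIKE = ("accounts@acme-supplies-billing.example", "ap@victimco.example",
             "Please use the new account details for invoice 4471.", 10)
```

The point of the scoring is that the hijacked message from the real supplier address still stands out: the request kind is one that contact has never made, and it was sent at an hour that contact has never written at. Neither signal depends on a link, an attachment, or the sender being unknown.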
6. Train finance and operational teams
Training should go beyond “do not click suspicious links”.
Teams need to recognise scenarios such as:
- IBAN changes;
- corrected invoices;
- urgent requests;
- compromised suppliers;
- manipulated real conversations;
- pressure to ignore internal processes.
Why is this attack a financial risk?
Thread hijacking is dangerous because it directly attacks a company’s trust-based processes.
It does not only try to steal a password. It tries to turn a legitimate conversation into a fraudulent financial authorisation.
For Finance, Procurement, HR, and Operations teams, this means that any email related to payments should be assessed more carefully, even when it comes from a known contact.
Trust in the sender is no longer enough.
It is necessary to validate the context, the behaviour, and the request.
Conclusion
Phishing has evolved. Today, many attacks no longer arrive as poorly written messages or generic campaigns. They arrive inside real conversations, with genuine context and financially plausible requests.
Thread Hijacking shows that financial email fraud is no longer just a problem of malicious links. It is a problem of manipulated trust.
To reduce risk, companies need to combine human validation, robust financial processes, and intelligent detection of anomalous behaviour.
Because when an attacker manages to enter a legitimate conversation, the question is no longer just: "Is this email fake?"
The question becomes: "Does this request make sense within the company's normal process?"