Thread Hijacking
An attack where a fraudster inserts themselves into an existing legitimate email conversation to lend credibility to a fraudulent request.
Also known as: conversation hijacking, email thread injection, reply-chain attack
Last reviewed: 1 June 2026
Thread hijacking (also known as conversation hijacking) occurs when an attacker gains access to, or replays, a real email exchange between two parties and injects a fraudulent message that appears to be a natural continuation of that conversation. Because the email displays genuine history — real names, real subject lines, real prior messages — recipients are far less suspicious than they would be with a cold contact.
The attack is most commonly seen in business email compromise: after compromising an employee's email account or obtaining leaked correspondence, the attacker waits for an opportune moment in a payment or contract discussion and interjects a request to change bank details or redirect a wire transfer. The victim believes they are still talking to their known contact.
Prevention requires multi-channel verification: any change to payment details received by email — even within a trusted conversation — should be confirmed via an independent phone call to a known number. Email alone should never be the sole authorisation channel for financial transactions.
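The verification rule above, sketched as a mail triage check (an added example, not part of the original entry). The phrase pattern, the `HOLD_FOR_CALLBACK` action name and all sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical phrase pattern; tune it to your own invoicing vocabulary.
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated?|chang\w*)\W+(?:\w+\W+){0,4}?(bank|account|iban|sort code)",
    re.IGNORECASE,
)

def _addr(msg):
    return parseaddr(msg.get("From", ""))[1].lower()

def triage(history, raw):
    """history: raw messages already in the thread; raw: the new arrival."""
    seen = [message_from_string(m) for m in history]
    msg = message_from_string(raw)
    known_ids = {m["Message-ID"] for m in seen}
    known_senders = {_addr(m) for m in seen}
    refs = set(f'{msg.get("In-Reply-To", "")} {msg.get("References", "")}'.split())
    reasons = []
    if PAYMENT_CHANGE.search(msg.get_payload()):
        reasons.append("payment-change")
    if refs & known_ids and _addr(msg) not in known_senders:
        reasons.append("sender-new-to-thread")
    # A compromised mailbox produces no header anomaly, so the payment-change
    # content alone forces the hold; header findings are supporting evidence.
    action = "HOLD_FOR_CALLBACK" if "payment-change" in reasons else "DELIVER"
    return action, reasons

def mk(sender, msg_id, body, in_reply_to=None):
    # Builds a constructed sample message (not real correspondence).
    headers = [f"From: {sender}", "To: ap@buyer.example",
               "Subject: Re: Invoice 1042", f"Message-ID: {msg_id}"]
    if in_reply_to:
        headers.append(f"In-Reply-To: {in_reply_to}")
    return "\n".join(headers) + "\n\n" + body

FIRST = "<1@supplier.example>"
HISTORY = [mk("Anna <anna@supplier.example>", FIRST, "Invoice 1042 attached.")]
COMPROMISED = mk("Anna <anna@supplier.example>", "<2@supplier.example>",
                 "Please use our new bank details for this payment.", FIRST)
LOOKALIKE = mk("Anna <anna@suppl1er.example>", "<9@suppl1er.example>",
               "We have changed our account, details below.", FIRST)
BENIGN = mk("Anna <anna@supplier.example>", "<3@supplier.example>",
            "Thanks, payment received.", FIRST)
if __name__ == "__main__":
    for name, raw in [("compromised", COMPROMISED), ("lookalike", LOOKALIKE), ("benign", BENIGN)]:
        print(name, triage(HISTORY, raw))
```

The message sent from the genuine, compromised address is held with no header finding at all, which is why the hold is keyed to the request itself and released only after the phone confirmation.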
Examples
- A supplier's email account is compromised; the attacker monitors ongoing invoice discussions and sends a 'bank details change' email at the moment of payment.