Back in the early 2000s, spam emails were easy to detect.

That’s because all that ever showed up in your inbox were emails from a smattering of friends and a handful of business contacts – such as Ivan from your preferred cargo services provider. Every now and again you’d maybe get the odd email from some prince needing your help in recovering his fortune. See how THINC AI filtering technology quickly shuts down threats.

Had my grandmother been using the internet at the time, even she could have spotted spam from a mile away.

Now don’t get me wrong. I’m not exactly nostalgic for those early internet days. As far as I’m concerned, 56k modems, MSN messenger and POP3 email accounts firmly belong in the past.

But at least email security was simpler then.

The rise of malware for profit or espionage over the last two decades has led to malicious actors changing their tactics at lightning speed. Not only are they now able to evade automated algorithms that filter email for spam; they even know how to avoid raising your suspicion.

And email users are always the last line of defense because they’re the ones who ultimately click on these malicious emails and open their attachments. Suddenly, that conversation with Ivan from Cargo Inc. isn’t as safe as it used to be.


Let’s look at a typical email thread you might have with Ivan and how it can now be hijacked without you even realizing it.


Just an ordinary exchange that took place last April. A few months later, you get another reply from Ivan on this thread.


Thinking that maybe you forgot to pay a bill, you open the attachment and… Oops.

No, Ivan hasn’t suddenly decided to seek revenge because you changed your order three times at the last minute back in April. At some point in the last few months, Ivan’s email got infected and a malicious actor is replying to real conversations Ivan had in the past. And this actor is throwing in malware just for fun. Unbeknownst to poor Ivan, he’s about to have a lot of angry contacts on his hands.

This is essentially email thread hijacking. And they can be very hard to detect for a couple of key reasons.

1. The malicious actor’s responses are fairly generic and innocuous.

2. The remainder of the thread looks authentic. Because it is.

What makes email conversation thread hijacking even more insidious is that it can fool automated spam filters and humans alike. Even when recipients don’t open these emails, it can create all sorts of confusion and misunderstandings for both the recipient and the supposed sender.

Email thread hijacking – or email spoofing – happens more often than you might think. We have received countless calls from IT teams over the years asking why a former employee who left their company 6 months ago suddenly sent an email using the company’s domain.

If you’d like to learn more about these types of email attacks, we presented a talk on how to thwart email conversation thread hijacking at Virus Bulletin 2019.

There are many authentication mechanisms that can help reduce email spoofing. These include SPF records, which prevent connection spoofing and DMARC records, which prevent spoofing of your domain. If you don’t have these protections on your domain, we suggest you enable them or ask us about them..

In some cases, the malicious actor will use a random sending domain to bypass these extra protections. At this point, there is no proposed mechanism to protect sending names. The best advice we can give you is to think twice (or three times) before clicking on any link or opening any attachment in an email you weren’t expecting. Of course, having best-in-class email protection also helps!