Behind the Screens: Real-World Examples of Thread Hijacking and Multi-Persona Attacks

In the classic heist movie “Ocean’s Eleven,” George Clooney’s character leads his ensemble of conpeople to infiltrate a high-security vault. To accomplish this, they disguise themselves as maintenance workers, which allows them to blend in with the staff, steal millions of dollars from the casino vault, and then slip away unnoticed—blending into the crowds of Las Vegas before disappearing into the night. Unfortunately, movies often mimic real life, and threat actors deploy a similar tactic when attempting to infiltrate target accounts digitally. By either imitating or stealing the identity of victims, threat actors can put themselves into a position to successfully infiltrate a target account.

In a recent article from Brian Krebs, published on KrebsOnSecurity, he explained how a Pennsylvania news outlet was the target of a phishing campaign in which the email came from a prominent businessman within the community. While the email did come from a legitimate account with a prior relationship to the recipient, it’s unlikely that it was on purpose. Instead, the account was likely compromised and then used to send malicious emails to people in his contact lists.

Attackers often employ thread hijacking, also known as email thread hijacking or email thread manipulation, to infiltrate an existing email conversation between legitimate parties and insert themselves into the dialogue. By impersonating one of the participants or fabricating a completely new identity, the attacker will attempt to deceive the others involved. In doing so, the attacker will attempt to spread malware, obtain sensitive information, or redirect financial transactions to fraudulent accounts. Adjacent to email thread hijacking and even more sophisticated, attackers are now also executing multi-persona hijacking by assuming multiple identities or personas to build trust with targets—often across multiple communication channels.

Abnormal Security observes these attacks often across our customer base, especially as they continue to grow in popularity. Let’s dive into a few real-world examples.

In the first example, we have a new email thread sent from the compromised account of the VP of Finance at a mergers and acquisitions firm to his partners at an investment banking firm. In the email, the sender states that a new accountant has joined the company and should be granted full signatory authority, including “the ability to authorize and verify any withdrawal, distribution, wire transfer and money movement request following his new role.”

The message is sent to the main contact at the investment firm. However, the attacker also cc’s four additional members, as well as two colleagues from the sender organization, in addition to the new accountant being introduced. At first glance, all seems normal, but further review shows that the two colleges are using a lookalike domain registered just one day before the initial message was sent. In addition, the "new accountant" does not have an enterprise email at all but is instead cc’ed as “mark@lantzcpas[.]net,” which is an email address likely owned by the initial attacker. By cc’ing these colleagues, or at least the people who appear to be colleagues, the attacker gains legitimacy with the intended recipient, who is unlikely to notice the small detail (changing the order of two vowels) within the lookalike domain.

If this email were to reach the investment firm, the recipient would’ve likely provided “Mark Lantz” with full access to the account, including the ability to make withdrawals and schedule wire transfers. By doing so, the attacker would have the ability to immediately remove any money or wait patiently until a significant deposit was made, which he could then pilfer.

The example shown above is most similar to the one explained by Brian Krebs, though focused more on direct financial gains than on credential phishing. In that attack, the threat actor simply reviewed the account contact list and sent a new email thread to start the attack—relying on information within the account to appear believable. While dangerous, the attack shown below is even more concerning, as it involves a hijacked thread that occurs in the middle of a conversation.

In this email, we see an original message sent from a Group Billing Coordinator of an event venue to the event coordinator, showing the final invoice. This email is likely sent from the true owner of the account, as it shows no signs of being malicious.

Eight days later, the recipient responds to the initial email stating that the revised invoice is still incorrect but that she can submit payment once the invoice is corrected.

In a normal conversation, we would expect that the next email includes a corrected invoice… which it does. Only this email has been sent not from Francoise’s legitimate account but instead from a lookalike domain: the threat actor has changed an “i” in the domain name to an “l” and has successfully hijacked the conversation. This third email comes from the newly registered lookalike domain but includes both the prior conversation history and continues to cc Francoise’s colleagues, though all emails now use the same lookalike domain. In this last email, the attacker also asks if the payment can be processed via ACH—a common way for threat actors to quickly receive their money before they are discovered.

What makes this email attack both unique and extremely scary is that there is no way for the average employee to realize that they are no longer communicating with their known vendor but are instead preparing to send money to a cybercriminal. The attacker is extremely sophisticated in his methodology, taking advantage of an ongoing conversation about payments, including the conversation history in the initial attack, and cc’ing the full team (via lookalike domains) to increase legitimacy. At first glance, this email does not appear to be malicious, but Abnormal recognizes that the sender domain does not match any domains found in body links, that the lookalike domains appeared midway through the conversation, and that the email contains a suspicious financial request.

As end users become more aware of traditional social engineering tactics like gift card fraud, threat actors are becoming more sophisticated in their scams—as evidenced by these two emails. At Abnormal, we saw a twofold increase in socially engineered attacks last year, and we expect that this trend will continue to rise as attackers more successfully employ generative AI technology.

By compromising legitimate accounts and using large language models to understand ongoing conversations and generate highlight contextually relevant responses, attackers will be able to seamlessly blend into ongoing email conversations better than ever before. These generative AI tools can analyze the content and tone of previous messages within the thread to craft responses that appear authentic and indistinguishable from legitimate participants—making it far easier for even novice cybercriminals to manipulate conversations and deceive recipients. Making matters worse, this same technology can also automate the process of crafting and sending responses, streamlining the process and allowing attackers to scale these attacks by targeting multiple victims simultaneously.

Traditional threat intelligence methods are often ineffective at detecting these sophisticated attacks. Relying heavily on historical data and known patterns of malicious activity can be useful in the event that there are known indicators of compromise (IOCs), such as malware signatures or IP addresses associated with known threats. However, as shown here, these attacks often employ novel techniques that lack historical data or existing IOCs to reference. In contrast, they are extremely targeted and contain few malicious indicators—making them almost impossible to detect by traditional tools.

To combat these attacks, Abnormal employs behavioral AI that understands human behavior—analyzing patterns of behavior in real time to detect anomalies and potential risks. Central to the Abnormal detection approach is its AI engine, which meticulously evaluates the content and context of communications to ascertain abnormality and assess risk levels. This involves examining not only the individual email but also the broader context of interactions within the communication thread, enabling Abnormal to detect and block thread hijacking attacks even when other tools fail.

By understanding the known normal behavior within an organization and across the entire vendor ecosystem, Abnormal can detect anomalous communication patterns and detect attacks no matter when (or where) they originate. In doing so, the Abnormal platform keeps these attacks from reaching end users, preventing them from unwittingly engaging with attackers and protecting organizations from costly mistakes.

Unfortunately, threat actors are becoming better at their craft each and every day, and this will not be the last we see of this technique. To stay ahead of these threats, it’s vital to implement a behavior AI solution that can detect these and other emerging threats before your organization becomes the next victim of a well-executed thread hijacking attack.

Discover how Abnormal detects these and other sophisticated threats by requesting a demo today.