May 21, 2026

Conversation Hijacking: When Attackers Hijack a Real Email Thread

The most convincing phishing email is often not a new message at all. It is a reply. Conversation hijacking, sometimes called reply-chain or thread hijacking, sees an attacker insert themselves into a genuine email conversation that is already under way. Everything a cautious recipient checks for looks right, because it is real: the sender, the history, the subject line. The only false note is the request buried in the latest reply.

That authenticity is exactly what makes it so dangerous, and why it slips past filters and well-trained staff alike.

The takeaway: an attacker who has compromised a mailbox, often a supplier’s or a colleague’s, reads the real conversations inside it and then replies within an existing thread to add a malicious link, an attachment, or new bank details. Because the message continues a legitimate exchange, the victim rarely questions it. The defence is to verify unexpected requests out-of-band and to stop mailboxes being hijacked in the first place.

How conversation hijacking works

Diagram of conversation hijacking: a mailbox is compromised, the thread is studied, a reply is injected, and trust does the rest
The attacker does not start a new thread; they slip into an existing one.

It begins with a compromised mailbox, usually taken over through an earlier phishing attack or a stolen password. Rather than blasting out obvious scams, the attacker reads. They learn how the account holder writes, who they deal with, which deals and invoices are live, and what tone the relationship uses. Then, at a well-chosen moment, they reply inside a real thread. The message carries the genuine history beneath it and continues the conversation naturally, but the new part contains the payload: a link to a fake login, an attachment, or a quiet request to update payment details. Because everything above the reply is authentic, the recipient extends the same trust they always have.

Why it beats the usual defences

The standard advice for spotting phishing is to check the sender and be wary of unexpected messages. Conversation hijacking defeats both. The sender is real, or a convincing look-alike sitting in a real exchange, and the message is not unexpected at all; it is the continuation of a conversation the victim was already having. Filters see a legitimate thread between known parties. There are no spelling mistakes to catch and no unfamiliar address to flag. The only thing out of place is the request itself, which requires judgement rather than a rule to notice.

Where the danger usually lands

Two outcomes dominate. The first is payment fraud: a reply to a live invoice thread asks, ever so reasonably, to send this month’s payment to updated bank details. The second is onward compromise: a link or attachment continuing a project discussion harvests another set of credentials, letting the attack spread from one organisation into its partners and customers. Supplier accounts are especially prized, because a single hijacked mailbox can be used against a whole customer base that already trusts it.

How to defend against it

Verify money and links out-of-band

Make it routine to confirm any change of bank details, unexpected link, or unusual file through a separate, known channel, such as a phone call to a saved number, even when the request appears inside a familiar thread. This single habit defeats most conversation hijacking.

Stop mailboxes being hijacked

Since the attack depends on a compromised account, phishing-resistant MFA such as passkeys is the strongest preventive control. Add alerting on new inbox rules, unusual sign-ins and mail forwarding, which are common signs that an account has been taken over and is being quietly worked.

Learn the subtle tells

Teach staff to notice the small discrepancies: a reply-to address that differs slightly from the sender, a display name that no longer matches the real one, or a sudden change in tone or urgency within a thread. When the content of a message feels off, the history above it is not a reason to relax.
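The tells listed above can also be checked mechanically before a message reaches a person. The following is an added example, not Phishing Tackle's code: it parses a raw RFC 5322 message and flags a Reply-To domain that differs from the sender's, a display name that no longer matches the one on file for a known address, and a look-alike of a trusted domain (the address book and the sample reply are constructed for illustration).

```python
"""Flag the thread-hijacking tells described above in a raw RFC 5322 message (added example)."""
import email
from email import policy
from email.utils import parseaddr

# Constructed address book (assumption): known address -> display name we expect for it.
KNOWN_CONTACTS = {"accounts@supplier.example": "Supplier Accounts"}
KNOWN_DOMAINS = {a.split("@")[1] for a in KNOWN_CONTACTS}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between two domains suggests a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def reply_chain_tells(raw: str) -> list[str]:
    """Return one warning per tell found; an empty list means none of the checks fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = (a.rpartition("@")[2].lower() for a in (from_addr, reply_addr))
    tells = []
    # Tell 1: Reply-To silently routes answers to a domain other than the visible sender's.
    if reply_addr and reply_dom != from_dom:
        tells.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    # Tell 2: the display name no longer matches the one on file for a known address.
    expected = KNOWN_CONTACTS.get(from_addr.lower())
    if expected and from_name and from_name != expected:
        tells.append(f"display name {from_name!r} does not match {expected!r} on file")
    # Tell 3: a domain in play is a near-miss of a domain we already trust (look-alike).
    for dom in {from_dom, reply_dom} - KNOWN_DOMAINS - {""}:
        for known in KNOWN_DOMAINS:
            if edit_distance(dom, known) <= 2:
                tells.append(f"domain {dom} looks like trusted domain {known}")
    return tells

# Constructed sample: a reply inside a real thread (References present) carrying all three tells.
SAMPLE = """\
From: Supplier Acounts <accounts@supplier.example>
Reply-To: accounts@suppl1er.example
Subject: RE: Invoice 1042 - updated bank details
References: <orig-1042@supplier.example>

Please send this month's payment to the new account details attached.
"""
```

Running `reply_chain_tells(SAMPLE)` yields three warnings; a clean reply from the address on file yields none, which is the point: the thread history is ignored and only the headers of the newest message are judged.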

Train with realistic scenarios and make reporting easy

Include reply-chain and supplier-impersonation scenarios in your realistic simulations, so the tactic is familiar, and give people a frictionless way to report a suspicious email even when it appears to come from someone they know.

The bottom line

Conversation hijacking works because it weaponises trust that has already been earned. The sender, the history and the subject are all genuine, so the usual checks pass and the fraud rides in on their coat-tails. The answer is to move the trust from the message to the process: verify unexpected requests through a separate channel, keep mailboxes locked down so they cannot be hijacked, and teach people that a real thread is not a guarantee of a real request. When the content is what matters, the history stops being a free pass.

Phishing Tackle offers the tools businesses need to strengthen their human risk strategies, with multi-platform testing, real-time behavioural insights, and actionable data to keep your organisation ahead of modern cyber threats.

Contact us today to learn how Phishing Tackle can help safeguard your organisation from the growing array of cyber risks.
