Threat Actors Leverage Enterprise Email Threads to Deliver Phishing Links

What happened

Threat actors are leveraging real enterprise email threads to deliver phishing links by hijacking ongoing business conversations and inserting malicious URLs that mimic legitimate authentication pages. In a supply chain phishing incident, attackers inserted themselves into an active email thread among C-suite executives discussing a document pending final approval, replying with a link that resembled a Microsoft 365 authentication form. The intruder’s access stemmed from a compromised sales manager account at an enterprise contractor, enabling seamless insertion into the trusted thread. Analysis shows this campaign has been active since December 2025, primarily against firms in the Middle East, and attackers used a proxy-aware EvilProxy phishkit that evades traditional session-based detection to capture credentials. Sandbox testing revealed callbacks to command-and-control servers and session token exfiltration once victims engaged with the phishing flow. 

Who is affected

Organizations with active enterprise email communications are directly exposed to this threat when attackers infiltrate legitimate threads to deliver phishing links that harvest credentials. The exposure arises from compromised contractor accounts and the use of trusted conversational history to bypass technical and human defenses. 

Why CISOs should care

This campaign illustrates how threat actors are evolving beyond cold phishing lures to exploit the implicit trust in real email conversations and hijacked accounts, combining social engineering with credential harvesting via proxy-aware phishing tools. Understanding this vector is relevant for email security risk assessments and defenses against increasingly sophisticated phishing methods. 

3 practical actions

  • Audit compromised accounts. Investigate and remediate any contractor or partner accounts that may have been compromised to prevent thread hijacking. 
  • Enhance email security filters. Update phishing detection frameworks to identify and block links that mimic trusted authentication flows, including proxy-aware phishkits. 
  • Educate users on thread integrity. Communicate to staff how abnormal replies in existing threads can signal phishing attempts and encourage verification before engaging with unexpected links.
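The second and third actions above can be backed by a simple mail-gateway or SOAR enrichment rule. The following Python is an added example written for this summary, not code from the article or from any vendor; it flags the pattern the article describes: a reply inside an existing thread (`In-Reply-To`/`References` present), sent from outside the organisation, whose body carries a link whose hostname imitates a sign-in page but is not a trusted Microsoft 365 login host. The `TRUSTED_AUTH_HOSTS` set, the `LURE_KEYWORDS` list, the internal domain `example.com` and both sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts that legitimately serve Microsoft 365 sign-in pages. This set is an assumption
# for the example; a tenant that federates to its own IdP would add those hosts too.
TRUSTED_AUTH_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}

# Words a lure hostname borrows so the link "resembles" a Microsoft 365 form (assumed list).
LURE_KEYWORDS = ("microsoft", "office", "o365", "login", "signin", "sso", "auth")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def is_trusted_auth_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_AUTH_HOSTS)


def lookalike_auth_links(text: str) -> list:
    """Return URLs whose host imitates a sign-in page but is not a trusted login host."""
    hits = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if not host or is_trusted_auth_host(host):
            continue
        if any(k in host for k in LURE_KEYWORDS):
            hits.append(url)
    return hits


def _body_text(msg) -> str:
    # Collect text/plain and text/html parts; walk() yields the message itself when not multipart.
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def assess_reply(raw_message: str, internal_domains: set) -> dict:
    """Flag an external reply inside an existing thread that carries a lookalike auth link."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    in_thread = bool(msg.get("In-Reply-To") or msg.get("References"))
    external = sender_domain not in internal_domains
    links = lookalike_auth_links(_body_text(msg))

    reasons = []
    if in_thread and external and links:
        reasons.append("external reply in existing thread carries lookalike auth link")
    if reply_to and reply_to.rsplit("@", 1)[-1] != sender_domain:
        reasons.append("Reply-To domain differs from From domain (context only)")
    return {
        "sender": sender,
        "in_thread": in_thread,
        "external": external,
        "suspicious_links": links,
        "reasons": reasons,
        # The primary condition alone decides; the Reply-To mismatch is analyst context.
        "flag": in_thread and external and bool(links),
    }


INTERNAL_DOMAINS = {"example.com"}  # assumed internal domain for the sample

# Constructed sample: a legitimate internal reply in the approval thread.
BENIGN_REPLY = """\
From: CFO <cfo@example.com>
To: CEO <ceo@example.com>
Subject: RE: Final approval - Q1 contract
In-Reply-To: <thread-root@example.com>
References: <thread-root@example.com>
Content-Type: text/plain; charset=utf-8

Approved from my side. Redline is on the share: https://docs.example.com/contracts/q1
"""

# Constructed sample: the hijacked-thread pattern, sent from a compromised contractor account.
HIJACKED_REPLY = """\
From: Sales Manager <sales.manager@contractor.example>
To: CEO <ceo@example.com>
Subject: RE: Final approval - Q1 contract
In-Reply-To: <thread-root@example.com>
References: <thread-root@example.com>
Content-Type: text/plain; charset=utf-8

Please review the signed copy here: https://login-microsoft0nline-auth.example/common/oauth2
"""

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN_REPLY), ("hijacked", HIJACKED_REPLY)):
        print(name, assess_reply(raw, INTERNAL_DOMAINS))
```

Because the phishkit is proxy-aware, detection that waits for the session to look wrong fires too late; this rule runs on the message before anyone clicks, and a hit is a natural trigger for the thread-integrity verification the third action asks staff to perform. Tune the trusted-host set to the tenant's real federation endpoints before deploying, or every legitimate SSO link becomes a false positive.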