Threat Actors Leverage Enterprise Email Threads to Deliver Phishing Links


What happened

Threat actors are leveraging real enterprise email threads to deliver phishing links: they hijack ongoing business conversations and insert malicious URLs that mimic legitimate authentication pages. In a supply chain phishing incident, attackers inserted themselves into an active email thread among C-suite executives discussing a document pending final approval, replying with a link that resembled a Microsoft 365 authentication form. The intruder's access stemmed from a compromised sales manager account at an enterprise contractor, which allowed the reply to appear as a normal contribution to the trusted thread. Analysis shows this campaign has been active since December 2025, primarily against firms in the Middle East, and that attackers used a proxy-aware EvilProxy phishkit, which evades traditional session-based detection, to capture credentials. Sandbox testing revealed callbacks to command-and-control servers and session token exfiltration once victims engaged with the phishing flow.

Who is affected

Organizations that rely on active enterprise email communication are directly exposed when attackers infiltrate legitimate threads to deliver credential-harvesting phishing links. The exposure arises from compromised contractor accounts and from the use of trusted conversational history to bypass both technical controls and human judgement.

Why CISOs should care

This campaign illustrates how threat actors are evolving beyond cold phishing lures to exploit the implicit trust in real email conversations and hijacked accounts, combining social engineering with credential harvesting via proxy-aware phishing tools. Understanding this vector matters for email security risk assessments and for defending against increasingly sophisticated phishing methods.

3 practical actions

  • Audit compromised accounts. Investigate and remediate any contractor or partner accounts that may have been compromised to prevent thread hijacking. 
  • Enhance email security filters. Update phishing detection frameworks to identify and block links that mimic trusted authentication flows, including proxy-aware phishkits. 
  • Educate users on thread integrity. Communicate to staff how abnormal replies in existing threads can signal phishing attempts and encourage verification before engaging with unexpected links.
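One way to implement the filter described in the second action, as an added example that is not part of the original article: flag a reply inside an existing thread that introduces a link carrying sign-in vocabulary whose host is not a genuine Microsoft sign-in host. The trusted host list, the keyword list and the sample reply (including the placeholder domain) are constructed assumptions for illustration.

```python
"""Heuristic detector for lookalike Microsoft 365 sign-in links introduced in a
reply to an existing email thread. Added example; lists and sample are constructed."""
from __future__ import annotations

import re
from typing import Optional
from urllib.parse import urlparse

# Hosts that legitimately serve Microsoft 365 sign-in pages. Assumption: extend
# with your tenant's own federated or custom-domain login hosts.
TRUSTED_AUTH_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}

# Vocabulary that makes a URL look like an authentication flow (constructed list).
AUTH_TOKENS = ("login", "signin", "sign-in", "microsoftonline", "office365",
               "o365", "oauth2", "authorize")

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def auth_lookalike_urls(body: str) -> list[str]:
    """Return URLs in `body` that use sign-in vocabulary but do not point at a
    trusted Microsoft sign-in host (exact host match, so a prefix such as
    login.microsoftonline.com.<other-domain> does not pass)."""
    flagged = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        haystack = f"{host}{parsed.path}{parsed.query}".lower()
        looks_like_auth = any(tok in haystack for tok in AUTH_TOKENS)
        if looks_like_auth and host not in TRUSTED_AUTH_HOSTS:
            flagged.append(url)
    return flagged


def is_suspicious_thread_reply(body: str, in_reply_to: Optional[str]) -> bool:
    """The pattern in the article: a reply within an existing thread
    (In-Reply-To header present) that introduces a lookalike sign-in link."""
    return in_reply_to is not None and bool(auth_lookalike_urls(body))


# Constructed sample reply in an approval thread; the domain is a placeholder.
SAMPLE_REPLY = (
    "Please review the final version before approval:\n"
    "https://login.microsoftonline.com.review-docs.example/common/oauth2/authorize?id=1\n"
    "Thanks"
)

if __name__ == "__main__":
    print(auth_lookalike_urls(SAMPLE_REPLY))
```

The check is a triage heuristic for mail filtering pipelines; it complements, rather than replaces, URL reputation and sender authentication controls.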

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.