Search

Threat Actors Leverage Enterprise Email Threads to Deliver Phishing Links

Cyber threats and incidents
By Evan Rowe

Related

Founders, Analysts & Industry Voices

CISOs and Security Leaders to Watch in Australian Telecom

Australia’s telecommunications sector sits at the crossroads of national...
Read more
Cyber threats and incidents

Threat Actors Leverage Enterprise Email Threads to Deliver Phishing Links

What happened Threat actors are leveraging real enterprise email threads...
Read more
Cyber threats and incidents

Fraud Campaigns Targeting Canadian Citizens Using Lookalike Government and Service Portals

What happened Fraud campaigns are targeting Canadian citizens by exploiting...
Read more
Cyber threats and incidents

Swarmer Tool Evading EDR With Stealthy Windows Registry Persistence

What happened The Swarmer tool evading EDR with a stealthy...
Read more
Cyber threats and incidents

Check Point Harmony SASE Windows Client Vulnerability Enables Privilege Escalation

What happened A privilege-escalation vulnerability in the Check Point Harmony...
Read more

Share

What happened

Threat actors are leveraging real enterprise email threads to deliver phishing links by hijacking ongoing business conversations and inserting malicious URLs that mimic legitimate authentication pages. In a supply chain phishing incident, attackers inserted themselves into an active email thread among C-suite executives discussing a document pending final approval, replying with a link that resembled a Microsoft 365 authentication form. The intruder’s access stemmed from a compromised sales manager account at an enterprise contractor, enabling seamless insertion into the trusted thread. Analysis shows this campaign has been active since December 2025, primarily against firms in the Middle East, and attackers used a proxy-aware EvilProxy phishkit that evades traditional session-based detection to capture credentials. Sandbox testing revealed callbacks to command-and-control servers and session token exfiltration once victims engaged with the phishing flow. 

Who is affected

Organizations with active enterprise email communications are directly exposed to this threat when attackers infiltrate legitimate threads to deliver phishing links that harvest credentials. The exposure arises from compromised contractor accounts and the use of trusted conversational history to bypass technical and human defenses. 

Why CISOs should care

This campaign illustrates how threat actors are evolving beyond cold phishing lures to exploit the implicit trust in real email conversations and hijacked accounts, combining social engineering with credential harvesting via proxy-aware phishing tools. Understanding this vector is relevant for email security risk assessments and defenses against increasingly sophisticated phishing methods. 

3 practical actions

  • Audit compromised accounts. Investigate and remediate any contractor or partner accounts that may have been compromised to prevent thread hijacking. 
  • Enhance email security filters. Update phishing detection frameworks to identify and block links that mimic trusted authentication flows, including proxy-aware phishkits. 
  • Educate users on thread integrity. Communicate to staff how abnormal replies in existing threads can signal phishing attempts and encourage verification before engaging with unexpected links.
Previous article
Fraud Campaigns Targeting Canadian Citizens Using Lookalike Government and Service Portals
Next article
CISOs and Security Leaders to Watch in Australian Telecom
Founders, Analysts & Industry Voices

CISOs and Security Leaders to Watch in Australian Telecom

Australia’s telecommunications sector sits at the crossroads of national...
Cyber threats and incidents

Fraud Campaigns Targeting Canadian Citizens Using Lookalike Government and Service Portals

What happened Fraud campaigns are targeting Canadian citizens by exploiting...

Subscribe to our stories

To be updated with all the latest news, offers and special announcements.