Case Study: Emotet Thread Hijacking, an Email Attack Technique



Executive Summary


Malicious spam (malspam) pushing Emotet malware is the most common email-based threat, far surpassing other malware families, with only a few other threats coming close.


In recent weeks, we have seen significantly more Emotet malspam using a technique called “thread hijacking,” which uses legitimate messages stolen from the email clients of infected computers. This malspam spoofs a legitimate user and impersonates a reply to the stolen email. Thread-hijacked malspam is sent to addresses taken from the original message.


This technique is much more effective than less sophisticated methods, which many people have now learned to spot. The approach is more successful at convincing potential victims to click on an attached file, or to click on a link to download a malicious Word document with macros designed to infect a user with Emotet.
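As an added illustration that is not part of the original post, the following Python triage function scores a message for the three signals described above: it looks like a reply (In-Reply-To header or RE:/FW: subject), its visible From address is on a different domain than the envelope sender in Return-Path (the spoofed legitimate user), and it carries a Word attachment. The sample message is constructed for the example, with placeholder domains, and the helper names are assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample, not a real Emotet message: reply-style subject and
# In-Reply-To taken from a stolen thread, visible From spoofing a legitimate
# user, envelope sender on unrelated infrastructure, macro-capable .doc attached.
SAMPLE_MALSPAM = """\
Return-Path: <bounce@unrelated-relay.example.net>
From: "Alice Example" <alice@victim-company.example>
Subject: RE: Invoice for September
In-Reply-To: <thread-123@partner.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached document.
--b1
Content-Type: application/msword; name="Invoice.doc"
Content-Disposition: attachment; filename="Invoice.doc"

(constructed placeholder bytes)
--b1--
"""
WORD_EXTENSIONS = (".doc", ".docm", ".dot", ".dotm")

def _domain(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def thread_hijack_indicators(raw: str) -> list[str]:
    """Return the thread-hijacking signals present in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    if msg.get("In-Reply-To") or str(msg.get("Subject", "")).lower().startswith(("re:", "fw:", "fwd:")):
        findings.append("reply-style message (In-Reply-To header or RE:/FW: subject)")
    from_domain, envelope_domain = _domain(msg.get("From", "")), _domain(msg.get("Return-Path", ""))
    if envelope_domain and from_domain != envelope_domain:  # visible sender does not match envelope
        findings.append(f"From domain {from_domain} differs from envelope domain {envelope_domain}")
    for part in msg.iter_attachments():  # payload: Word document that may carry macros
        name = part.get_filename() or ""
        if name.lower().endswith(WORD_EXTENSIONS):
            findings.append(f"Word attachment {name}")
    return findings

def is_suspected_thread_hijack(raw: str) -> bool:
    """Reply-style plus at least one spoofing or payload signal; a triage score, not a verdict."""
    findings = thread_hijack_indicators(raw)
    return len(findings) >= 2 and findings[0].startswith("reply-style")
```

A From/Return-Path domain mismatch on its own is common for mailing lists and forwarding services, so the score requires the reply-style signal plus at least one more before a message is flagged for review.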


Here, we review a case study of Emotet’s thread hijacking process so we can better recognize and understand this technique.


Palo Alto Networks customers are protected from this threat because our Threat Prevention security subscription detects and prevents these types of Emotet infections. AutoFocus users can track Emotet activity using the Emotet tag.


Figure 1. Visual representation of Emotet’s thread hijacking process.

Case Study Timeline


To illustrate Emotet’s thread hijacking process, our case study focuses on an infection from Sept. 3, 2020. In this example, Emotet hijacks the most recent email in ..
