{
	"id": "3160e47e-1e2a-4b63-8903-c64407f37dc0",
	"created_at": "2026-04-06T00:16:01.282271Z",
	"updated_at": "2026-04-10T13:11:50.297377Z",
	"deleted_at": null,
	"sha1_hash": "34057c323cd8d269eec8cb7d4ecd18b1dcf3b2cc",
	"title": "Thread Hijacking: Phishes That Prey on Your Curiosity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 381770,
	"plain_text": "Thread Hijacking: Phishes That Prey on Your Curiosity\r\nPublished: 2024-03-29 · Archived: 2026-04-05 22:44:13 UTC\r\nThread hijacking attacks. They happen when someone you know has their email account compromised, and you\r\nare suddenly dropped into an existing conversation between the sender and someone else. These missives draw on\r\nthe recipient’s natural curiosity about being copied on a private discussion, which is modified to include a\r\nmalicious link or attachment. Here’s the story of a thread hijacking attack in which a journalist was copied on a\r\nphishing email from the unwilling subject of a recent scoop.\r\nIn Sept. 2023, the Pennsylvania news outlet LancasterOnline.com published a story about Adam Kidan, a\r\nwealthy businessman with a criminal past who is a major donor to Republican causes and candidates, including\r\nRep. Lloyd Smucker (R-Pa).\r\nThe LancasterOnline story about Adam Kidan.\r\nSeveral months after that piece ran, the story’s author Brett Sholtis received two emails from Kidan, both of\r\nwhich contained attachments. One of the messages appeared to be a lengthy conversation between Kidan and a\r\ncolleague, with the subject line, “Re: Successfully sent data.” The second missive was a more brief email from\r\nKidan with the subject, “Acknowledge New Work Order,” and a message that read simply, “Please find the\r\nattached.”\r\nhttps://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/\r\nPage 1 of 3\n\nSholtis said he clicked the attachment in one of the messages, which then launched a web page that looked exactly\r\nlike a Microsoft Office 365 login page. An analysis of the webpage reveals it would check any submitted\r\ncredentials at the real Microsoft website, and return an error if the user entered bogus account information. 
A\r\nsuccessful login would record the submitted credentials and forward the victim to the real Microsoft website.\r\nBut Sholtis said he didn’t enter his Outlook username and password. Instead, he forwarded the messages to\r\nLancasterOnline’s IT team, which quickly flagged them as phishing attempts.\r\nLancasterOnline Executive Editor Tom Murse said the two phishing messages from Mr. Kidan raised eyebrows\r\nin the newsroom because Kidan had threatened to sue the news outlet multiple times over Sholtis’s story.\r\n“We were just perplexed,” Murse said. “It seemed to be a phishing attempt but we were confused why it would\r\ncome from a prominent businessman we’ve written about. Our initial response was confusion, but we didn’t know\r\nwhat else to do with it other than to send it to the FBI.”\r\nThe phishing lure attached to the thread hijacking email from Mr. Kidan.\r\nIn 2006, Kidan was sentenced to 70 months in federal prison after pleading guilty to defrauding lenders along with\r\nJack Abramoff, the disgraced lobbyist whose corruption became a symbol of the excesses of Washington influence\r\npeddling. He was paroled in 2009, and in 2014 moved his family to a home in Lancaster County, Pa.\r\nThe FBI hasn’t responded to LancasterOnline’s tip. Messages sent by KrebsOnSecurity to Kidan’s email\r\naddresses were returned as blocked. Messages left with Mr. Kidan’s company, Empire Workforce Solutions, went\r\nunreturned.\r\nNo doubt the FBI saw the messages from Kidan for what they likely were: The result of Mr. Kidan having his\r\nMicrosoft Outlook account compromised and used to send malicious email to people in his contacts list.\r\nThread hijacking attacks are hardly new, but that is mainly true because many Internet users still don’t know how\r\nto identify them. 
The email security firm Proofpoint says it has tracked north of 90 million malicious messages in\r\nthe last five years that leverage this attack method.\r\nOne key reason thread hijacking is so successful is that these attacks generally do not include the tell that exposes\r\nmost phishing scams: A fabricated sense of urgency. A majority of phishing threats warn of negative consequences\r\nshould you fail to act quickly — such as an account suspension or an unauthorized high-dollar charge going\r\nthrough.\r\nIn contrast, thread hijacking campaigns tend to patiently prey on the natural curiosity of the recipient.\r\nRyan Kalember, chief strategy officer at Proofpoint, said probably the most ubiquitous examples of thread\r\nhijacking are “CEO fraud” or “business email compromise” scams, wherein employees are tricked by an email\r\nfrom a senior executive into wiring millions of dollars to fraudsters overseas.\r\nBut Kalember said these low-tech attacks can nevertheless be quite effective because they tend to catch people\r\noff-guard.\r\n“It works because you feel like you’re suddenly included in an important conversation,” Kalember said. “It just\r\nregisters a lot differently when people start reading, because you think you’re observing a private conversation\r\nbetween two different people.”\r\nSome thread hijacking attacks actually involve multiple threat actors who are actively conversing while copying\r\n— but not addressing — the recipient.\r\n“We call these multi-persona phishing scams, and they’re often paired with thread hijacking,” Kalember said. “It’s\r\nbasically a way to build a little more affinity than just copying people on an email. 
And the longer the\r\nconversation goes on, the higher their success rate seems to be because some people start replying to the thread\r\n[and participating] psycho-socially.”\r\nThe best advice to sidestep phishing scams is to avoid clicking on links or attachments that arrive unbidden in\r\nemails, text messages and other mediums. If you’re unsure whether the message is legitimate, take a deep breath\r\nand visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential\r\ntyposquatting sites.\r\nSource: https://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/"
	],
	"report_names": [
		"thread-hijacking-phishes-that-prey-on-your-curiosity"
	],
	"threat_actors": [],
	"ts_created_at": 1775434561,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/34057c323cd8d269eec8cb7d4ecd18b1dcf3b2cc.pdf",
		"text": "https://archive.orkl.eu/34057c323cd8d269eec8cb7d4ecd18b1dcf3b2cc.txt",
		"img": "https://archive.orkl.eu/34057c323cd8d269eec8cb7d4ecd18b1dcf3b2cc.jpg"
	}
}