{
	"id": "9fee53f6-403a-4d9e-9fac-be7808d3a92b",
	"created_at": "2026-04-06T00:09:50.601735Z",
	"updated_at": "2026-04-10T13:11:24.022034Z",
	"deleted_at": null,
	"sha1_hash": "360e2f6154ad57dc6f20f508ef67948f963bb9e0",
	"title": "Case Study: Emotet Thread Hijacking, an Email Attack Technique",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5373858,
	"plain_text": "Case Study: Emotet Thread Hijacking, an Email Attack Technique\r\nBy Brad Duncan\r\nPublished: 2020-09-23 · Archived: 2026-04-05 16:42:06 UTC\r\nExecutive Summary\r\nMalicious spam (malspam) pushing Emotet malware is the most common email-based threat, far surpassing other\r\nmalware families, with only a few other threats coming close.\r\nIn recent weeks, we have seen significantly more Emotet malspam using a technique called \"thread hijacking\" that\r\nutilizes legitimate messages stolen from infected computers' email clients. This malspam spoofs a legitimate user\r\nand impersonates a reply to the stolen email. Thread hijacked malspam is sent to addresses from the original\r\nmessage.\r\nThis technique is much more effective than less sophisticated methods, which many people have now learned to\r\nspot. The approach is more successful at convincing potential victims to click on an attached file, or to click on a\r\nlink to download a malicious Word document with macros designed to infect a user with Emotet.\r\nHere, we review a case study of Emotet's thread hijacking process so we can better recognize and understand this\r\ntechnique.\r\nPalo Alto Networks customers are protected from this threat because our Threat Prevention security subscription\r\ndetects and prevents these types of Emotet infections. AutoFocus users can track Emotet activity using\r\nthe Emotet tag.\r\nhttps://unit42.paloaltonetworks.com/emotet-thread-hijacking/\r\nPage 1 of 8\n\nFigure 1. Visual representation of Emotet’s thread hijacking process.\r\nCase Study Timeline\r\nTo illustrate Emotet's thread hijacking process, our case study focuses on an infection from Sept. 3, 2020. 
In this\r\nexample, Emotet hijacks the most recent email in an Outlook inbox from an infected host.\r\nThe timeline is:\r\n15:35 UTC – Legitimate message received by email client on host.\r\n16:31 UTC – Host infected with Emotet.\r\n16:34 UTC – Legitimate message collected from infected host is sent through Emotet command and\r\ncontrol (C2) traffic.\r\n18:22 UTC – Emotet botnet sends spoofed email using legitimate message from the infected host.\r\nThis process took one hour and 51 minutes to progress from the infection to the arrival of a thread-hijacked email.\r\nLegitimate Email From the Infected Host\r\nIn our example, a vulnerable Windows 10 host used Microsoft Outlook as its email client. Outlook was\r\nsynchronized to a Microsoft account at k*********.r*******@outlook.com (we have redacted information from\r\nthe email addresses for this case study). The most recent message in the infected host’s email client is shown in\r\nFigure 2, and we have loaded a redacted copy of the legitimate email to GitHub.\r\nFigure 2. Most recent email from an infected host’s Outlook client.\r\nAs we see in Figure 2, the most recent email was received at 15:35 UTC, approximately one hour before the host\r\nwas infected with Emotet. This email is a response from t****.h******@yahoo.com to a previous message from\r\nk*********.r*******@outlook.com.\r\nData Exfiltration Through C2 Traffic\r\nEmotet uses HTTP POST requests over C2 traffic to send data collected from the infected host. This data is\r\nencoded or otherwise encrypted before it is sent over HTTP.\r\nMost of these POST requests contain only a small amount of encoded data from the infected host, often much less\r\nthan 1,000 bytes. These requests contain an extra 4 kB of data for padding and form header data. Figure 3 shows a\r\ntypical example of Emotet C2 traffic from our case study.\r\nFigure 3. Example of HTTP POST data from Emotet C2 traffic in our case study.\r\nSince the amount of encoded data is so small, it does not contain any email chain data collected from the infected\r\nuser’s email client. However, at 16:34 UTC, we find 13.9 kB of encoded data sent over Emotet HTTP C2 traffic as\r\nshown in Figure 4.\r\nFigure 4. Approximately 13.9 kB of encoded data in Emotet C2 traffic at 16:34 UTC.\r\nThis amount is large enough to contain email chain data collected from the infected Windows host. It is the only\r\nsignificant amount of data sent in HTTP POST requests from the Emotet-infected host before we find the thread-hijacked email at 18:22 UTC.\r\nSpoofed Message From Hijacked Email\r\nAt 18:22 UTC, a spoofed email was received by t****.h******@yahoo.com, the Yahoo account that had sent the\r\nmost recent message in correspondence to the infected host. It contains an attached Word document with macros\r\nfor Emotet. This message is shown in Figure 5, and we have loaded a copy of the spoofed email to GitHub.\r\nFigure 5. Hijacked email sent from the Emotet botnet.\r\nThe message is a reply to t****.h******@yahoo.com that spoofs k*********.r*******@outlook.com from the\r\ninfected host.\r\nThese thread-hijacked messages either have an attached file, or they have a link to download a malicious Word\r\ndocument with macros designed to infect a vulnerable host with Emotet.\r\nEmotet’s thread-hijacked message from this case study spoofed the name in the sending address line from the\r\ninfected host. Headers from the spoofed message indicate the actual sender may have been from a botnet host in\r\nBrazil, or a Brazil-based host may have been used to relay the message. Botnet hosts from all over the world are\r\nused to send these thread-hijacked messages from Emotet infections.\r\nFigure 6. Header lines from hijacked message sent to t****.h******@yahoo.com.\r\nThese spoofed messages tend to be the most recent emails from a victim’s email client because those are the most\r\nlikely to fool someone.\r\nOf note, we cannot always assume the spoofed sending address is from an infected victim. If the original message\r\nfrom an infected victim has multiple recipients, a hijacked email could spoof one of the other recipients.\r\nConclusion\r\nWe’ve stored an example of the legitimate email that was hijacked in this case study.\r\nWe’ve also stored an example of the spoofed messages sent from the Emotet botnet.\r\nThe pcap of infection traffic from this case study is also available.\r\nThis case study shows an example of Emotet thread hijacking so we can better understand how Emotet malware\r\nutilizes this technique. Emotet is a very active threat that constantly updates its malware in an attempt to evade\r\ndetection. This vector of infection can reach a great deal of potential victims.\r\nHowever, organizations with effective spam filtering that follow best security practices have a much lower risk\r\nfrom this infection vector. Palo Alto Networks customers are further protected from this threat, because our Threat\r\nPrevention security subscription detects and prevents these types of Emotet infections. AutoFocus users can track\r\nEmotet activity using the Emotet tag.\r\nSource: https://unit42.paloaltonetworks.com/emotet-thread-hijacking/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/emotet-thread-hijacking/"
	],
	"report_names": [
		"emotet-thread-hijacking"
	],
	"threat_actors": [],
	"ts_created_at": 1775434190,
	"ts_updated_at": 1775826684,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/360e2f6154ad57dc6f20f508ef67948f963bb9e0.pdf",
		"text": "https://archive.orkl.eu/360e2f6154ad57dc6f20f508ef67948f963bb9e0.txt",
		"img": "https://archive.orkl.eu/360e2f6154ad57dc6f20f508ef67948f963bb9e0.jpg"
	}
}