Attackers are inserting malicious links into ongoing business conversations rather than sending cold phishing messages.
Security researchers observed a phishing campaign in which attackers gained access to an existing enterprise email thread involving senior executives and used it to distribute credential harvesting links. According to Cybersecurity News, the attackers replied directly within a legitimate approval discussion and inserted a link that led to a fake Microsoft login page. The intrusion was traced back to a compromised sales manager account at a third-party contractor, allowing the attacker to appear as a trusted participant in the conversation.
The campaign shows how attackers are shifting away from random phishing emails toward exploiting everyday business communication. After compromising a contractor’s account, the attacker began replying to and forwarding existing internal emails, and the real message history carried along with those replies made them far more convincing than a typical cold phishing attempt.
Recipients were eventually directed to a phishing sequence that included bot detection and human verification steps, filtering out automated security analysis before presenting the credential harvesting page. The underlying infrastructure used proxy-based phishing tools designed to capture both login credentials and active session tokens, allowing access without triggering standard security alerts. Researchers connected the activity to a broader campaign operating since late 2025, with many of the identified victims located in the Middle East, particularly within finance and infrastructure sectors.
Analysts said the campaign succeeded without exploiting any software flaws, relying instead on social trust embedded in legitimate email conversations. According to analysis cited by Cybersecurity News, “No zero-days or exploits were needed; success hinged on business trust and conversation hijacking,” because the phishing messages originated from real internal threads involving known participants and passed standard email authentication checks.
Researchers noted that this allowed the messages to bypass many filtering controls, even in enterprise environments. They also observed that the credential-harvesting pages closely replicated standard Microsoft authentication workflows, using layered verification screens that appeared routine to users. Once a link was clicked, attackers were able to capture credentials and active session tokens in under a minute, demonstrating how quickly trusted email context can be weaponized.
Research shows that Business Email Compromise (BEC) attacks rely on social engineering, manipulating people rather than systems, to exploit trusted email conversations and cause financial or data loss, which is why email filtering alone is insufficient. A review published in MDPI explains that attackers frequently impersonate legitimate contacts or interfere with normal communication channels to bypass basic controls. Effective defenses therefore require both organizational and technical measures: stronger internal process controls, awareness training focused specifically on BEC tactics rather than generic phishing, separation of duties so that no one person can both request and approve a payment, and proactive detection and response strategies that assume attackers may already be operating within routine correspondence.
Thread hijacking has become a common tactic in business email compromise attacks because it exploits familiarity rather than malware. Writing for Krebs on Security, Proofpoint chief strategy officer Ryan Kalember said these attacks work because recipients believe they are being pulled into an existing, legitimate conversation. “It works because you feel like you’re suddenly included in an important conversation,” Kalember said. He added that some campaigns involve multiple attackers actively replying to one another on the same thread, creating what Proofpoint calls “multi-persona phishing.” The longer the exchange continues, Kalember noted, the more likely victims are to respond and engage, increasing the chance of fraud or credential exposure.
Messages inherit trust from existing conversations, making recipients less likely to question links or attachments.
Attackers often start by compromising vendor or contractor accounts that already communicate with the target organization.
Authentication checks pass because the sender account is legitimate and already trusted within the organization.
Proxy-based phishing tools capture credentials and session tokens in real time while relaying traffic to the legitimate service, reducing visible warning signs.
Organizations can limit third-party access, require out-of-band verification for approvals, train staff to scrutinize unexpected links even in known threads, and monitor for unusual reply behavior within executive conversations.
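One way to monitor for the reply behavior described in this story, as an added example rather than code from the researchers or any vendor named above: score each link in a thread by whether an outside participant introduces a host the thread has never seen, whether that host belongs to the sender's own organization, and whether it imitates an identity-provider sign-in page. The internal domain, the trusted sign-in host set and the sample thread are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

INTERNAL_DOMAIN = "corp.example"                   # assumed: the defended organisation
TRUSTED_IDP_HOSTS = {"login.microsoftonline.com"}  # the genuine Microsoft sign-in host
IDP_KEYWORDS = re.compile(r"microsoft|office|o365|login|signin|sso", re.I)

def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def score_link(msg, host, seen_hosts):
    """Risk score for one link in a message; 3 or more is treated as hijack-like."""
    sdom, score = sender_domain(msg["from"]), 0
    # A reply (not a thread opener) from an outside participant introduces a host
    # that nobody in the thread has linked to before.
    if msg["in_reply_to"] and sdom != INTERNAL_DOMAIN and host not in seen_hosts:
        score += 1
    # The link does not point at the sender's own organisation.
    if not (host == sdom or host.endswith("." + sdom)):
        score += 1
    # Looks like an identity-provider sign-in page but is not the real one.
    if IDP_KEYWORDS.search(host) and host not in TRUSTED_IDP_HOSTS:
        score += 2
    return score

def find_suspicious_replies(thread, threshold=3):
    """Return [(message index, host, score)] for links scoring at or above threshold."""
    findings, seen_hosts = [], set()
    for i, msg in enumerate(thread):
        for url in msg.get("links", []):
            host = (urlparse(url).hostname or "").lower()
            if host and host not in TRUSTED_IDP_HOSTS:
                s = score_link(msg, host, seen_hosts)
                if s >= threshold:
                    findings.append((i, host, s))
            seen_hosts.add(host)
    return findings

# Constructed sample thread (not real mail): an approval discussion in which a
# contractor account sends a benign quote, then later drops a lookalike login link.
SAMPLE_THREAD = [
    {"from": "cfo@corp.example", "in_reply_to": None, "links": []},
    {"from": "sales.mgr@contractor.example", "in_reply_to": "<1@corp.example>",
     "links": ["https://contractor.example/quote.pdf"]},
    {"from": "ceo@corp.example", "in_reply_to": "<2@contractor.example>",
     "links": ["https://corp.sharepoint.example/approvals"]},
    {"from": "sales.mgr@contractor.example", "in_reply_to": "<3@corp.example>",
     "links": ["https://login-micros0ft.example/common/oauth2"]},
]

if __name__ == "__main__":
    print(find_suspicious_replies(SAMPLE_THREAD))  # [(3, 'login-micros0ft.example', 4)]
```

The benign contractor quote and the internal SharePoint link score below the threshold, while the lookalike sign-in host introduced mid-thread by the external account is the only finding.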