Conversation hijacking is the insertion of a fraudulent actor into an existing email thread so the request appears to continue a legitimate discussion. The attacker relies on prior message history, familiar tone, and trusted recipients to bypass human suspicion and complete the fraud path.
Expanded Definition
Conversation hijacking is a post-compromise fraud technique in which an attacker inserts themselves into an existing email thread and continues the exchange as if they belonged there. The attack works because the message chain already contains context, urgency, names, formatting, and trust signals that reduce scrutiny. In NHI and identity-adjacent security work, it is best understood as a message-integrity problem, not just a phishing variant.
Definitions vary across vendors, but the core mechanic is consistent: the attacker leverages a real conversation to steer a payment, credential reset, data transfer, or approval request. It often overlaps with business email compromise, mailbox takeover, and reply-chain abuse, yet it is more precise to reserve this term for attacks that exploit an existing thread rather than a brand-new lure. The NIST Cybersecurity Framework 2.0 emphasizes governance, protective controls, and detection that reduce this kind of trust abuse in communications workflows.
The most common misapplication is treating every suspicious reply as generic phishing; defenders who do so miss the fact that the attacker is abusing a legitimate thread with valid context and timing.
Examples and Use Cases
Rigorous detection of conversation hijacking often introduces workflow friction, so organisations must weigh faster email handling against stronger verification of sensitive requests.
- A finance team receives a “follow-up” inside an existing vendor thread asking for updated bank details before a scheduled payment.
- An attacker who has access to one mailbox replies in a project thread and asks a colleague to approve a wire transfer or share a file.
- A compromised supplier account continues an open procurement discussion and redirects invoice instructions at the last step.
- A security team reviewing patterns in the Ultimate Guide to NHIs sees that thread-based abuse often follows broader identity weakness, including exposed credentials and excessive privileges.
- An enterprise maps email validation and escalation controls to guidance from the NIST Cybersecurity Framework 2.0 to require out-of-band verification for high-risk requests.
In practice, the term applies most cleanly when the attacker is not inventing a new persona from scratch, but instead hijacking trust already established in the conversation history.
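The thread-based checks the examples describe (a reply that references a real thread but diverts responses to a new domain and asks to change payment details) can be expressed as a small defensive script. This is an added example, not code from the original page; the vendor thread, domains and message IDs are constructed.

```python
# Added example: thread-integrity checks for reply-chain abuse over a
# constructed vendor thread (hypothetical domains, not from the page).
from email import message_from_string
from email.utils import parseaddr

THREAD = [  # constructed sample messages, oldest first
    "From: dana@vendor-example.com\nTo: ap@corp-example.com\n"
    "Message-ID: <1001@vendor-example.com>\nSubject: Invoice 4471\n\n"
    "Hi, attached is invoice 4471 for the Q3 work.\n",
    "From: ap@corp-example.com\nTo: dana@vendor-example.com\n"
    "Message-ID: <2001@corp-example.com>\nIn-Reply-To: <1001@vendor-example.com>\n"
    "Subject: RE: Invoice 4471\n\nThanks Dana, scheduled for the 30th.\n",
    # Hijacked reply: sent from the real (compromised) vendor mailbox, but
    # Reply-To diverts answers to a lookalike domain and asks to change bank details.
    "From: dana@vendor-example.com\nTo: ap@corp-example.com\n"
    "Reply-To: dana@vendor-examp1e.com\nMessage-ID: <3001@vendor-example.com>\n"
    "In-Reply-To: <2001@corp-example.com>\nSubject: RE: Invoice 4471\n\n"
    "Quick follow-up: our bank details changed, please use the new account\n"
    "below before releasing the payment.\n",
]

PAYMENT_CHANGE_TERMS = ("bank details", "new account", "updated account", "wire")


def domain(header):
    """Lower-cased domain part of an address header, '' if absent."""
    return parseaddr(header or "")[1].rpartition("@")[2].lower()


def check_reply(history, reply):
    """Findings for `reply` judged against the earlier messages in `history`."""
    findings = []
    known_ids = {m["Message-ID"] for m in history}
    participants = {domain(m["From"]) for m in history} | {domain(m["To"]) for m in history}
    if reply["In-Reply-To"] not in known_ids:
        findings.append("in-reply-to does not match a message in this thread")
    if domain(reply["From"]) not in participants:
        findings.append("sender domain not previously part of thread")
    if reply["Reply-To"] and domain(reply["Reply-To"]) != domain(reply["From"]):
        findings.append("reply-to domain differs from sender domain")
    if any(t in reply.get_payload().lower() for t in PAYMENT_CHANGE_TERMS):
        findings.append("payment-detail change requested mid-thread")
    return findings


def scan_thread(raw_messages):
    """Map each reply's Message-ID to its findings; anything non-empty should
    be routed to out-of-band verification rather than auto-approval."""
    msgs = [message_from_string(r) for r in raw_messages]
    return {msgs[i]["Message-ID"]: check_reply(msgs[:i], msgs[i])
            for i in range(1, len(msgs))}
```

The second message (a normal reply from the customer) produces no findings, while the third is flagged on both the Reply-To mismatch and the payment-change request, which is the combination a finance workflow should hold for out-of-band verification.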
Why It Matters in NHI Security
Conversation hijacking matters because it is often the human-facing end result of an identity failure somewhere upstream. A compromised mailbox, abused service account, stolen token, or leaked secret can all create the conditions for a trusted thread to be weaponized. NHI Management Group research shows that 79% of organisations have experienced secrets leaks, with 77% of those incidents causing tangible damage, which helps explain how attackers sustain long-lived access paths that later surface as reply-chain fraud. The same research also shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, a reminder that thread abuse may begin with machine identity compromise even when the final action targets a person.
That is why conversation hijacking belongs in NHI governance, detection engineering, and incident response. Organisations need controls that limit mailbox and API exposure, enforce least privilege, and flag anomalous replies that arrive from compromised accounts or unfamiliar locations. The Ultimate Guide to NHIs highlights how widespread secret leakage and poor visibility into service accounts create the access conditions attackers rely on. Organisations typically encounter the operational impact only after a trusted thread has already driven a fraudulent payment or disclosure, at which point conversation hijacking becomes impossible to ignore.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Thread abuse often starts with compromised NHI secrets or mail access. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege and access control reduce mailbox abuse that enables reply-chain fraud. |
| NIST Zero Trust (SP 800-207) | SC-3 | Zero Trust requires continuous validation of message and identity trust boundaries. |
Reduce secret exposure and revoke compromised NHI access before attackers can hijack trusted conversations.