
Email thread hijacking: what IAM teams need to do now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Attackers hijacked trusted vendor accounts to inject malicious content into active email threads, bypassing SPF, DKIM and DMARC entirely and exposing a detection gap that live API-based monitoring made visible, according to Abnormal AI. Legacy email controls assume trust can be inferred from sender checks, but thread takeover turns that assumption into a containment problem.

NHIMG editorial — based on content published by Abnormal AI: Key Insights on email thread hijacking, trusted account abuse, and response automation

By the numbers:

  • After replacing the legacy SEG, potential threats requiring attention dropped from roughly 1 in 100 messages to approximately 1 in a million.

Questions worth separating out

Q: What breaks when attackers hijack trusted email accounts instead of spoofing domains?

A: Sender authentication still works, but it no longer protects the user from abuse of a legitimate identity.

Q: Why do SPF, DKIM, and DMARC fail against email thread hijacking?

A: They verify message origin and integrity, not whether the account itself has been compromised or whether the content belongs in the thread.

Q: How can security teams tell if a trusted mailbox is being abused in practice?

A: Look for changes in thread participation, unusual reply timing, new link patterns, and messages that match the conversation format but not the sender’s normal behaviour.

Practitioner guidance

  • Map which mailboxes can impersonate business trust: identify vendor, partner, executive, and shared mailboxes that can reach active threads with minimal scrutiny.
  • Automate containment for compromised email identities: link compromise signals to session revocation, password or token reset, and mailbox quarantine so the first response does not depend on a manual runbook.
  • Add behavioural review to mail authentication outcomes: use thread context, sender history, and message timing to review emails that pass SPF, DKIM, and DMARC but do not fit the conversation pattern.

What's in the full article

Abnormal AI's full analysis covers the operational detail this post intentionally leaves for the source:

  • Examples of how live email traffic exposed the detection gap between a legacy SEG and behavioural analysis
  • Details of the automated account takeover response flow, including session revocation and credential reset handling
  • Practical discussion of API-based integration alongside an existing SEG without disrupting mail flow
  • Operational lessons from reducing false positive and false negative handling through model updates

👉 Read Abnormal AI's analysis of email thread hijacking and account takeover response →

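The behavioural signals named in the Q&A and guidance above (thread participation, reply timing, link patterns, sender behaviour) as an added worked example; this is not code from the post or from Abnormal AI. The Message fields, the two-hour timing tolerance and the sample invoice thread are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Message:
    sender: str
    recipients: list
    sent_at: datetime
    link_domains: list = field(default_factory=list)
    reply_to: str = ""
    auth_pass: bool = True  # SPF, DKIM and DMARC all passed (assumed field)

def review_reply(thread, new):
    """Behavioural review of a reply that already passed sender authentication.
    Returns the signals that do not fit the thread's history; empty means it fits."""
    if not new.auth_pass:
        return ["auth-fail"]  # legacy controls already stop this case
    findings, mine = [], [m for m in thread if m.sender == new.sender]
    # 1. thread participation: a party from the last message silently dropped
    last = thread[-1]
    expected = ({last.sender} | set(last.recipients)) - {new.sender}
    if expected - set(new.recipients):
        findings.append("participants-dropped")
    # 2. reply timing outside the hours this sender has used in the thread (+/- 2h tolerance)
    hours = [m.sent_at.hour for m in mine]
    if hours and not (min(hours) - 2 <= new.sent_at.hour <= max(hours) + 2):
        findings.append("unusual-reply-timing")
    # 3. link domains this sender has never used in the thread
    seen = {d for m in mine for d in m.link_domains}
    if set(new.link_domains) - seen:
        findings.append("new-link-domain")
    # 4. Reply-To steering answers away from the authenticated address
    if new.reply_to and new.reply_to != new.sender and all(m.reply_to != new.reply_to for m in mine):
        findings.append("reply-to-diverges")
    return findings

# Constructed sample thread: a vendor and an accounts-payable contact discussing an invoice.
T = datetime.fromisoformat
V, AP, FL = "vendor@supplier.example", "ap@corp.example", "finance-lead@corp.example"
THREAD = [
    Message(V, [AP, FL], T("2024-05-06T09:05:00"), ["portal.supplier.example"]),
    Message(AP, [V, FL], T("2024-05-06T11:40:00")),
    Message(V, [AP, FL], T("2024-05-07T14:20:00"), ["portal.supplier.example"]),
    Message(AP, [V, FL], T("2024-05-07T16:02:00")),
]
LEGIT = Message(V, [AP, FL], T("2024-05-08T10:30:00"), ["portal.supplier.example"])
# Same authenticated mailbox, but finance lead dropped, sent at 03:12, unseen link domain, look-alike Reply-To.
HIJACKED = Message(V, [AP], T("2024-05-08T03:12:00"), ["invoice-view.example-cdn.net"],
                   reply_to="vendor@supp1ier.example")
```

A reply with two or more findings is the kind of message the guidance above says should be held for review even though every authentication check passed.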

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Trusted email relationships have become an identity attack surface. This article shows that attackers do not need to defeat SPF, DKIM, or DMARC when they can operate from a legitimate account already trusted by the business. The security failure is not message authenticity alone, but the assumption that authenticated senders remain trustworthy throughout the lifecycle of a conversation. Practitioners should treat trusted mailbox access as an identity control problem, not just a filtering problem.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who is accountable when a compromised vendor mailbox is used to launch phishing?

A: Responsibility is shared across the organisation that owns the mailbox, the teams that govern access and recovery, and the recipient side that must detect abnormal thread behaviour. The key accountability question is whether session revocation, credential reset, and message containment were automatic enough to stop further abuse before more users were affected.

👉 Read our full editorial: Email thread hijacking shows where legacy controls break down
