{"id":18033,"date":"2026-01-28T12:07:27","date_gmt":"2026-01-28T12:07:27","guid":{"rendered":"\/cybersecurity-blog\/?p=18033"},"modified":"2026-01-28T12:24:13","modified_gmt":"2026-01-28T12:24:13","slug":"enterprise-email-thread-phishing","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/enterprise-email-thread-phishing\/","title":{"rendered":"Attackers\u00a0Are Taking\u00a0Over\u00a0Real\u00a0Email Threads\u00a0to Deliver\u00a0Phishing: New Enterprise Risk"},"content":{"rendered":"\n<p>Think you can trust every email that comes from a business partner?&nbsp;<\/p>\n\n\n\n<p>Unfortunately,&nbsp;that\u2019s&nbsp;no longer guaranteed; attackers now slip into legitimate threads and send messages that&nbsp;look fully authentic.&nbsp;&nbsp;<\/p>\n\n\n\n<p>That\u2019s&nbsp;exactly what happened in a new case uncovered by&nbsp;<a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Enterprise-email-thread-phishing&amp;utm_term=280126&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN researchers<\/a>; a trust takeover inside&nbsp;a real executive&nbsp;discussion about a document awaiting final approval.&nbsp;&nbsp;<\/p>\n\n\n\n<p>By detonating the suspicious message,&nbsp;the&nbsp;investigation&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Enterprise-email-thread-phishing&amp;utm_term=280126&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">exposed the full execution chain<\/a>&nbsp;and&nbsp;linked it to a broader phishing campaign already active&nbsp;since 2025.&nbsp;<\/p>\n\n\n\n<p>Let\u2019s&nbsp;find out&nbsp;how this attack worked,&nbsp;and how your team can detect similar threats faster, safely, and without disrupting business processes.&nbsp;<\/p>\n\n\n\n<p><strong>TL;DR&nbsp;<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Initial 
access:<\/strong>&nbsp;Likely compromise&nbsp;of a contractor mailbox already involved in the thread, enabling&nbsp;<strong>conversation hijacking<\/strong>&nbsp;inside&nbsp;a real C-suite&nbsp;approval flow.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Attack&nbsp;chain:<\/strong>&nbsp;SCA phishing email \u2192 7x forwards \u2192 phishing link \u2192 Cloudflare Turnstile antibot page \u2192 Turnstile-protected phishing page \u2192&nbsp;<a href=\"https:\/\/any.run\/malware-trends\/evilproxy\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>EvilProxy<\/strong><\/a>&nbsp;AiTM&nbsp;for Microsoft credential theft.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Evasion:<\/strong>&nbsp;Multi-step redirects + Turnstile mean the final phishing content is only exposed during&nbsp;<strong>real execution<\/strong>, not simple URL or static checks.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Detection:<\/strong>&nbsp;Behavioral detonation is&nbsp;required&nbsp;to see the full chain and confirm intent; static analysis alone is unlikely to flag it reliably.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Campaign context:<\/strong>&nbsp;Pivoting domains, URL paths (\/bot,&nbsp;\/robot), and patterns like&nbsp;loginmicrosoft*&nbsp;in&nbsp;<a href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Enterprise-email-thread-phishing&amp;utm_term=280126&amp;utm_content=linktoregistration#register?redirect-ref=intelligence.any.run\/analysis\/lookup\" target=\"_blank\" rel=\"noreferrer noopener\">TI&nbsp;Lookup<\/a>&nbsp;maps this incident to a broader&nbsp;EvilProxy&nbsp;campaign, and&nbsp;supports hunting + detection engineering with both IOCs and IOBs.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">New Phishing Attack Overview&nbsp;<\/h2>\n\n\n\n<p>This incident started as something that&nbsp;looked completely normal from the outside: a 
live email discussion about a document waiting for final approval. It&nbsp;didn\u2019t&nbsp;contain&nbsp;any strange subject line or a cold intro. Just a reply that appeared to belong in the thread.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"667\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Attackers-Taking-Over-a-Real-Enterprise-Email-Thread-to-Deliver-Phishing--1024x667.png\" alt=\"A phishing email sent from contractor\u2019s sales manager account\" class=\"wp-image-18037\" style=\"width:594px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Attackers-Taking-Over-a-Real-Enterprise-Email-Thread-to-Deliver-Phishing--1024x667.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Attackers-Taking-Over-a-Real-Enterprise-Email-Thread-to-Deliver-Phishing--300x195.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Attackers-Taking-Over-a-Real-Enterprise-Email-Thread-to-Deliver-Phishing--768x500.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Attackers-Taking-Over-a-Real-Enterprise-Email-Thread-to-Deliver-Phishing--370x241.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Attackers-Taking-Over-a-Real-Enterprise-Email-Thread-to-Deliver-Phishing--270x176.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Attackers-Taking-Over-a-Real-Enterprise-Email-Thread-to-Deliver-Phishing--740x482.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Attackers-Taking-Over-a-Real-Enterprise-Email-Thread-to-Deliver-Phishing-.png 1464w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>An email sent from contractor\u2019s sales manager account,&nbsp;containing&nbsp;phishing 
link<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p><strong>What made it dangerous was the access path.<\/strong>&nbsp;The attacker&nbsp;likely got&nbsp;into a supplier-side mailbox (a contractor\u2019s sales manager account) and used that trusted identity to respond directly inside the&nbsp;active discussion among C-suite executives about&nbsp;a document pending final approval.&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Initial access (suspected):<\/strong>&nbsp;Compromised contractor account that was already involved in business correspondence.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Delivery method:<\/strong>&nbsp;Conversation hijacking inside an existing C-suite thread.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Goal:<\/strong>&nbsp;Steal Microsoft credentials through a fake authentication page.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Protection evasion:<\/strong>&nbsp;Layered redirects and anti-bot gating designed to keep the content \u201cclean\u201d until a real user interacts.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Campaign link:<\/strong>&nbsp;Indicators connected to a broader operation consistent with the&nbsp;<strong>EvilProxy<\/strong>&nbsp;phishkit, active since early&nbsp;<strong>December 2025<\/strong>, with primary targeting in the&nbsp;<strong>Middle East.<\/strong>&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Execution Chain&nbsp;Observed&nbsp;Step-by-Step&nbsp;<\/h2>\n\n\n\n<p>SCA phishing email \u2192 7 forwarded messages \u2192 phishing link \u2192 anti-bot landing page (Cloudflare Turnstile) \u2192 phishing page (Cloudflare Turnstile) \u2192&nbsp;EvilProxy&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"538\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Execution-chain-revealed-by-ANY.RUN_-1024x538.png\" alt=\"\" class=\"wp-image-18087\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Execution-chain-revealed-by-ANY.RUN_-1024x538.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Execution-chain-revealed-by-ANY.RUN_-300x158.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Execution-chain-revealed-by-ANY.RUN_-768x403.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Execution-chain-revealed-by-ANY.RUN_-1536x806.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Execution-chain-revealed-by-ANY.RUN_-2048x1075.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Execution-chain-revealed-by-ANY.RUN_-370x194.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Execution-chain-revealed-by-ANY.RUN_-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Execution-chain-revealed-by-ANY.RUN_-740x389.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Execution chain\u00a0revealed by ANY.RUN researchers\u00a0<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">1) SCA phishing email (initial&nbsp;entry into the supply chain)&nbsp;<\/h3>\n\n\n\n<p>The campaign begins with a message designed to&nbsp;look like routine business communication from the supply chain side (contractor\/vendor context). 
The goal at this stage is simple: land the first message in an inbox that\u2019s already part of&nbsp;real business&nbsp;workflows, so later steps inherit trust.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2) 7 forwarded messages (conversation momentum + legitimacy)&nbsp;<\/h3>\n\n\n\n<p>The attacker&nbsp;didn\u2019t&nbsp;need to write a convincing pitch. The thread did that work for them. 
As the email was&nbsp;forwarded&nbsp;across stakeholders, it picked up real context, real names, and the natural \u201cwe\u2019re already discussing this\u201d signal that makes people drop their guard. By the time it landed with executives, the link&nbsp;looked like just another step in a legitimate approval flow, not a new request that needed to be questioned.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"364\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/An-email-sent-by-attackers-1024x364.png\" alt=\"An email sent by attackers using contractor\u2019s account\u00a0\" class=\"wp-image-18039\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/An-email-sent-by-attackers-1024x364.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/An-email-sent-by-attackers-300x107.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/An-email-sent-by-attackers-768x273.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/An-email-sent-by-attackers-370x132.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/An-email-sent-by-attackers-270x96.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/An-email-sent-by-attackers-740x263.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/An-email-sent-by-attackers.png 1464w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>An email sent by attackers using contractor\u2019s sales manager account<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">3) Phishing link (the moment of action)&nbsp;<\/h3>\n\n\n\n<p>The link is placed where it&nbsp;looks expected: tied to \u201creview,\u201d \u201cfinal approval,\u201d or \u201cdocument access.\u201d&nbsp;It\u2019s&nbsp;not 
framed as suspicious or urgent in a classic way.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1012\" height=\"616\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/fake-document-.png\" alt=\"Attackers\u00a0encouraging\u00a0the potential victim to open the\u00a0fake document\" class=\"wp-image-18040\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/fake-document-.png 1012w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/fake-document--300x183.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/fake-document--768x467.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/fake-document--370x225.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/fake-document--270x164.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/fake-document--740x450.png 740w\" sizes=\"(max-width: 1012px) 100vw, 1012px\" \/><figcaption class=\"wp-element-caption\"><em>Attackers&nbsp;encouraging&nbsp;the potential victim to open the&nbsp;fake document<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">4) Anti-bot landing page with Cloudflare Turnstile (filtering for real users)&nbsp;<\/h3>\n\n\n\n<p>After clicking, the victim&nbsp;doesn\u2019t&nbsp;land on the phishing form&nbsp;immediately. First, they hit an intermediary page protected by&nbsp;<strong>Cloudflare Turnstile<\/strong>. 
This step helps the attackers in two ways:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It screens out automated scanners and some security crawlers.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It delays exposure of the real phishing content until a human completes the check.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"773\" height=\"616\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Security-verification-gate-1-.png\" alt=\"\" class=\"wp-image-18042\" style=\"width:534px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Security-verification-gate-1-.png 773w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Security-verification-gate-1--300x239.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Security-verification-gate-1--768x612.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Security-verification-gate-1--370x295.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Security-verification-gate-1--270x215.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Security-verification-gate-1--740x590.png 740w\" sizes=\"(max-width: 773px) 100vw, 773px\" \/><figcaption class=\"wp-element-caption\"><em>Security verification done inside ANY.RUN\u2019s&nbsp;sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">5) Phishing page with Cloudflare Turnstile (second gate before credential capture)&nbsp;<\/h3>\n\n\n\n<p>Once the user passes the first gate,&nbsp;they\u2019re&nbsp;redirected to the phishing&nbsp;page;&nbsp;often with another&nbsp;<strong>Turnstile<\/strong>&nbsp;challenge. 
This extra layer reduces automated analysis success even more and increases the chance that the only \u201creal\u201d views of the credential page come from actual targets.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"484\" height=\"404\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Security-verification-done-inside-ANY.RUN_.png\" alt=\"\" class=\"wp-image-18041\" style=\"width:476px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Security-verification-done-inside-ANY.RUN_.png 484w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Security-verification-done-inside-ANY.RUN_-300x250.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Security-verification-done-inside-ANY.RUN_-370x309.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Security-verification-done-inside-ANY.RUN_-270x225.png 270w\" sizes=\"(max-width: 484px) 100vw, 484px\" \/><figcaption class=\"wp-element-caption\"><em>The second Cloudflare verification before arriving at the phishing page<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">6)&nbsp;EvilProxy&nbsp;(credential theft via adversary-in-the-middle)&nbsp;<\/h3>\n\n\n\n<p>After passing the gates, the user is presented with a&nbsp;<strong>fake Microsoft authentication flow<\/strong>&nbsp;that\u2019s&nbsp;built to steal credentials in a way that works even when users have strong security habits. 
The intent is to capture what the attacker needs to access the account and continue the intrusion,&nbsp;often by expanding access to other threads, mailboxes, and internal resources.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"122\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Social-engineering-attempt-discovered-1024x122.png\" alt=\"\" class=\"wp-image-18043\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Social-engineering-attempt-discovered-1024x122.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Social-engineering-attempt-discovered-300x36.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Social-engineering-attempt-discovered-768x92.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Social-engineering-attempt-discovered-370x44.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Social-engineering-attempt-discovered-270x32.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Social-engineering-attempt-discovered-740x89.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Social-engineering-attempt-discovered.png 1112w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Social engineering attempt discovered by ANY.RUN&nbsp;sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Why&nbsp;Thread-Hijack&nbsp;Phishing is a&nbsp;Different&nbsp;Class of&nbsp;Business&nbsp;Risk&nbsp;<\/h2>\n\n\n\n<p>Supply chain phishing has changed. Modern campaigns run like full operations,&nbsp;built to blend into real workflows and scale quietly across vendors and partners. 
The biggest shift is simple: these attacks exploit&nbsp;<strong>business trust<\/strong>, not technical vulnerabilities.&nbsp;<\/p>\n\n\n\n<p>What makes this wave different:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Layered social engineering:<\/strong>&nbsp;Targets are guided through multiple steps that&nbsp;feel normal in day-to-day work (review \u2192 approval \u2192 sign-in), so the \u201crisk moment\u201d gets buried inside routine actions.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Real conversation hijacking:<\/strong>&nbsp;Attackers reply inside an existing email thread, borrowing the credibility of a live discussion instead of trying to create it from scratch.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>PhaaS-like infrastructure:<\/strong>&nbsp;Behind the scenes, the flow runs on multi-layer redirect chains, anti-bot gates, and rapidly changing domains; the kind of scale and setup that increasingly mirrors phishing-as-a-service platforms.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Low-noise, high-impact execution:<\/strong>&nbsp;Fewer messages, more credibility, and a shorter window for defenders to catch it before credentials are handed over.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">How SOC Teams Can Spot and Confirm These Attacks Faster&nbsp;<\/h2>\n\n\n\n<p>Thread-hijack phishing is built to pass \u201cquick checks.\u201d The only reliable way to beat it is to run a repeatable cycle that moves from early signals \u2192 proof \u2192 context \u2192 action \u2192 prevention. 
With ANY.RUN, teams can&nbsp;validate&nbsp;suspicious activity safely, uncover full campaigns, and strengthen detections in minutes,&nbsp;instead&nbsp;of&nbsp;hours.&nbsp;<\/p>\n\n\n\n<p>Here\u2019s&nbsp;how to do it step-by-step:&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1.&nbsp;Reveal&nbsp;the True Intent Behind Suspicious Links and Files&nbsp;<\/h3>\n\n\n\n<p>Once a thread-hijack email lands in someone\u2019s inbox, the biggest mistake teams make is relying on quick checks. These attacks are built to&nbsp;look clean until the moment a real person interacts.&nbsp;That\u2019s&nbsp;why the first step is always&nbsp;<strong>safe detonation<\/strong>.&nbsp;<\/p>\n\n\n\n<p>Running the link or file in&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Enterprise-email-thread-phishing&amp;utm_term=280126&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s controlled&nbsp;environment<\/a>&nbsp;exposes the&nbsp;<em>real<\/em>&nbsp;behavior of the attack, redirects, anti-bot gates, phishing pages, injected scripts, even the steps that&nbsp;remain&nbsp;hidden from static scans. 
In most cases, the full flow becomes visible in&nbsp;<strong>under 60 seconds<\/strong>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"554\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Fake-Microsoft-login-page-1024x554.png\" alt=\"Fake Microsoft login page discovered inside ANY.RUN\" class=\"wp-image-18044\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Fake-Microsoft-login-page-1024x554.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Fake-Microsoft-login-page-300x162.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Fake-Microsoft-login-page-768x416.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Fake-Microsoft-login-page-1536x832.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Fake-Microsoft-login-page-2048x1109.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Fake-Microsoft-login-page-370x200.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Fake-Microsoft-login-page-270x146.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Fake-Microsoft-login-page-740x401.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Fake Microsoft login page discovered inside ANY.RUN\u2019s&nbsp;sandbox&nbsp;in 60 seconds<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This is where teams get their first advantage:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>94% report faster triage<\/strong>, because they are no longer guessing or waiting for confirmation.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The verdict becomes evidence-based, not subjective.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>High-pressure 
approvals stop turning into high-risk blind spots.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Revealing&nbsp;intent early reduces workload for Tier-1 and prevents escalation&nbsp;loops that quietly drain SOC time and budget.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Investigate Deeper and Connect the Attack to the Bigger Picture&nbsp;<\/h3>\n\n\n\n<p>Modern supply chain phishing rarely comes as a one-off case. 
Behind a single malicious link usually hides an active campaign, a whole infrastructure layer, and hundreds of related samples circulating across industries.&nbsp;<\/p>\n\n\n\n<p>The main advantage of&nbsp;ANY.RUN\u2019s ecosystem&nbsp;is that&nbsp;a single sample is&nbsp;never isolated.&nbsp;<br>It lives inside a massive dataset enriched by&nbsp;<strong>600,000+ analysts<\/strong>&nbsp;and telemetry from&nbsp;<strong>15,000+ organizations<\/strong>.&nbsp;<\/p>\n\n\n\n<p>This allows teams to&nbsp;immediately&nbsp;understand:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Which domains and URLs belong to the same actor&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Whether similar attacks have been active in the past days or months&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>How the infrastructure evolves&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Which TTPs define the campaign&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Whether the activity ties back to known kits (like&nbsp;EvilProxy)&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>This transforms one incident into a&nbsp;<strong>campaign-level view;<\/strong>&nbsp;crucial for prioritization, threat hunting, and strategic response planning.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"553\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-28-at-08.05.15-1024x553.png\" alt=\"TI\u00a0Lookup's\u00a0associated\u00a0sandbox\u00a0sessions\" class=\"wp-image-18046\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-28-at-08.05.15-1024x553.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-28-at-08.05.15-300x162.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-28-at-08.05.15-768x415.png 
768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-28-at-08.05.15-1536x830.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-28-at-08.05.15-2048x1107.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-28-at-08.05.15-370x200.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-28-at-08.05.15-270x146.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-28-at-08.05.15-740x400.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN\u2019s TI&nbsp;Lookup&nbsp;displaying&nbsp;associated&nbsp;sandbox&nbsp;sessions for deeper&nbsp;investigation<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p><strong>Use these&nbsp;<\/strong><a href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Enterprise-email-thread-phishing&amp;utm_term=280126&amp;utm_content=linktoregistration#register?redirect-ref=intelligence.any.run\/analysis\/lookup\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>TI&nbsp;Lookup<\/strong><\/a><strong>&nbsp;search queries to find indicators and deeper campaign insights&nbsp;related to this phishing attack:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Enterprise-email-thread-phishing&amp;utm_term=280126&amp;utm_content=linktotilookup#{%22query%22:%22domainName:%5C%22^loginmicrosoft%5C%22%22,%22dateRange%22:180}%20\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>domainName:&#8221;^loginmicrosoft&#8221;<\/strong><\/a>\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Enterprise-email-thread-phishing&amp;utm_term=280126&amp;utm_content=linktotilookup#{%22query%22:%22domainName:%5C%22bctcontractors.com$%5C%22%20OR%20domainName:%5C%22himsanam.com$%5C%22%22,%22dateRange%22:180}%20\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>domainName:&#8221;bctcontractors.com$&#8221; OR\u00a0domainName:&#8221;himsanam.com$&#8221;<\/strong><\/a>\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Enterprise-email-thread-phishing&amp;utm_term=280126&amp;utm_content=linktotilookup#{%22query%22:%22url:%5C%22\/bot\/$%5C%22%20or%20url:%5C%22\/robot\/$%5C%22%22,%22dateRange%22:60}\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>url:&#8221;\/bot\/$&#8221; or\u00a0url:&#8221;\/robot\/$&#8221;<\/strong><\/a>\u00a0<\/li>\n<\/ul>\n\n\n\n<p>This level of visibility supports business needs too:&nbsp;clear audit trails, stronger reporting for leadership, and transparent decision-making during incidents.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Stay Ahead of the Campaign with Fresh Threat Data Inside Your Existing Platform&nbsp;<\/h3>\n\n\n\n<p>Once you link the attack to a broader operation, the next step is staying ahead of it. Thread-hijack campaigns shift domains and redirect paths constantly, so teams need threat data that updates just as fast.&nbsp;<\/p>\n\n\n\n<p>Fresh indicators&nbsp;extracted from ongoing detonation sessions&nbsp;by&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Enterprise-email-thread-phishing&amp;utm_term=280126&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI&nbsp;Feeds<\/a>&nbsp;can flow directly into the tools your team already uses, SIEM, SOAR, email security, and detection pipelines.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"520\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/TI-Feeds-delivering-fresh-IOCs-1024x520.png\" alt=\"TI\u00a0Feeds\u00a0delivering fresh IOCs\" class=\"wp-image-18047\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/TI-Feeds-delivering-fresh-IOCs-1024x520.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/TI-Feeds-delivering-fresh-IOCs-300x152.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/TI-Feeds-delivering-fresh-IOCs-768x390.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/TI-Feeds-delivering-fresh-IOCs-1536x780.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/TI-Feeds-delivering-fresh-IOCs-2048x1040.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/TI-Feeds-delivering-fresh-IOCs-370x188.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/TI-Feeds-delivering-fresh-IOCs-270x137.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/TI-Feeds-delivering-fresh-IOCs-740x376.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI&nbsp;Feeds&nbsp;delivering fresh IOCs inside your existing platform<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This gives defenders the ability to:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>See redirect and infrastructure changes early&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Strengthen correlation rules with fresh, high-confidence IOCs&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Validate threat-hunting ideas with real, recent telemetry&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>This ongoing flow transforms reactive detection into&nbsp;<strong>proactive monitoring<\/strong>, allowing teams to reduce the window between attack launch and discovery.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\n<span class=\"highlight\">99%<\/span> unique threat intel for your SOC\n<br>Catch attacks early to 
<span class=\"highlight\">protect your business<\/span>\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=Enterprise-email-thread-phishing&#038;utm_term=280126&#038;utm_content=linktotifeedslanding#contact-sales\" target=\"_blank\" rel=\"noopener\">\nIntegrate TI Feeds\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Enterprise-email-thread-phishing&amp;utm_term=280126&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&nbsp;is&nbsp;a part of modern SOC workflows, easily integrating into existing processes and strengthening the entire operational cycle across Tier 1, Tier 2, and Tier 3.&nbsp;<br>It supports every stage of analysis; from exposing real behavior during detonation to enriching investigations with broader threat context and delivering continuous intelligence that helps teams move faster and 
make confident decisions.&nbsp;<\/p>\n\n\n\n<p>Today, more than 600,000 specialists and 15,000 organizations rely on ANY.RUN to accelerate triage, reduce unnecessary escalations, and stay ahead of evolving phishing and malware campaigns.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Think you can trust every email that comes from a business partner?&nbsp; Unfortunately,&nbsp;that\u2019s&nbsp;no longer guaranteed; attackers now slip into legitimate threads and send messages that&nbsp;look fully authentic.&nbsp;&nbsp; That\u2019s&nbsp;exactly what happened in a new case uncovered by&nbsp;ANY.RUN researchers; a trust takeover inside&nbsp;a real executive&nbsp;discussion about a document awaiting final approval.&nbsp;&nbsp; By detonating the suspicious message,&nbsp;the&nbsp;investigation&nbsp;exposed the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":18078,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[10,34,40],"class_list":["post-18033","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-cybersecurity","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Thread-Hijack Supply Chain Phishing: ANY.RUN Analysis of EvilProxy Campaign<\/title>\n<meta name=\"description\" content=\"Attackers hijack a supplier mailbox to phish C-suite via EvilProxy. 
See the attack chain and how SOC teams can detect similar cases faster.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/enterprise-email-thread-phishing\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-email-thread-phishing\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-email-thread-phishing\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Attackers\u00a0Are Taking\u00a0Over\u00a0Real\u00a0Email Threads\u00a0to Deliver\u00a0Phishing: New Enterprise Risk\",\"datePublished\":\"2026-01-28T12:07:27+00:00\",\"dateModified\":\"2026-01-28T12:24:13+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-email-thread-phishing\/\"},\"wordCount\":1959,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"cybersecurity\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/enterprise-email-thread-phishing\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-email-thread-phishing\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-email-thread-phishing\/\",\"name\":\"Thread-Hijack Supply Chain Phishing: ANY.RUN Analysis of EvilProxy 
Campaign\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2026-01-28T12:07:27+00:00\",\"dateModified\":\"2026-01-28T12:24:13+00:00\",\"description\":\"Attackers hijack a supplier mailbox to phish C-suite via EvilProxy. See the attack chain and how SOC teams can detect similar cases faster.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-email-thread-phishing\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/enterprise-email-thread-phishing\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-email-thread-phishing\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Attackers\u00a0Are Taking\u00a0Over\u00a0Real\u00a0Email Threads\u00a0to Deliver\u00a0Phishing: New Enterprise Risk\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Thread-Hijack Supply Chain Phishing: ANY.RUN Analysis of EvilProxy Campaign","description":"Attackers hijack a supplier mailbox to phish C-suite via EvilProxy. See the attack chain and how SOC teams can detect similar cases faster.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/enterprise-email-thread-phishing\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-email-thread-phishing\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-email-thread-phishing\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"Attackers\u00a0Are Taking\u00a0Over\u00a0Real\u00a0Email Threads\u00a0to Deliver\u00a0Phishing: New Enterprise Risk","datePublished":"2026-01-28T12:07:27+00:00","dateModified":"2026-01-28T12:24:13+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-email-thread-phishing\/"},"wordCount":1959,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["cybersecurity","malware analysis","malware behavior"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/enterprise-email-thread-phishing\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-email-thread-phishing\/","url":"https:\/\/any.run\/cybersecurity-blog\/enterprise-email-thread-phishing\/","name":"Thread-Hijack Supply Chain Phishing: ANY.RUN Analysis of EvilProxy Campaign","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2026-01-28T12:07:27+00:00","dateModified":"2026-01-28T12:24:13+00:00","description":"Attackers hijack a supplier mailbox to phish C-suite via EvilProxy. 
See the attack chain and how SOC teams can detect similar cases faster.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-email-thread-phishing\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/enterprise-email-thread-phishing\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-email-thread-phishing\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"Attackers\u00a0Are Taking\u00a0Over\u00a0Real\u00a0Email Threads\u00a0to Deliver\u00a0Phishing: New Enterprise Risk"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/18033"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=18033"}],"version-history":[{"count":30,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/18033\/revisions"}],"predecessor-version":[{"id":18093,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/18033\/revisions\/18093"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/18
078"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=18033"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=18033"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=18033"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}