Email Thread Hijacking

Lipshitz

I am interested in ways to hijack a pre-existing email thread and add my attachment to a trusted conversation. I see many examples of people using this technique in the wild but can't find information on the forums (at least in English). If anybody can help with some reading material, in any language, I would appreciate it very much.
 
Please note that this user is banned
The magic is to send an email to your victim from exactly the same email as the receiver has, but with a typo. The typo must be earlier in the alphabet than the original letter. If the receiver has the email "mark@supercargo.com" you will send an email from "mark@superacrgo.com".
This makes most email clients put your fake email first in the list when the victim types it in the "To" field.
That's all)
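
For defenders, a lookalike sender of the kind described in the post above can be flagged at the mail gateway by comparing inbound sender domains with the domains of known correspondents. The following is an added example, not part of the original post; the function names, the distance threshold and the sample data (apart from the two addresses quoted in the post) are assumptions.

```python
def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Adjacent transposition, e.g. "ca" -> "ac", counts as one edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def domain_of(address):
    """Lower-cased domain part of an address such as 'Mark <mark@x.com>'."""
    return address.rsplit("@", 1)[-1].strip(" >").lower()


def imitated_domain(sender, known_domains, max_dist=2):
    """Return the known domain a sender's domain imitates, or None."""
    dom = domain_of(sender)
    if dom in known_domains or not known_domains:
        return None  # exact match (a real correspondent) or nothing to compare
    dist, closest = min((osa_distance(dom, k), k) for k in known_domains)
    return closest if dist <= max_dist else None


def scan(senders, known_domains):
    """Map each suspicious sender to the known domain it resembles."""
    hits = {}
    for s in senders:
        target = imitated_domain(s, known_domains)
        if target:
            hits[s] = target
    return hits


# Constructed sample data: domains the organisation already corresponds with,
# and senders of inbound mail (the first two addresses are quoted in the post).
KNOWN = {"supercargo.com", "example.org"}
INBOUND = ["mark@supercargo.com", "mark@superacrgo.com",
           "Ann <ann@examp1e.org>", "bob@unrelated.net"]

if __name__ == "__main__":
    for sender, target in scan(INBOUND, KNOWN).items():
        print(f"ALERT {sender} resembles known domain {target}")
```

Short domains produce false positives at a distance of 2, so the threshold (an assumed default here) should scale with domain length, and hits are best used to tag or quarantine mail and to keep the address out of autocomplete caches.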
 
Aels said:
The magic is to send an email to your victim from exactly the same email as the receiver has, but with a typo. The typo must be earlier in the alphabet than the original letter. If the receiver has the email "mark@supercargo.com" you will send an email from "mark@superacrgo.com".
This makes most email clients put your fake email first in the list when the victim types it in the "To" field.
That's all)

Nice trick!
Thank you!
 
Nice trick above!

I actually use thread hijacking a lot, but I first get access to the victim's email with phishing, then start learning about how they communicate and what documents they exchange to see which will be more effective to deploy the first-stage payload.

I have been using OneNote attached files recently, or HTML smuggling, with success. Sometimes I don't attach any file, but just send a link in the hijacked thread leading to further compromise.

Assuming you are targeting a corp network and want to deploy a payload, etc.

The best way to learn this and other techniques is 'reverse engineering' from others. You can read a lot of reports/research papers from cybersecurity companies about campaigns and implement something similar yourself. I recommend reading mostly about APTs.
Last edited: 30.03.2023
 
Lipshitz said:
I should clarify. I see some guys that spam en masse from compromised boxes by hijacking a pre-existing conversation.
Here is an article explaining more: https://www.hornetsecurity.com/en/security-information/email-conversation-thread-hijacking/
I think they are using a script or maybe certain botnets have this option, but it's super cool and I want to learn.

From the article: "An email thread hijacking attack begins when a first victim is compromised. Next, their emails and often email login credentials are stolen. The attackers will then reply to the victim’s emails with their malicious messages."

Like Emotet, mostly in the past with Office macros, you infect the first machine, deploy the main payload, etc., and search for the email list in Outlook, for example.
From there you reply to email threads in the victim's logged-in email with a default subject and the malicious Office attachment.

The same logic applies with any payload or phishing: first machine > search for future targets > hijacked threads (trusted sender, higher rate of clicking) > send > repeat.

Edited: Basically everything I said was already in the article, which I now see:

"The module steals emails and login credentials from victims and sends them to Emotet’s C2 servers, which distribute them to the systems of other victims infected with Emotet’s spam module, where they are used in attacks against new victims."

The article you posted already has the answer.
Last edited: 01.04.2023