On the last day of May, one of my inboxes began receiving emails, purportedly from one of the owners of the yoga studio I visit. It concerned a message I sent in January through the studio's website that had been resolved the following day in an email sent by the co-owner. Now, here she was, four months later, emailing me again.
"Listed below the documents we chatted regarding last week," the email author wrote. "Contact me if you've got any queries about the attached files." There was a password-protected zip file attached. Below the body of the message was the response the co-owner sent me in January. These emails started coming once or twice daily for the next couple of weeks, each from a different address. The files and passwords were often changed, but the basic format, including the January email thread, remained consistent.
With the help of researchers at security firm Proofpoint, I now know that the emails are the work of a crime group they call TA578. TA578 is what's known in the security industry as an initial access broker. That means it compromises end-user devices en masse in an opportunistic fashion, spamming as many addresses as possible with malicious files. The gang then sells access to the machines it compromises to other threat actors for use in ransomware, cryptojacking, and other types of campaigns.
What’s thread hijacking?
Somehow, group members got ahold of the message I sent to my yoga studio. The simplest explanation would be the studio owner's computer or email account was compromised, but there are other possibilities. With possession of my email address and the authentic email the owner had sent me in January, TA578 now had the raw materials to ply its trade.
"Messages in this campaign appear to be replies to previous, benign email threads," Proofpoint wrote in an email responding to questions. "This technique is referred to as thread hijacking. Threat actors use this technique to make the recipient believe they are interacting with a person they trust so they are less likely to be suspicious about downloading or opening attachments they might be sent as part of the conversation. Threat actors commonly steal these benign messages through prior malware infections or account compromises."
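One defender-side heuristic for the pattern described above, as an added Python example that is not part of the original article or of Proofpoint's tooling: it flags a reply whose sender never took part in the benign thread it references and which carries a password-protected ZIP. The thread record, the addresses, the Message-IDs and the lure message are all constructed for illustration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed record of one benign thread: Message-ID -> its legitimate participants.
KNOWN_THREADS = {"<jan-reply-001@studio.example>": {"owner@studio.example", "me@example.net"}}

def encrypted_zip_attached(msg) -> bool:
    """True if any attached ZIP contains an entry with the encryption flag (bit 0) set."""
    for part in msg.iter_attachments():
        if not part.get_filename("").lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                if any(info.flag_bits & 0x1 for info in zf.infolist()):
                    return True
        except zipfile.BadZipFile:
            continue
    return False

def thread_hijack_indicators(raw: bytes) -> list[str]:
    """Indicators found in one raw RFC 5322 message; an empty list means none."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    refs = set(str(msg.get("References", "")).split()) | {str(msg.get("In-Reply-To", ""))}
    outsiders = [r for r in refs if r in KNOWN_THREADS and sender not in KNOWN_THREADS[r]]
    hits = [f"reply to known thread {r} from outsider {sender}" for r in sorted(outsiders)]
    if encrypted_zip_attached(msg):
        hits.append("password-protected zip attachment")
    return hits

def sample_message(sender: str) -> bytes:
    """Constructed lure: a reply to the January thread with a 'protected' ZIP. The archive
    is a plain ZIP whose encryption flag bit is patched on; no real encryption is involved."""
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        zf.writestr("documents.doc", b"constructed lure content")
    data = bytearray(buf.getvalue())
    data[data.find(b"PK\x03\x04") + 6] |= 1  # flag word in the local file header
    data[data.find(b"PK\x01\x02") + 8] |= 1  # flag word in the central directory
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "me@example.net", "Re: Contact form"
    m["In-Reply-To"] = "<jan-reply-001@studio.example>"
    m.set_content("Listed below the documents we chatted regarding last week.")
    m.add_attachment(bytes(data), maintype="application", subtype="zip", filename="docs.zip")
    return m.as_bytes()
```

Run against a real mail flow, the thread record would come from the organisation's own sent and received mail rather than a hard-coded dictionary.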