
RE: Christopher: How a Thread Hijack Rode Salesforce Marketing Cloud Into the Inbox

ID: 3f6e9a83-e5fd-5167-993c-9ec80190bb7c

STIX ID: report--3f6e9a83-e5fd-5167-993c-9ec80190bb7c

Feed Name: IRONSCALES

Threat Score: 70/100

Date Published: 2026-04-27

Date Updated: 2026-04-28

Author: Audian Paxson


**Executive Summary:** This report details a high-severity phishing thread hijack that abused Salesforce Marketing Cloud and Pardot infrastructure to send a convincing "RE: Christopher" reply from the domain stackpilotit.com (registered 2025-06-13). The message passed SPF, DKIM and DMARC and used the platform's bounce and unsubscribe links to appear legitimate. Microsoft marked it SCL 5, while Themis quarantined it before any user interaction. The write-up includes MITRE ATT&CK mappings and discrete IOCs for defenders to block or monitor.
