AI Meets Voice Phishing: How ATHR Automates the Full TOAD Attack Chain

A cybercrime platform called ATHR uses AI vishing agents, credential harvesting panels, and built-in phishing mailers to execute and scale TOAD attacks.

Aaron Orchard, Callie Baron, Piotr Wojtyla

April 16, 2026

Telephone-oriented attack delivery (TOAD) remains an especially effective way to get past email security controls.

Instead of embedding malicious links or attachments, attackers send benign-looking emails with nothing more than a phone number. When the target calls, an operator talks them through installing remote access software or handing over credentials.

Because the email itself carries few traditional technical indicators of compromise, legacy defenses struggle to catch it. Running these operations at scale has typically meant stitching together separate infrastructure for telephony, phishing panels, and email delivery, which limits who can pull it off.

A platform called ATHR changes that. Sold on cybercrime networks for $4,000 plus 10% of profits, it consolidates the entire TOAD kill chain into a single product. In this blog post, we explore how each component maps to a stage in the attack flow.

How a TOAD Attack Operates Using ATHR

A typical TOAD attack follows a predictable sequence: deliver a lure, receive a callback, socially engineer the target, and harvest credentials or install remote access. ATHR handles every stage after the lure lands.

However, ATHR goes beyond the callback; it also shapes the lure itself. The platform ships with a built-in mailer and brand-specific email templates designed to pass casual inspection and, in many cases, technical authentication checks. The lure is typically a fake security alert or account notification—something urgent enough to prompt a phone call but generic enough to avoid triggering content-based filters.

When a target calls the number embedded in a phishing email, ATHR's telephony layer routes the call to either a human operator or an AI agent. The system runs on Asterisk with WebRTC browser-based calling, meaning operators handle everything through the browser, with no additional software or dedicated hardware required. Because it runs on the same underlying technology used by legitimate call centers, the experience on the target's end is designed to feel familiar and professional.

ATHR Live Dashboard showing real-time call monitoring

The live dashboard shows the operation in real time. At the time of capture, it displayed 243 total interactions, 12 active sessions, and 87% campaign utilization.

AI Agents That Conduct the Social Engineering Call

ATHR's most problematic capability is its AI vishing agent system. Each agent follows a structured, multi-step script that walks the target through a fabricated security scenario: verifying the callback, describing suspicious account activity, confirming an unrecognized phone number, initiating a fake recovery process, and ultimately extracting a six-digit verification code. The full script visible in the platform contains 10 sections, seven of which are shown in the screenshot below.

AI agent script builder with system prompt, FAQ, and step-by-step goals

This is what separates ATHR from earlier callback infrastructure. Previous platforms required trained human callers. ATHR automates the entire interaction, allowing a single operator to run campaigns across multiple brands simultaneously without scaling headcount.

Live Credential Harvesting During the Call

While the voice interaction is underway, ATHR's phishing panels capture credentials in real time. The platform ships with pre-built credential harvesting panels for eight brands: Coinbase, Binance, Gemini, Crypto.com, Google, Microsoft, Yahoo, and AOL.

Active Customers panel showing 12 live phishing sessions

Operators see each target as a live session tagged by brand, the page they are on, their IP address, and last activity. They can redirect targets to specific panel pages mid-call, synchronizing the phishing flow with the conversation.

Drilling into a session shows captured form submissions with timestamps. Email addresses and passwords are logged within seconds of each other.

Captured credentials from a live session

Built-In Lure Delivery

ATHR also addresses the upstream side of the kill chain. The tools section includes a notification from address (NFA) mailer—a tool that spoofs the "from" field, making emails appear to originate from trusted platform notifications. It ships with pre-configured sender profiles for Coinbase Support, Gemini Support, Binance Support, and a custom sender option.

Each pre-configured profile pairs a display name with a from-address that mirrors what the target would expect from a legitimate notification (e.g., "Coinbase Support <support@coinbase[.]com>"). For targets who don't inspect headers closely, the email appears to come directly from the brand. The custom sender option extends this further, letting operators build new profiles for brands not included in the default set. This means the platform's phishing lure capabilities are not limited to the eight brands supported by the credential harvesting panels—an operator could craft a convincing lure email for virtually any organization.

NFA Mailer with Google account lockout notification template and email preview

The template system adds another layer of specificity. The visible template is a Google account lockout email with 10 configurable fields. The preview renders a Google-branded "Security Alert: Account Temporarily Locked" notification that mimics a legitimate email almost perfectly.

Those fields—including lock time, unlock time, failed attempts, last attempt location, IP address, and recovery email—let the operator tailor each message to a specific target, making the lure appear contextually relevant. A recipient who sees their approximate location, a recent timestamp, and a plausible IP address is far more likely to believe the alert is real and call the number provided. The per-target variation also makes each lure harder to detect through pattern-matching alone.

The Operator Experience

For human-operated calls, the agent workspace provides a three-column layout: call controls on the left, a central workspace with tabs for call notes, AI assistant, panel control, quick actions, and integrated mailers, and a call queue on the right.

An operator can send a lure email, receive the callback, control the target's phishing panel, and manage the voice call without switching tools. Since the voice system runs on Asterisk WebRTC, everything operates through the browser.

ATHR Agent Workspace with integrated mailer, panel controls, and call handling

Beyond operational efficiency, that consolidated workspace has implications for email security. The integration of email delivery into the same interface as call handling and panel control creates a feedback loop. An operator who sees a low callback rate can adjust the lure template, change the sender profile, or refine the personalization fields, and then immediately observe whether the next batch of emails generates more calls.

Settings showing the ATHR TTS engine and system configuration

This iterative capability means that the email content is not static; it evolves within a campaign based on real-time results, making it harder to build static detection rules around any single template or sender pattern.

Every call is logged with full metadata, including timing, campaign ID, and agent assignment, with tabs for transcript, timeline, and recording. The settings panel reveals a custom-branded text-to-speech engine (ATHR TTS, model: Sonic 3) powering the AI agents.

What Makes ATHR Significant

Previous TOAD operations not only involved significant manual effort but also required threat actors to stitch together separate tools for each stage of the attack: one system to send lure emails, another to handle calls, and a separate phishing panel to harvest credentials. Each component had to be sourced, configured, and managed independently, which limited TOAD attacks to operators with the technical skill and infrastructure to coordinate them.

ATHR consolidates all of that into a single platform. The built-in NFA mailer generates brand-accurate lure emails with per-target customization. The telephony layer routes callbacks to AI agents that follow scripted social engineering flows without human involvement. The credential harvesting panels capture data in real time, synchronized with the voice interaction. And the unified operator workspace ties everything together, allowing a single person to manage the full attack chain from a browser.

The shift from a fragmented, manually intensive operation to a productized, largely automated one means TOAD attacks no longer require large teams or specialized infrastructure. As platforms like ATHR emerge on cybercrime networks, these attacks are likely to become more frequent and more difficult to distinguish from legitimate communications.

Defending Against ATHR-Powered TOAD Attacks

TOAD attacks present a fundamentally different detection challenge than link-based or attachment-based phishing. The lure email contains a phone number, not a malicious URL. There are no payloads to detonate and no suspicious domains to blocklist. And because these lures often pass SPF, DKIM, and DMARC—particularly when attackers abuse legitimate platform notifications for delivery—most traditional email security controls have little reliable signal to work with.

ATHR's built-in mailer compounds this problem. The platform doesn't just make it easy to send lure emails; it makes it easy to send lure emails that are structurally indistinguishable from real ones. The pre-configured sender profiles, brand-accurate templates, and per-target field customization mean that the resulting messages authenticate correctly, carry no known-bad indicators, and look like the real account notifications the target regularly receives. For a secure email gateway evaluating the message on technical signals alone, there is little to flag.

Detecting these campaigns requires looking beyond email content to the behavioral patterns underneath: how a sender typically communicates with a given recipient, whether the brand–recipient pairing is unusual, and whether similar phone-number lures are arriving across the organization in a short window.

By modeling normal communication behavior across an organization, behavioral AI-powered detection can flag anomalies before a target even places a call.
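The cross-recipient and brand-pairing signals described above can be sketched over a mail log. This is an added example, not code from the original post or from any vendor's detection engine; the message fields (`time`, `rcpt`, `brand`, `body`), the `history` set, and the thresholds are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# NANP-style numbers only (assumption); extend for other numbering plans.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
URL_RE = re.compile(r"https?://|www\.", re.I)

def callback_numbers(body):
    """Normalized phone numbers from a body with no links (the TOAD lure shape)."""
    if URL_RE.search(body):
        return set()
    return {re.sub(r"\D", "", m.group())[-10:] for m in PHONE_RE.finditer(body)}

def flag_toad_bursts(messages, history, window=timedelta(hours=1), min_rcpts=3):
    """Flag numbers sent to >= min_rcpts distinct recipients inside `window`.
    `history` holds (brand, recipient) pairs seen before; unseen pairs are counted."""
    seen = defaultdict(list)  # phone -> [(time, recipient, pair_is_new)]
    for m in messages:
        new = (m["brand"], m["rcpt"]) not in history
        for phone in callback_numbers(m["body"]):
            seen[phone].append((m["time"], m["rcpt"], new))
    flagged = {}
    for phone, events in seen.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            rcpts = {r for _, r, _ in burst}
            if len(rcpts) >= min_rcpts:
                new_pairs = len({r for _, r, n in burst if n})
                flagged[phone] = {"recipients": sorted(rcpts), "new_pairs": new_pairs}
                break
    return flagged

# Constructed sample mail log (reserved 555-01xx numbers, example.com recipients).
T0 = datetime(2026, 4, 16, 9, 0)
SAMPLE = [
    {"time": T0, "rcpt": "a@example.com", "brand": "Coinbase Support", "body": "Your account is locked. Call +1 (202) 555-0143 to restore access."},
    {"time": T0 + timedelta(minutes=10), "rcpt": "b@example.com", "brand": "Gemini Support", "body": "Unrecognized sign-in from 203.0.113.7. Call 202-555-0143 now."},
    {"time": T0 + timedelta(minutes=25), "rcpt": "c@example.com", "brand": "Coinbase Support", "body": "Account temporarily locked. Support line: 202.555.0143"},
    {"time": T0 + timedelta(minutes=30), "rcpt": "d@example.com", "brand": "Vendor", "body": "Invoice ready at https://example.com/inv or call 202-555-0199."},
    {"time": T0 + timedelta(hours=5), "rcpt": "e@example.com", "brand": "Helpdesk", "body": "Call 202-555-0177 about your ticket."},
]
HISTORY = {("Coinbase Support", "c@example.com")}
```

On the sample log, `flag_toad_bursts(SAMPLE, HISTORY)` flags only the number shared by three recipients under two different brand names, two of whom have no prior history with the claimed brand.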

For additional insight into the attack landscape and analyses of other dark web tools, visit Abnormal Intelligence, our threat intelligence data and research hub.
