TOAD Attacks: Why Phone-Oriented Phishing Evades Email Gateways and What to Do About It
TOAD attacks use clean emails to trick victims into calling attackers. Learn how they evade detection and what defenses can stop them across channels.
May 12, 2026
A fake invoice lands in an employee's inbox. There are no malicious links, no suspicious attachments, and no obvious technical indicators of compromise. Just a phone number to call about an unexpected charge. The employee dials, speaks with a polished operator, and follows instructions that hand an attacker persistent access to the corporate network.
This is a TOAD attack. It has become a serious enterprise threat because it shifts manipulation from the inbox to the phone.
Key Takeaways
TOAD attacks use clean emails as lures: The email contains no malicious links or attachments, only a phone number, which means traditional email gateways often have little to scan or flag.
The victim initiates the call: Unlike standard vishing, the target dials the attacker's number believing it is a legitimate business, which shifts the psychological dynamic and can lower the victim's defenses.
AI is scaling both sides of the attack: Voice cloning, LLM-generated lure text, and underground call center services are making TOAD campaigns easier to produce, personalize, and harder for employees to recognize.
Layered defense across channels is essential: Effective TOAD mitigation combines email-layer behavioral detection, endpoint monitoring for unauthorized remote access tools, SIEM correlation, and operational callback verification policies.
What Are TOAD Attacks?
Telephone-oriented attack delivery (TOAD) is a social engineering attack class that uses a phone call as the primary manipulation channel, with initial contact delivered via email, SMS, or messaging platform.
The defining structural feature separates TOAD from traditional vishing. In a standard vishing attack, the attacker initiates the call and the victim may be on guard. In a TOAD attack, the victim initiates the call in response to a lure, believing they are contacting a legitimate business. This design changes the psychological dynamic and can make defensive identification more difficult.
TOAD and business email compromise (BEC) share a similar detection problem: both can use emails with no malicious payload. In many BEC cases, the attack remains in the email channel. In TOAD, the attacker moves the interaction to the telephone, which complicates detection and verification workflows.
How TOAD Attacks Work
TOAD attacks follow a multi-phase sequence designed to reduce detection opportunities and exploit human trust during the phone interaction.
Reconnaissance and Lure Delivery
TOAD campaigns begin by making the lure look routine enough to earn a callback.
Attackers begin with targeted reconnaissance, gathering information from breach data to personalize lures with genuine organizational context.
The email lure itself is deliberately constructed to be technically clean. It contains financial transaction language, urgency signals such as a same-day charge, and a phone number as the sole actionable element.
Attackers also use legitimate platforms to send lures that carry valid authentication records. PDF lures have emerged as a common format, containing no executable content and instead presenting only a phone number with urgent brand impersonation language designed to persuade victims to call adversary-controlled numbers.
The Phone Call, Payload Delivery, and Post-Exploitation
The phone call is where the attacker turns a clean lure into access, theft, or extortion.
When the victim calls, they may reach a scripted call center operation with hold music, spoofed caller IDs, and operators impersonating customer service, IT helpdesk, or bank support staff. The urgency established in the email carries into the call, and the operator guides the victim toward a specific action on their workstation.
Post-call outcomes vary by threat actor. Common paths include:
Installation of legitimate remote monitoring and management (RMM) tools, which can establish persistent access.
Redirection to spoofed login pages for credential theft.
Guidance to download malware like BazaLoader.
Manual data exfiltration during a screen-share session.
Once access is established, exfiltration can occur during the call or later. An FBI advisory documented that Silent Ransom Group (a cyber threat actor) follows data theft with ransom emails and follow-up calls pressuring negotiations, using exfiltration and extortion without encrypting victim data.
Why TOAD Attacks Evade Email Gateways
TOAD attacks often evade email gateways because the lure offers little technical evidence, while the harmful interaction happens on the phone.
No Scannable Artifacts
Email gateways often struggle with TOAD lures because the usual detection artifacts may be missing.
Secure email gateway (SEG) architecture is built to scan for malicious URLs, detonate suspicious attachments, match known malware signatures, and cross-reference indicators of compromise. When those elements are absent, the scanning pipeline may produce little useful signal.
Phone numbers are not treated like URLs, malware hashes, or common network indicators. Even if a specific phone number were identified and shared through threat intelligence, attackers can rotate to a new VoIP number quickly. Legitimate invoices and vendor communications also commonly include phone numbers and financial language, which makes simple blocking rules difficult to tune without creating false positives.
When attackers expect body-text scanning, they may move callback numbers into images or PDF attachments where they remain easy for a person to read but harder for automated analysis to interpret.
Channel Shift and Authentication Bypass
Once the victim places the call, the core social engineering activity moves beyond what email security tools are designed to observe.
After the victim dials out, the operational part of the attack takes place in a voice interaction. The email served as the lure, and the operator drives the outcome through conversation and guided actions on the victim's device.
Authentication controls also provide only limited help in these scenarios. When TOAD emails are sent through legitimate services, they can pass SPF, DKIM, and DMARC validation. Attackers also increasingly use compromised accounts with established sender reputations, which weakens reputation-based detection.
How AI Is Accelerating TOAD Attacks
AI is making TOAD attacks easier to produce, personalize, and scale across both email and voice stages.
Voice cloning now requires only a short sample of audio from publicly available sources to replicate a target's voice with enough fidelity for real-time calls. On the email side, LLMs address many of the failure points that once made phishing easier to spot, including grammatical errors, formatting anomalies, tonal inconsistencies, and generic pretexting.
Underground tools also lower the barrier for would-be attackers. Call services support TOAD operations, offering voice-changing software, VoIP services, and caller ID spoofing tools. This combination of AI-assisted writing, voice manipulation, and outsourced call infrastructure can make TOAD campaigns easier to launch and harder for employees to recognize.
Real-World TOAD Campaigns
Real-world TOAD campaigns show a progression from malware delivery toward lower-friction extortion and direct operator-led access.
From BazarCall to Malware-Free Extortion
Early callback phishing campaigns proved the model, and newer ones showed that attackers could often skip malware altogether.
BazarCall, active from early 2021, established that a live call center could function as a malware delivery mechanism and could operate at scale. Victims received fake subscription emails, called to cancel, and were guided to download files containing BazaLoader, which ultimately led to Cobalt Strike deployment and Ryuk ransomware.
Luna Moth, also tracked as Silent Ransom Group, CHATTY SPIDER, and Storm-0252, represents a major evolution. This group removed malware from the attack chain, using legitimate RMM tools to interact directly with victim computers and manually exfiltrate data.
The group initially targeted small and mid-size legal firms, then larger targets across retail, healthcare, financial services, and insurance. The FBI confirmed that Silent Ransom Group operatives had evolved to call individuals directly while posing as internal IT staff, in some cases removing the need for the original email lure.
How to Detect and Mitigate TOAD Attacks
Effective TOAD defense requires coordinated controls across email, endpoints, identity, and operational processes.
Shift Email Detection From Artifacts to Behavioral Signals
TOAD email detection improves when teams look beyond payload artifacts and focus on message patterns that suggest a callback lure.
Because TOAD emails may carry no malicious artifacts, detection should expand from payload analysis to include behavioral and linguistic analysis. Useful signals include financial urgency language combined with a phone number as the sole call to action, mismatches between sender domain and claimed brand identity, and the absence of a URL.
Security teams should also evaluate whether their email platform performs phone number scanning in message bodies and scanning of images and PDF attachments, since those capabilities may not be enabled by default.
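The behavioral signals listed above (financial urgency language, a phone number as the sole call to action with no URL, and a mismatch between the brand named in the message and the sender's domain) can be scored without any payload artifact. The following Python scorer is an added example, not Abnormal's detection logic or any product's API; the brand-to-domain table, the urgency term list, the scoring weights and the two sample messages (one callback lure, one ordinary vendor invoice) are all constructed for illustration.

```python
"""Behavioral scoring of callback-phishing (TOAD) email lures.

Added example; not Abnormal's detection logic or any product's API. It
scores a message on the signals the post lists: financial urgency
language, a phone number as the only call to action (no URL), and a
mismatch between the brand named in the text and the sender's domain.
The brand table, term list and sample messages are constructed.
"""
import re
from dataclasses import dataclass, field

# Hypothetical brand-to-domain table; a deployment would load this from
# an internal vendor directory rather than hard-code it.
KNOWN_BRAND_DOMAINS = {
    "geek squad": {"bestbuy.com"},
    "paypal": {"paypal.com"},
    "norton": {"norton.com"},
}

URGENCY_TERMS = ("charged", "invoice", "renewal", "within 24 hours", "today",
                 "auto-renew", "cancel", "refund", "subscription")

# North American formats: (800) 555-0199, 800-555-0199, 1.800.555.0199, +1 800 555 0199
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
SENDER_DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)")


@dataclass
class LureScore:
    score: int = 0
    reasons: list = field(default_factory=list)
    phone_numbers: list = field(default_factory=list)


def normalize_phone(raw: str) -> str:
    """Collapse a written number to E.164-style digits so variants of one
    callback number compare equal (and can be shared as an indicator)."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:          # assume NANP when no country code is written
        digits = "1" + digits
    return "+" + digits


def _domain_matches(sender_domain: str, allowed: set) -> bool:
    return any(sender_domain == d or sender_domain.endswith("." + d) for d in allowed)


def score_lure(sender: str, subject: str, body: str) -> LureScore:
    text = f"{subject}\n{body}".lower()
    result = LureScore()
    result.phone_numbers = sorted({normalize_phone(m) for m in PHONE_RE.findall(body)})
    has_url = URL_RE.search(body) is not None

    # Signal 1: a phone number is the sole actionable element.
    if result.phone_numbers and not has_url:
        result.score += 3
        result.reasons.append("phone number is the only call to action (no URL)")

    # Signal 2: financial urgency language, capped so the term list cannot dominate.
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        result.score += min(len(hits), 3)
        result.reasons.append("urgency terms: " + ", ".join(hits))

    # Signal 3: the text names a brand whose real domain does not match the sender.
    m = SENDER_DOMAIN_RE.search(sender)
    sender_domain = m.group(1).lower() if m else ""
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in text and not _domain_matches(sender_domain, domains):
            result.score += 3
            result.reasons.append(f"claims '{brand}' but sent from {sender_domain or 'unknown'}")
    return result


def is_probable_toad_lure(result: LureScore, threshold: int = 6) -> bool:
    return result.score >= threshold


# Constructed sample messages: one callback lure and one ordinary vendor invoice.
SAMPLES = {
    "callback_lure": dict(
        sender="Billing <billing@mail-secure-notify.example>",
        subject="Geek Squad renewal confirmation",
        body=("Your Geek Squad Total Tech subscription has been auto-renewed and "
              "your card was charged $399.99 today. If you did not authorize this "
              "charge, call our billing desk at (800) 555-0199 within 24 hours to "
              "cancel and request a refund."),
    ),
    "vendor_invoice": dict(
        sender="Accounts Receivable <ar@acme-supplies.example>",
        subject="Invoice 4471 for April services",
        body=("Hello, invoice 4471 for April services is attached. You can view or "
              "pay it at https://portal.acme-supplies.example/invoices/4471 or reach "
              "our accounts team at (212) 555-0100."),
    ),
}


def score_samples() -> dict:
    return {name: score_lure(**msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, res in score_samples().items():
        print(f"{name}: score={res.score} lure={is_probable_toad_lure(res)} "
              f"phones={res.phone_numbers} reasons={res.reasons}")
```

The scorer only sees message text, which is exactly the gap the post describes: a callback number placed in an image or a PDF attachment is invisible to it until the platform extracts that text first (OCR or PDF text extraction) and feeds it through the same rules. The normalized number can be added to an internal indicator list, but because attackers rotate VoIP numbers quickly, the structural signals (no URL, urgency, brand and sender mismatch) carry more weight than the number itself.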
Deploy Cross-Channel SIEM Correlation
Cross-channel correlation can help connect a suspicious email lure to the endpoint or identity activity that follows the callback.
The central detection gap is that the malicious action occurs on a different channel than the lure. Closing this gap can require SIEM correlation rules that link suspicious email receipt to post-call endpoint anomalies, such as receipt of an email containing a phone number as the primary call to action followed by software installation, remote access grants, or credential submission to an unfamiliar domain.
This correlation logic generally needs to be built and tested deliberately rather than assumed to exist by default across separate tools.
Enforce Operational Policies for Remote Access and Callbacks
Operational controls can interrupt TOAD campaigns when a live caller asks for access, credentials, or software changes.
Organizations can maintain an approved list of RMM tools, block unapproved installations through application allowlisting, and establish a policy that the IT helpdesk initiates remote sessions through corporate-managed tooling only. Any unapproved RMM installation should trigger an immediate endpoint alert.
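The cross-channel correlation rule described under SIEM correlation above, combined with the approved-RMM-list check from the paragraph just above, as an added Python example (not Abnormal's code and not any SIEM's rule language): any installation of a known RMM tool that is not on the approved list raises an endpoint alert on its own, and when the same user received a phone-number-only lure shortly beforehand, that install, a remote-session grant, or a credential submission to an unfamiliar domain is escalated with the lure attached. The approved and known tool lists, the corporate login domains, the four-hour window and the event log are all constructed assumptions.

```python
"""Cross-channel correlation for TOAD callbacks.

Added example; not Abnormal's code or any SIEM product's rule syntax.
It implements the two checks the post describes: (1) any install of a
known RMM tool that is not on the approved list raises an endpoint
alert by itself, and (2) if the same user received a phone-number-only
lure inside the correlation window, an RMM install, a remote-session
grant, or a credential submission to an unfamiliar domain is escalated
to high severity with the lure event attached. All lists, domains, the
window and the sample event log are constructed for illustration.
"""
from datetime import datetime, timedelta

APPROVED_RMM = {"connectwise control"}                   # hypothetical corporate standard
KNOWN_RMM = APPROVED_RMM | {"anydesk", "teamviewer", "screenconnect", "atera"}
CORPORATE_LOGIN_DOMAINS = {"sso.example-corp.example"}  # hypothetical corporate SSO host
CORRELATION_WINDOW = timedelta(hours=4)                  # assumed lure-to-action window


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def _is_risky(ev: dict):
    """Return (rule, base_severity) for post-call events worth correlating, else None."""
    t = ev.get("type")
    if t == "process_install" and ev["name"].lower() in KNOWN_RMM:
        if ev["name"].lower() in APPROVED_RMM:
            return None                                  # helpdesk-sanctioned tooling
        return ("unapproved_rmm_install", "medium")      # alerts even without a lure
    if t == "remote_session_grant":
        return ("remote_session_grant", "low")
    if t == "credential_submit" and ev["domain"] not in CORPORATE_LOGIN_DOMAINS:
        return ("credential_submit_unfamiliar_domain", "low")
    return None


def correlate(events: list, window: timedelta = CORRELATION_WINDOW) -> list:
    """Walk events in time order, remembering callback lures per user and
    escalating later endpoint/identity events that fall inside the window."""
    events = sorted(events, key=lambda e: _ts(e["ts"]))
    lures = {}                                           # user -> lure emails seen so far
    alerts = []
    for ev in events:
        if ev["source"] == "email":
            if ev.get("phone_only_cta"):
                lures.setdefault(ev["user"], []).append(ev)
            continue
        hit = _is_risky(ev)
        if hit is None:
            continue
        rule, severity = hit
        lure = next((lu for lu in reversed(lures.get(ev["user"], []))
                     if timedelta(0) <= _ts(ev["ts"]) - _ts(lu["ts"]) <= window), None)
        if lure is not None:
            severity = "high"
            rule = "toad_callback_" + rule
        elif severity == "low":
            continue   # session grants and logins alone are too noisy to alert on
        alerts.append({"user": ev["user"], "rule": rule, "severity": severity,
                       "event_ts": ev["ts"], "lure_ts": lure["ts"] if lure else None})
    return alerts


# Constructed event log: email-layer lure flags plus endpoint/identity telemetry.
EVENTS = [
    {"ts": "2026-05-12T09:02:00", "source": "email", "user": "alice",
     "phone_only_cta": True, "subject": "Your renewal: $349.99 charged"},
    {"ts": "2026-05-12T09:41:00", "source": "endpoint", "user": "alice",
     "type": "process_install", "name": "AnyDesk"},
    {"ts": "2026-05-12T09:45:00", "source": "identity", "user": "alice",
     "type": "credential_submit", "domain": "secure-login-verify.example"},
    {"ts": "2026-05-12T10:05:00", "source": "endpoint", "user": "bob",
     "type": "process_install", "name": "AnyDesk"},
    {"ts": "2026-05-12T10:30:00", "source": "endpoint", "user": "carol",
     "type": "process_install", "name": "ConnectWise Control"},
    {"ts": "2026-05-12T08:00:00", "source": "email", "user": "dave",
     "phone_only_cta": True, "subject": "Invoice 88213 past due"},
    {"ts": "2026-05-12T14:30:00", "source": "endpoint", "user": "dave",
     "type": "remote_session_grant", "name": "AnyDesk"},
]


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Against the constructed log, alice's AnyDesk install and her login to an unfamiliar domain both escalate to high because the lure arrived 40 minutes earlier; bob's AnyDesk install alerts at medium with no lure attached, carol's approved tool produces nothing, and dave's session grant is dropped because his lure is six and a half hours old (widening the window to eight hours surfaces it). The window and the per-user keying are the two parameters a team has to tune deliberately, which is the point the post makes: this logic does not exist by default across separate email, endpoint and identity tools.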
A formal callback verification policy can also reduce risk. No sensitive action, including credential resets, wire fraud, remote access grants, or software installations, should be authorized solely on the basis of an inbound phone call. Such requests should be verified through an independent channel using contact information from official internal directories.
Policy should also establish that caller ID is not a reliable authentication mechanism, as VoIP spoofing is widely available.
Strengthen Human and Identity Defenses
Training and identity controls help reduce the chance that a convincing callback lure turns into account compromise.
Training programs heavily focused on email phishing can leave employees with the impression that attackers only use email. TOAD-specific training should cover several points:
Emails with no links or attachments can still be attack vehicles.
Financial urgency claims received by email should be verified using a number from an official company source.
Urgency combined with fear is a manipulation tactic.
Callback simulation exercises, where employees receive a simulated urgent invoice and security teams monitor whether they call, can provide baseline data.
Credential theft is a primary TOAD outcome. Deploying MFA controls using FIDO2 keys reduces the value of stolen credentials. Conditional access policies assessing device trust, location, and login behavior can further limit blast radius. Least-privilege access principles and network segmentation can also constrain lateral movement when a TOAD attack successfully harvests valid credentials.
Building Layered TOAD Defenses Across the Attack Chain
TOAD defense is strongest when organizations treat the inbox as one control point in a broader cross-channel security strategy.
TOAD attacks exploit the gap between email security and voice communication, and between technical controls and human judgment. Organizations can improve resilience with:
Behavioral detection at the email layer to catch lures that carry little technical evidence.
Endpoint monitoring to flag unauthorized RMM installations.
SIEM correlation to connect email events to post-call actions.
Organizational policies that interrupt the social engineering chain before credentials or access are surrendered.
Email remains a primary control point. Platforms like Abnormal, recognized as a Leader in the Gartner® Magic Quadrant™, are designed to help detect TOAD email lures by analyzing behavioral signals rather than relying only on artifacts these attacks often omit.