TOAD Emails: The 'Call This Number' Gateway Bypass Threat
Understanding Telephone-Oriented Attack Delivery (TOAD)
Cybersecurity threats continually evolve to circumvent established defenses. A notable tactic gaining traction is Telephone-Oriented Attack Delivery (TOAD), specifically leveraging "call this number" emails to bypass sophisticated email security gateways. This method, covered by Dark Reading, presents a significant challenge because it circumvents automated detection mechanisms by delivering a seemingly innocuous payload: a phone number.
TOAD emails represent a shift from traditional phishing attacks that rely on malicious links or attachments. Instead, the primary objective of these emails is to induce the recipient to make a phone call, thereby initiating a direct, live interaction with an attacker. This strategy exploits the limitations of email gateway technologies, which are typically designed to scan for known malicious URLs, file hashes, and specific content patterns indicative of phishing or malware distribution. A simple phone number, devoid of executable code or direct web links, often evades these automated filters.
Technical Analysis and Attack Methodology
The efficacy of TOAD lies in its simplicity and reliance on human psychology. The emails themselves are often minimalistic, containing a message urging the recipient to call a specific number for an urgent matter. Common pretexts include:
- Fake support alerts: Impersonating tech support from a well-known company (e.g., Microsoft, Apple) regarding a security breach or software issue.
- Bogus financial notifications: Alerts about unusual activity on a bank account, an overdue payment, or a failed transaction.
- Fraudulent delivery notices: Messages about an unfulfilled package delivery requiring immediate action.
- Subscription renewal scams: Warnings about an expiring service with an urgent need to renew by calling a number.
Once a target calls the provided number, they are connected directly to an attacker. This live interaction allows the attacker to employ sophisticated social engineering techniques, adapting their script based on the victim’s responses and emotional state. Unlike a static phishing page, a live conversation enables dynamic manipulation, often leading to:
- Credential harvesting: Convincing the victim to divulge login credentials over the phone or by directing them to a legitimate-looking but attacker-controlled login page while on the call.
- Installation of remote access software: Guiding victims to install legitimate remote desktop applications (e.g., AnyDesk, TeamViewer) under the guise of troubleshooting, thereby gaining full control over their systems.
- Financial fraud: Persuading victims to make wire transfers, purchase gift cards, or provide credit card details.
The minimal content of TOAD emails makes them particularly difficult for email gateways to flag. The absence of traditional malicious indicators means that reputation-based filtering, URL scanning, and attachment analysis are largely ineffective. Content analysis can be configured to detect phone numbers, but a phone number on its own is far too common (email signatures, invoices, vendor notices) to serve as an indicator; it becomes one only in combination with other signals, such as urgency language, a "call" instruction pointing at the number, an external or lookalike sender, and the absence of any other link or attachment. Rules that fire on the number alone generate so many false positives that security teams cannot deploy them broadly without significant operational overhead.
Actionable Recommendations and Mitigations
Defending against TOAD attacks requires a multi-layered approach that combines technological controls with robust security awareness training.
Enhance Email Gateway Configuration
- Advanced Content Analysis: Review gateway configurations for rules that can identify specific patterns of phone numbers, especially in conjunction with urgent or alarming keywords. Consider implementing rules that flag emails containing only a phone number and minimal text from unknown senders.
- Sender Authentication: Ensure DMARC, SPF, and DKIM are fully implemented and monitored to prevent spoofing of your own and your vendors' domains. Note the limit of this control: it addresses identity rather than content, and TOAD emails are typically sent from freshly registered or free webmail domains that pass all three checks, so treat a passing authentication result as one input to a verdict, not as the verdict.
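The following Python sketch is an added example, not code from the original article or from Dark Reading: it scores a parsed message on the combined signals described above (phone number present, a "call" verb immediately before it, no link or attachment in a short body, urgency wording, external sender, a brand named in the display name or subject that the sending domain does not carry) and returns a verdict a gateway rule could act on. The internal domain, the brand list, the regexes, the weights, the thresholds and the three sample messages are all constructed assumptions to be tuned locally.

```python
import re
from dataclasses import dataclass

# Assumptions for this example: the organisation's own domain and the brands
# most often invoked in TOAD pretexts. Tune both lists locally.
INTERNAL_DOMAINS = {"example.com"}
IMPERSONATED_BRANDS = {"microsoft", "apple", "paypal", "norton", "mcafee", "geek squad", "amazon"}

# NANP-style numbers with common separators and an optional country code,
# e.g. 1-800-555-0199, (212) 555-0123, +1 212 555 0123. Extend for other regions.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
URL_RE = re.compile(r"https?://|www\.", re.I)
CALL_VERB_RE = re.compile(r"\b(call|dial|phone|ring|reach us|contact us)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(urgent(?:ly)?|immediately|within 24 hours|suspended|unauthori[sz]ed|"
    r"auto[- ]?renew(?:al|ed)?|charged|refund|expir(?:e|es|ed|ing)|failed)\b", re.I)
MIN_WORDS = 120  # a body shorter than this offers little beyond the number itself


@dataclass
class Message:
    sender: str          # From address
    display_name: str    # From display name
    subject: str
    body: str
    has_attachment: bool = False


def score_toad(msg: Message) -> tuple[int, list[str], str]:
    """Return (score, reasons, verdict) for one message; weights are assumptions."""
    text = f"{msg.subject}\n{msg.body}"
    reasons, score = [], 0
    domain = msg.sender.rsplit("@", 1)[-1].lower()

    phones = list(PHONE_RE.finditer(text))
    if phones:
        score += 1; reasons.append("phone number present")
        # A "call ..." verb within 50 characters before a number: the number is the lure.
        if any(CALL_VERB_RE.search(text[max(0, m.start() - 50):m.start()]) for m in phones):
            score += 2; reasons.append("call-to-action points at the number")
        # No link, no attachment, little text: the number is the only action offered.
        if not URL_RE.search(text) and not msg.has_attachment and len(msg.body.split()) < MIN_WORDS:
            score += 3; reasons.append("number is the only call to action in a minimal body")
    if URGENCY_RE.search(text):
        score += 1; reasons.append("urgency language")
    if domain not in INTERNAL_DOMAINS:
        score += 1; reasons.append(f"external sender {domain}")
    # A brand named in the display name or subject while the sending domain does not carry it.
    named = f"{msg.display_name} {msg.subject}".lower()
    for brand in IMPERSONATED_BRANDS:
        if brand in named and brand.replace(" ", "") not in domain:
            score += 2; reasons.append(f"display name/subject invokes {brand!r} from {domain}")
            break
    verdict = "quarantine" if score >= 7 else "tag" if score >= 4 else "deliver"
    return score, reasons, verdict


# Constructed sample messages (not real mail). Numbers use the fictional 555-01XX range.
TOAD_RENEWAL = Message(
    sender="billing-desk@mail-notify-9921.com", display_name="Norton LifeLock Billing",
    subject="Your annual subscription has been renewed - $349.99",
    body="Your Norton 360 subscription was auto-renewed for $349.99. If you did not "
         "authorize this charge, call 1-800-555-0199 immediately to cancel and receive "
         "a refund. Ref: NTN-4482-QX")
INTERNAL_NOTICE = Message(
    sender="facilities@example.com", display_name="Facilities Team",
    subject="Parking garage closure this weekend",
    body="The north garage will be closed Saturday for maintenance. Details and the "
         "alternate parking map are at https://intranet.example.com/facilities. "
         "Questions: call the front desk at (212) 555-0123 during business hours.")
BANK_NO_NUMBER = Message(
    sender="alerts@examplebank.com", display_name="Example Bank",
    subject="Unusual sign-in activity",
    body="We noticed a sign-in from a new device. If this was not you, call the "
         "number on the back of your card immediately.")

if __name__ == "__main__":
    for m in (TOAD_RENEWAL, INTERNAL_NOTICE, BANK_NO_NUMBER):
        score, reasons, verdict = score_toad(m)
        print(f"{verdict:10} {score:2}  {m.subject!r}\n    " + "; ".join(reasons))
```

The point of the weighting is that a phone number with a "call" verb in front of it scores 3 on its own, which is deliberately below the tagging threshold: the internal facilities notice, which has exactly that, is delivered untouched, while the renewal lure is quarantined because the number is the only action in a short body, the wording is urgent, the sender is external and the display name invokes a brand the domain does not match. The bank alert shows the inverse: urgency from an external sender with no number to call stays below the threshold.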
Prioritize User Education
- Social Engineering Awareness: Conduct regular training sessions specifically highlighting TOAD attacks, tech support scams, and the dangers of calling unsolicited numbers from suspicious emails. Emphasize that legitimate organizations rarely demand that a recipient call a number from an unsolicited email to avoid a charge, a suspension, or a missed delivery.
- Verify Communications: Educate users to verify the authenticity of urgent requests by contacting organizations through official, known channels (e.g., official website phone numbers, customer support portals), never by calling numbers provided in a suspicious email.
- Report Suspicious Activity: Establish clear internal procedures for reporting suspicious emails and phone calls, ensuring these reports are swiftly investigated.
Implement Organizational Policies
- Clear Communication Protocols: Publish internal guidelines on how IT support, finance, and other departments communicate with employees regarding urgent matters. For instance, state clearly that IT will never ask an employee to call a number taken from an email and then install remote access software during that call.
- Restrict Software Installation: Implement policies and technical controls to prevent unauthorized software installations, particularly remote access tools, without administrative approval.