While much of the conversation surrounding phishing concerns not clicking a suspicious link or downloading a malicious attachment, there’s an attack technique gaining prominence in which the email payload consists of nothing but a phone number. And these emails are getting past defenses.
Researchers from email security vendor StrongestLayer today published an analysis of roughly 5,000 email-based threat detections that bypassed secure email gateways across multiple enterprise environments between December 2025 and the time of publication.
Many of the attack tactics identified were typical phishing and social engineering fare — PDF attachments, a QR code to deliver a payload, requests to pivot to a phone call, URL multi-hop redirects, and so on — with varying success rates against Microsoft- and Google-hosted email platforms.
But much of the vendor’s focus for this latest research was on telephone-oriented attack delivery (TOAD), which accounted for nearly 28% of all gateway-bypassing detections in the research.
TOAD: Simplicity’s the Point
It’s a deceptively simple attack in which the target receives a fake billing notification impersonating an entity like PayPal, claiming a charge has been processed while including a phone number as the only way to address the charge. There’s no malicious attachment. Once the target calls, a scammer attempts to coax the victim into offering up credentials, allowing remote access into a device, or buying suspicious gift cards for equally shady transactions.
“TOAD bypasses every email security architecture because the payload — a phone number — is indistinguishable from a legitimate business contact,” researchers said. “A rule blocking financial language combined with a phone number would fire on every billing notification in the enterprise. This is a category of attack that operates outside the detection model email security was designed for. And it is the single largest category in this dataset.”
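To make the researchers' point concrete, here is an added illustration (not StrongestLayer's detection logic, and not code from the report) of why the naive "financial language plus a phone number" rule is unusable, and how layering a few cheap signals separates a callback-only notice from a genuine receipt. The sample messages, the brand-to-domain mapping, and the signal names are all constructed assumptions for the example.

```python
import re

# Constructed sample messages for illustration (not taken from the report).
SAMPLES = {
    "legit_receipt": {
        "from": "service@paypal.com", "attachments": [],
        "body": "Your PayPal payment of $24.00 to Example Store was completed. "
                "View details: https://www.paypal.com/activity "
                "Questions? Call +1 (800) 555-0142.",
    },
    "toad_notice": {
        "from": "billing-desk@mail-notify-center.example", "attachments": [],
        "body": "Your PayPal account was charged $479.99 for an antivirus renewal. "
                "If you did not authorize this charge, call +1 (800) 555-0177 "
                "within 24 hours to cancel.",
    },
}

FINANCE = re.compile(r"\b(invoice|charged?|payment|billing|renewal|subscription)\b", re.I)
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL = re.compile(r"https?://\S+", re.I)
URGENCY = re.compile(r"\b(within 24 hours|immediately|right away)\b", re.I)
# Brands an attacker may invoke, mapped to the sending domain assumed to belong to them.
BRAND_DOMAINS = {"paypal": "paypal.com", "docusign": "docusign.com"}


def naive_rule(msg):
    """The rule the researchers warn against: financial wording plus a phone number."""
    return bool(FINANCE.search(msg["body"]) and PHONE.search(msg["body"]))


def toad_signals(msg):
    """Layered heuristics: a real receipt may trip one of these, rarely several."""
    body = msg["body"]
    if not naive_rule(msg):
        return []
    signals = []
    # 1. The phone number is the only channel offered: no link and no attachment.
    if not URL.search(body) and not msg.get("attachments"):
        signals.append("phone_only_channel")
    # 2. A brand is named in the body but the sender domain is not that brand's.
    dom = msg["from"].rsplit("@", 1)[-1].lower()
    for brand, owned in BRAND_DOMAINS.items():
        if brand in body.lower() and dom != owned and not dom.endswith("." + owned):
            signals.append("brand_mismatch:" + brand)
    # 3. Time pressure pushing the target to call before verifying out of band.
    if URGENCY.search(body):
        signals.append("urgency")
    return signals
```

The naive rule fires on both messages, which is the false-positive problem the quote describes; the layered check returns no signals for the receipt and three for the callback notice.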
This is doubly tricky because the average detection used more than four attack techniques simultaneously. There were also over 1,400 unique evasion combinations tracked, marking a 130% increase over the previous study period.
Between platforms, gateway blocking rates varied. QR codes broke into Microsoft email environments without E3/E5 protections more often than in Google environments, while Google Workspace fared worse on average when it came to notifications that spoofed legitimate, trusted sources. TOAD, StrongestLayer said, worked well against both Google- and Microsoft-hosted email.
This plays into the high prevalence of evasion tactic combinations, as it benefits attackers to tailor campaigns based on which platform an employee is using. Researchers said the most sophisticated attacks use a multilayered approach; each layer defeats a different detection capability.
The attacker may send the email through Google Calendar or SharePoint to bypass reputation-based filtering, use a QR code-based payload that doesn’t manifest as a traditional malicious binary, and/or beckon the target to use a phone call or SMS to move across channels, where the gateway cannot monitor it.
To Catch a TOAD
Alan Lefort, CEO and co-founder of StrongestLayer, tells Dark Reading that TOAD attacks get even trickier when one considers a law firm with 5,000 seats that is more or less a “Docusign factory,” the most common brand threat actors impersonated.
TOAD attacks have few markers that separate them from authentic emails, and a law firm can’t risk blocking legitimate Docusign emails, so the conventional email rules a business might rely on would likely prove ineffective.
That compounds the collapse in what it costs a threat actor to scale phishing campaigns. Lefort said an APT-level targeted reconnaissance and phishing email might have cost $15 to $20 five years ago, yet in the era of ChatGPT now costs only a few cents at most.
A third of the attacks seen in the report were “structurally invisible,” he explains, which is why Lefort advocates for reasoning models that can pick up on the small signatures and trends left by TOAD emails (StrongestLayer is part of the AI-powered email protection market alongside other vendors like Abnormal AI).
For defenders, Lefort recommends looking at detection coverage against the attack family taxonomy detailed in the report. An organization on a more basic service plan may want to consider another tier that includes stronger detections for that organization’s needs.
On the employee training side, he points to the consistent patterns of abuse in bad sender ecosystems. An organization can make a dent in phishing campaigns by communicating to employees that it will never ask them to call a phone number to handle an invoice, that payments over the phone will not be authorized unless they go through finance, and that they should not scan QR codes in PDFs. Additionally, the org can provide guidance on how to verify a request before responding to a potentially malicious email.
