Why ‘Call This Number’ TOAD Emails Beat Gateways
Summary
Punchy take: Attackers are using a neat, low-cost trick — telephone‑oriented attack delivery (TOAD) — where the email contains only a phone number and a plausible business reason to call. Those messages routinely sail past secure email gateways because the payload is indistinguishable from legitimate contact details.
Key Points
- StrongestLayer analysed ~5,000 detections that bypassed secure email gateways between Dec 2025 and Feb 2026.
- TOAD (telephone‑oriented attack delivery) made up nearly 28% of gateway‑bypassing detections in that dataset.
- TOAD emails typically mimic billing or vendor notifications with a phone number as the only action — no malicious link or attachment.
- Attackers chain multiple evasion techniques (average >4 per detection); researchers found 1,400+ unique evasion combinations — a 130% increase.
- Platform differences: QR codes and certain payloads fared better against Microsoft mail without E3/E5 protections; Google Workspace was more susceptible to spoofed trusted‑source notifications.
- Defence advice: use improved detection models (reasoning/behavioural models), raise service tier where needed, and train staff to never authorise payments or sensitive actions via an unsolicited phone call or QR scan.
Content Summary
Researchers at StrongestLayer highlight that TOAD is effective because conventional email security expects malicious content to be a link, attachment, or executable. A phone number as the only payload looks like normal business correspondence and therefore evades rules that would otherwise block financial language or contact details.
Attackers combine TOAD with other tactics — sending messages via trusted services (Google Calendar, SharePoint), embedding QR codes that lead to off‑gateway channels, and designing multi‑stage social engineering that finishes over the phone or SMS. Those layered approaches defeat different detection capabilities at each step, increasing campaign success.
Alan Lefort of StrongestLayer recommends defenders map their detection coverage to the attack family taxonomy in the report, consider upgrading protection tiers if on basic plans, and enforce clear employee rules: finance will not accept phone‑authorised payments, do not call or scan unless independently verified, and verify suspicious requests through known contacts.
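As an added illustration (not code from StrongestLayer or the article), the following Python triage heuristic scores messages on the traits described above: a phone number present, no link or attachment for a gateway to inspect, billing language, and an explicit call or scan request. The sample messages, regexes, indicator names and threshold are constructed for this example.

```python
import re

# Constructed sample messages (not from the StrongestLayer report); the
# attachment count stands in for what a MIME parser would report.
SAMPLES = [
    {"subject": "Invoice INV-2291 payment due",
     "body": "Your annual subscription renewal of $489.00 was processed. "
             "To dispute or cancel, call our billing desk at 1-800-555-0199 "
             "within 24 hours.",
     "attachments": 0},
    {"subject": "Team lunch Friday",
     "body": "Meet at noon, map: https://example.com/map. Questions? Ping me on chat.",
     "attachments": 0},
    {"subject": "Invoice 1042 attached",
     "body": "Please find the invoice attached. Pay through the portal at "
             "https://billing.example.com. Support line: (555) 010-2200.",
     "attachments": 1},
]

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://|\bwww\.", re.I)
FINANCE_RE = re.compile(r"\b(invoice|payment|subscription|renew|charg|refund|billing)")
ACTION_RE = re.compile(r"\b(call|phone|contact|reach us|scan)\b")

def toad_reasons(msg):
    """Return the list of TOAD indicators present in one message."""
    text = (msg["subject"] + " " + msg["body"]).lower()
    phones = PHONE_RE.findall(msg["body"])
    has_url = bool(URL_RE.search(msg["body"]))
    reasons = []
    if phones:
        reasons.append("phone_number_present")
        # The defining TOAD trait: the phone number is the only way to act,
        # because there is no link and no attachment for a gateway to inspect.
        if not has_url and msg["attachments"] == 0:
            reasons.append("phone_is_only_action")
    if FINANCE_RE.search(text):
        reasons.append("billing_language")
    if ACTION_RE.search(text):
        reasons.append("call_to_action")
    return reasons

def classify(msg, threshold=3):
    """Label a message 'suspect_toad' when enough indicators co-occur."""
    reasons = toad_reasons(msg)
    label = "suspect_toad" if len(reasons) >= threshold else "ok"
    return label, reasons
```

The score is a triage signal for routing to review or banner-tagging, not a block verdict: a colleague writing "call me about the invoice" with no link trips the same indicators, so pair it with the employee rules above.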
Why should I read this?
Look — this isn’t your usual dodgy link. These TOAD messages are tiny, cheap and sneak past gateways because they look normal. If you manage email defences or train staff, reading this will save you time and (probably) a painful incident later. It’s short, practical and directly relevant to stopping a rising phishing trick that plays outside the usual detection box.
