UrsaClimb Logo

Why 'Call This Number' TOAD Emails Beat Gateways

Dark Reading
by Alexander Culafi
February 25, 2026
AI-Generated Deep Dive Summary
In recent years, a growing threat known as Telephone-Oriented Attack Delivery (TOAD) has emerged, allowing attackers to bypass email gateways by using phone numbers as the sole payload in phishing emails. These attacks are particularly effective because they exploit the simplicity of a phone number, which is indistinguishable from legitimate business communication and often slips through traditional email security measures. According to research by StrongestLayer, TOAD accounted for nearly 28% of all gateway-bypassing detections in their analysis of over 5,000 threat incidents between December 2025 and the present. TOAD attacks typically involve sending emails that mimic legitimate billing notifications from trusted brands like PayPal or financial institutions. These emails include a phone number as the only means to address a supposed issue, such as a fraudulent charge. When recipients call the number, scammers then attempt to extract sensitive information, gain remote access to devices, or persuade victims to make purchases using gift cards. The lack of malicious attachments or traditional payloads makes these attacks difficult to detect for email gateways designed to identify and block known threats like malicious links or files. The effectiveness of TOAD lies in its simplicity and ability to combine multiple evasion techniques. Attackers often use a multilayered approach, such as leveraging Google Calendar or SharePoint to bypass reputation-based filtering, employing QR codes that don’t trigger traditional threat detection, or redirecting targets to phone calls or SMS messages outside the email gateway’s monitoring scope. This combination of tactics makes it challenging for email security systems to identify and block these threats. The study highlights the significant variations in how different platforms handle TOAD attacks. For example, QR codes were more successful at breaching Microsoft email environments without advanced protections, while Google Workspace faced greater challenges with spoofed notifications impersonating trusted sources. Despite these
Verticals
securitytech
Originally published on Dark Reading on 2/25/2026