Full Report
Talos has recently started to collect and gather intelligence around phone numbers within emails as an additional indicator of compromise (IOC). In this blog, we discuss new insights into in-the-wild phone number reuse in scam emails.
Analysis Summary
# Tool/Technique: Telephone-Oriented Attack Delivery (TOAD)
## Overview
TOAD is a social engineering technique where threat actors include phone numbers in scam emails to shift the communication channel from a digital medium to a real-time voice conversation. The goal is to manipulate victims into disclosing sensitive information, authorizing fraudulent transactions, or installing malicious software under the guise of customer support or billing departments.
## Technical Details
- **Type**: Technique / Social Engineering Procedure
- **Platform**: Cross-platform (Email, VoIP, PSTN)
- **Capabilities**: API-driven number provisioning, high-volume automated scam operations, brand impersonation, and reputation filter evasion.
- **First Seen**: Research period noted between February 26 and March 31, 2026.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- **[T1566 - Phishing]**
- **[T1566.004 - Phishing: Voice Phishing (Vishing)]**
- **[TA0007 - Discovery]**
- **[T1204.001 - User Execution: Malicious Link/Attachment]** (Often used in conjunction with TOAD lures)
- **[TA0011 - Command and Control]**
- **[T1205 - Communication Collaboration Support]** (Use of VoIP/UCaaS for malicious intent)
## Functionality
### Core Capabilities
- **VoIP Exploitation**: Utilizing CPaaS (Communications Platform as a Service) providers to rapidly provision numbers via APIs for cost-effective, high-volume operations.
- **Sequential Scaling**: Attackers purchase and rotate through sequential blocks of phone numbers to maintain operational continuity.
- **Cross-Brand Impersonation**: Recycling the same anchor phone numbers across disparate lures (e.g., impersonating multiple brands like Norton, PayPal, or Geek Squad simultaneously).
### Advanced Features
- **Cool-down Periods**: Strategic dormancy of phone numbers to evade reputation-based security filters.
- **Infrastructure Hibernation**: Maintaining a median phone number lifespan of 14 days to maximize utility before the number is flagged and discarded.
- **Heuristic Evasion**: Using diverse attachment formats (HEIC, PDF, JPG) and varied subject lines to bypass traditional keyword-based email scanners.
## Indicators of Compromise
- **Phone Numbers (Examples of abused ranges/providers)**:
  - High-traffic numbers often originate from providers such as **Sinch** (most common), **Twilio**, **Bandwidth**, and **RingCentral**.
- **File Names**:
  - `Invoice_[Random_ID].pdf`
  - `Order_Confirmation.heic`
- **Network Indicators (Defanged)**:
  - Phone Number Format: `+1 (XXX) XXX-XXXX` (E.164 format)
  - Common abused VoIP Tiers: `virtue[.]com`, `sinch[.]com`
- **Behavioral Indicators**:
  - Emails containing high-urgency language regarding "unauthorized charges" or "subscription renewals."
  - Presence of a phone number as the primary Call to Action (CTA) instead of a URL.
## Associated Threat Actors
- **Call Center Scammers**: Sophisticated, organized criminal groups specializing in financial fraud and tech support scams.
- **TOAD Operators**: Actors focusing on hybrid attacks that bridge email and telephony infrastructure.
## Detection Methods
- **Signature-based detection**: Tracking known malicious phone numbers as IOCs in email bodies and attachments.
- **Behavioral detection**: Using Natural Language Processing (NLP) to identify "Call-to-Action" language that directs users to phone numbers for "refunds" or "cancellations."
- **Clustering**: Grouping disparate email campaigns by shared phone numbers to identify larger-scale infrastructure.
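The three detection methods above, combined in one added example that is not part of the Talos report: it extracts phone numbers from message bodies in several display formats, normalizes them to E.164 so that `+1 (555) 010-0123` and `1-555-010-0123` collapse to one key, checks for the refund/cancellation call-to-action wording, and clusters messages by shared number to surface cross-brand reuse and number lifespan. The sample messages, brands and `555-010-xxxx` numbers are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample messages (not real campaign data): (date, impersonated brand, body).
SAMPLE_EMAILS = [
    ("2026-03-01", "Norton", "Your Norton subscription renewed for $349.99. Unauthorized charge? Call +1 (555) 010-0123 now."),
    ("2026-03-03", "PayPal", "Order confirmation #88213. To cancel, contact PayPal support at 555-010-0123 within 24 hours."),
    ("2026-03-09", "Geek Squad", "Geek Squad renewal: Invoice attached. For refund call 1-555-010-0123."),
    ("2026-03-20", "Acme Bank", "Your statement is available online at https://example.com/statements."),
    ("2026-03-22", "Norton", "Refund request received. Reach our billing desk at (555) 010-0199."),
]

# Loose North American pattern: optional +1/1 prefix, area code with optional parentheses,
# and space/dot/dash separators. It will also match 10-digit runs inside longer digit
# strings, so production code should add word boundaries or length checks.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})")
# Urgency / call-to-action wording the report lists as the behavioural indicator.
CTA_RE = re.compile(r"\b(unauthori[sz]ed charge|renew(?:al|ed)|refund|cancel)\b", re.I)

def normalize_e164(match):
    """Collapse a matched North American number into E.164 form (+1NXXNXXXXXX)."""
    return "+1" + "".join(match.groups())

def extract_numbers(body):
    """Return the set of E.164 numbers found in a message body."""
    return {normalize_e164(m) for m in PHONE_RE.finditer(body)}

def cluster_by_number(emails):
    """Group messages by shared phone number and summarise each cluster."""
    clusters = defaultdict(lambda: {"brands": set(), "dates": [], "cta_hits": 0})
    for date, brand, body in emails:
        for number in extract_numbers(body):
            c = clusters[number]
            c["brands"].add(brand)
            c["dates"].append(datetime.strptime(date, "%Y-%m-%d"))
            c["cta_hits"] += 1 if CTA_RE.search(body) else 0
    summary = {}
    for number, c in clusters.items():
        summary[number] = {
            "brands": sorted(c["brands"]),
            "messages": len(c["dates"]),
            "lifespan_days": (max(c["dates"]) - min(c["dates"])).days,  # first seen -> last seen
            "cta_hits": c["cta_hits"],
            # One number anchoring lures for several brands, with CTA wording, is the TOAD pattern.
            "suspicious": len(c["brands"]) > 1 and c["cta_hits"] > 0,
        }
    return summary

if __name__ == "__main__":
    for number, stats in cluster_by_number(SAMPLE_EMAILS).items():
        print(number, stats)
```

Feeding the normalized numbers into a first-seen/last-seen table is what makes the cool-down and 14-day lifespan behaviour described above observable in your own telemetry.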
## Mitigation Strategies
- **Prevention measures**: Implement email security solutions that perform OCR (Optical Character Recognition) on attachments to extract and analyze phone numbers.
- **Hardening recommendations**:
  - User awareness training focusing on the "TOAD" tactic.
  - Organization-wide blocking of high-risk VoIP provider ranges if not required for business operations.
- **Reputation Monitoring**: Continuous monitoring of phone number reputations across global databases.
## Related Tools/Techniques
- **Vishing**: The voice-only component of the attack.
- **Smishing**: SMS-based phishing that often uses the same VoIP infrastructure.
- **BEC (Business Email Compromise)**: Often overlaps with TOAD when attackers use voice verification to "confirm" fraudulent wire transfers.