Executive Summary
In early 2025, cybercriminals escalated the use of Telephone-Oriented Attack Delivery (TOAD) techniques to bypass traditional email security measures. These attacks involve sending emails that appear to be from legitimate services, such as Microsoft Entra, Zoom, or Hulu+, containing fake invoices or alerts with a phone number for recipients to call. Upon calling, victims are connected to fraudulent call centers where they are manipulated into downloading remote access software, granting attackers control over their systems. This method effectively circumvents email filters by excluding malicious links or attachments, relying instead on social engineering tactics to exploit human trust. (cybernews.com)
The prevalence of TOAD attacks underscores a significant shift in phishing strategies, emphasizing the need for organizations to enhance their security awareness training and adopt multi-layered defense mechanisms. As these attacks exploit trusted communication channels and human psychology, traditional technical defenses alone are insufficient, highlighting the urgency for comprehensive security approaches that address both technological and human factors. (phishcloud.com)
Why This Matters Now
The rise of TOAD attacks represents a critical evolution in phishing tactics, exploiting trusted communication channels and human psychology to bypass traditional security measures. Organizations must urgently enhance their security awareness training and adopt multi-layered defense mechanisms to effectively counter these sophisticated social engineering threats.
Attack Path Analysis
The attack began with a phishing email containing a fake invoice and a phone number, leading the victim to call a fraudulent support line. The attacker, posing as support, convinced the victim to download remote access software, granting unauthorized access. With access, the attacker escalated privileges to gain control over critical systems. They moved laterally across the network to identify and access sensitive data. The attacker established a command and control channel to exfiltrate data and maintain persistence. Finally, the attacker exfiltrated sensitive data, leading to potential financial loss and reputational damage.
Kill Chain Progression
Initial Compromise
Description
The attacker sent a phishing email with a fake invoice and a phone number, prompting the victim to call a fraudulent support line.
MITRE ATT&CK® Techniques
Spearphishing Attachment
Application Layer Protocol: Web Protocols
User Execution: Malicious File
Command and Scripting Interpreter: Windows Command Shell
Valid Accounts
Brute Force: Password Guessing
Account Discovery: Local Account
Impair Defenses: Disable or Modify Tools
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security Awareness Training
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Training and Monitoring
Control ID: 500.14
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – User Training and Awareness
Control ID: 2.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
TOAD social engineering attacks bypass email security, exploiting phone-based trust mechanisms to compromise financial institutions' zero trust segmentation and encrypted traffic protections.
Health Care / Life Sciences
Telephone-oriented attack delivery circumvents healthcare email gateways, threatening HIPAA compliance and patient data through social engineering that evades traditional security controls.
Insurance
Social engineering via phone numbers defeats email security, exposing insurance organizations to data exfiltration and regulatory violations despite multicloud visibility investments.
Financial Services
TOAD attacks exploit human trust factors to bypass gateway protections, threatening financial data integrity and compliance frameworks through voice-based social engineering.
Sources
- Why 'Call This Number' TOAD Emails Beat Gatewayshttps://www.darkreading.com/threat-intelligence/why-call-this-number-toad-emails-beat-gatewaysVerified
- TOAD phishing campaign targets Microsoft Entrahttps://cybernews.com/security/new-toad-phishing-campaign-targets-microsoft-entra-invitees-with-fake-invoices/Verified
- TOAD Attacks Continue to Hop Alonghttps://cybercc.org/toad-attacks-continue-to-hop-along/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's lateral movement and data exfiltration, thereby reducing the overall impact.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent initial phishing attempts, it could limit the attacker's ability to exploit compromised credentials within the cloud environment.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could likely limit the attacker's ability to escalate privileges by enforcing strict access controls and segmenting workloads.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could likely constrain the attacker's lateral movement by monitoring and controlling internal traffic flows.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could likely detect and disrupt command and control channels by providing comprehensive monitoring across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could likely limit data exfiltration by controlling and monitoring outbound traffic.
While Aviatrix CNSF may not eliminate all risks, it could significantly reduce the attacker's ability to access and exfiltrate sensitive data, thereby mitigating potential financial and reputational damage.
Impact at a Glance
Affected Business Functions
- Customer Support
- Financial Transactions
- IT Helpdesk
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of customer payment information and internal financial records.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to limit lateral movement and enforce least privilege access.
- • Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- • Utilize Threat Detection & Anomaly Response to identify and respond to unusual activities indicative of compromise.
- • Enforce Multi-Factor Authentication (MFA) to strengthen access controls and prevent unauthorized access.
- • Conduct regular security awareness training to educate employees on recognizing and reporting phishing attempts.
