While avoiding dubious links and malicious attachments is a major topic of discussion when it comes to phishing, there is an increasingly popular attack method in which the email payload is just a phone number. Additionally, defenses are failing to stop these emails.

An analysis of about 5,000 email-based threat detections that evaded secure email gateways in various enterprise environments between December 2025 and the present was released today by researchers from email security vendor StrongestLayer. Many of the attack techniques found were standard phishing and social engineering fare, with differing success rates against Microsoft- and Google-hosted email platforms: PDF attachments, QR codes that deliver a payload, requests to pivot to a phone call, URL multi-hop redirects, and so forth.

However, telephone-oriented attack delivery (TOAD), which accounted for nearly 28% of all gateway-bypassing detections in the research, was the vendor's primary focus for this most recent study.

Lefort explains that a third of the attacks in the report were "structurally invisible," which is why he supports reasoning models that can detect the subtle signatures and patterns left by TOAD emails (StrongestLayer, along with other vendors like Abnormal AI, is part of the AI-powered email protection market). Lefort advises defenders to compare detection coverage to the report's attack family taxonomy.

If an organization is using a more basic service plan, they might want to think about switching to a different tier that offers more robust detections for their needs.

Regarding employee training, he highlights the recurring abuse trends in bad sender ecosystems. By telling staff members that they will never be asked to call a phone number to handle an invoice, that phone payments will only be accepted through finance, and that they should not scan QR codes in PDFs, an organization can take a step in the right direction against phishing attempts.
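As an added illustration (not code from StrongestLayer's report or any vendor), the sketch below turns the "never call a number to handle an invoice" rule into a mail-triage heuristic: it flags a message whose text carries a phone number, billing language and a callback request but no link. The regular expressions, keyword lists and both sample messages are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.message import Message

# Assumed patterns for this example; tune them to local number formats and languages.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
URL_RE = re.compile(r"https?://|www\.", re.I)
BILLING_RE = re.compile(r"\b(invoice|payment|charged|refund|subscription|renewal)\b", re.I)
CALLBACK_RE = re.compile(r"\b(call|phone|dial|contact)\b", re.I)

def body_text(msg: Message) -> str:
    """Concatenate inline text/plain parts; attachments (PDFs, images) are not inspected."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def toad_traits(raw: str) -> dict:
    """Extract the traits of a phone-number-only lure from a raw RFC 5322 message."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    return {
        "phone_numbers": [m.group().strip() for m in PHONE_RE.finditer(text)],
        "has_url": bool(URL_RE.search(text)),
        "billing_language": bool(BILLING_RE.search(text)),
        "callback_request": bool(CALLBACK_RE.search(text)),
    }

def is_toad_candidate(raw: str) -> bool:
    """True when the only actionable element is a phone number tied to a billing pretext."""
    t = toad_traits(raw)
    return (bool(t["phone_numbers"]) and not t["has_url"]
            and t["billing_language"] and t["callback_request"])

# Constructed sample messages (reserved 555-01xx number, example.* domains).
TOAD_SAMPLE = """\
From: Billing <billing@example.net>
To: ap@example.com
Subject: Invoice 4471 payment confirmation

Your subscription renewal of $349.99 has been charged.
If you did not authorize this, call +1 (888) 555-0142 to cancel.
"""
LINK_SAMPLE = """\
From: Vendor <ar@example.org>
To: ap@example.com
Subject: Invoice 4472

View your invoice at https://billing.example.org/inv/4472
"""

if __name__ == "__main__":
    for name, raw in (("toad", TOAD_SAMPLE), ("link", LINK_SAMPLE)):
        print(name, is_toad_candidate(raw), toad_traits(raw))
```

A hit is a reason to route the message for review or banner it, not a verdict: legitimate vendors also print phone numbers on billing notices, and lures that hide the number inside an image or PDF are outside what this text-only check sees.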