It showed up on a Tuesday afternoon in early March. The subject line was a meaningless alphanumeric string: "LAE7818." No greeting, no explanation, no links. The email body contained nothing but a cryptic reference to an AWS IP address. The only thing that mattered was the attachment: a file called 4248114.jpeg that, as it turned out, wasn't a JPEG at all.
The recipient worked at a mid-sized professional services firm. Their email was printed directly on the fake invoice inside the attachment, next to a fabricated Geek Squad subscription renewal for $159.99. Everything about the message was designed to bypass automated defenses and push the target toward one specific action: picking up the phone.
The invoice itself was polished. It referenced a "Subscription ID: GK85248524799," listed "Visa Card" as the payment method, and set a renewal date that aligned with the message timestamp. The recipient's corporate email address was embedded in the image, a personalization tactic that makes the document feel legitimate. Below the charge summary, a single instruction: "If you did not authorize this purchase, please contact our support agent immediately." Then the phone number.
This is callback phishing, sometimes called Telephone-Oriented Attack Delivery (TOAD). The approach is deliberately link-free. URL scanners, link reputation engines, sandbox detonation tools: none of them have anything to analyze. The FBI IC3 2024 Annual Report documented callback phishing as one of the fastest-growing social engineering categories, precisely because it sidesteps the detection mechanisms that security teams have spent years building.
The attacker chose Geek Squad specifically. Tech support brands carry a unique psychological weight. The recipient doesn't have to believe they actually subscribed. They just need to feel uncertain enough to call and "clarify." That uncertainty is the entire weapon.
Here's where the technical craft gets interesting. The attachment was named 4248114.jpeg and arrived with a MIME type of image/jpeg. Most email gateways and content filters would see those signals, confirm "it's an image," and move on.
But binary analysis told a different story. The file's magic bytes (the first few bytes that identify a file's true format) revealed it was actually a PNG, specifically an RGBA-format PNG at 1024x1123 pixels. The file hash (c210146a0cfa86d61a75f07a779e2631) confirms this mismatch. This is MITRE ATT&CK T1036.008 (Masquerade File Type) in practice: deliberately mismatching the file extension and declared type to confuse automated inspection.
Why does this matter? Some content inspection engines make decisions based on file extension alone. If the filter expects a JPEG, it may apply JPEG-specific parsing. A PNG disguised as a JPEG could slip through because the parser fails silently rather than flagging the mismatch. It's a small trick, but in the volume game of phishing, small tricks at scale produce real results.
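The check described above, as an added example that is not part of the original report or of any vendor's product: it sniffs an attachment's real format from its magic bytes, compares that against what the filename extension and the declared MIME type claim, and, for a PNG, decodes the IHDR chunk to recover the dimensions and colour type. The sample bytes are constructed here (a PNG signature plus an IHDR header, not a complete image); the filename and MIME type are the ones from the message above.

```python
import struct
from typing import Optional

# Magic-byte signatures for common attachment formats (prefix -> format name).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
]

# What a filter would infer from the extension or the declared Content-Type alone.
EXT_TO_FORMAT = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif",
                 "pdf": "pdf", "zip": "zip"}
MIME_TO_FORMAT = {"image/jpeg": "jpeg", "image/png": "png", "image/gif": "gif",
                  "application/pdf": "pdf", "application/zip": "zip"}

PNG_COLOR_TYPES = {0: "grayscale", 2: "rgb", 3: "palette", 4: "grayscale+alpha", 6: "rgba"}


def sniff_format(data: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    for prefix, name in MAGIC:
        if data.startswith(prefix):
            return name
    return "unknown"


def png_header(data: bytes) -> Optional[dict]:
    """Decode the IHDR chunk: 8-byte signature, 4-byte length, b'IHDR', 13-byte payload."""
    if sniff_format(data) != "png" or len(data) < 33 or data[12:16] != b"IHDR":
        return None
    width, height, bit_depth, color_type = struct.unpack(">IIBB", data[16:26])
    return {"width": width, "height": height, "bit_depth": bit_depth,
            "color": PNG_COLOR_TYPES.get(color_type, "unknown")}


def check_attachment(filename: str, mime_type: str, data: bytes) -> dict:
    """Flag a mismatch when the bytes identify a known format that neither the
    extension nor the declared MIME type admits (a generic declaration is not a mismatch)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = {EXT_TO_FORMAT.get(ext, "unknown"), MIME_TO_FORMAT.get(mime_type.lower(), "unknown")}
    known_declared = declared - {"unknown"}
    actual = sniff_format(data)
    mismatch = actual != "unknown" and bool(known_declared) and actual not in known_declared
    result = {"filename": filename, "declared": sorted(known_declared) or ["unknown"],
              "actual": actual, "mismatch": mismatch}
    if actual == "png":
        result["png"] = png_header(data)
    return result


def make_png_header(width: int, height: int, color_type: int = 6) -> bytes:
    """Constructed sample: PNG signature plus an IHDR chunk with a zeroed CRC; not a real image."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, color_type, 0, 0, 0)
    return b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\x00\x00\x00\x00"


# The shape of the attachment described above: RGBA PNG, 1024x1123, delivered as a .jpeg.
SAMPLE = make_png_header(1024, 1123)

if __name__ == "__main__":
    print(check_attachment("4248114.jpeg", "image/jpeg", SAMPLE))
```

The point of `known_declared` is that a generic declaration such as `application/octet-stream` on a `.bin` file is not evidence of masquerading; only a concrete claim that the bytes contradict should raise the signal.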
The image itself contained no embedded URLs, no QR codes, and no hidden payloads (steganography checks came back clean). The attacker kept it simple. The phone number was the only call to action, and it lived safely inside pixel data where text-based scanning wouldn't catch it without OCR.
The sender, "Tyla Wood" (fbrje67855@gmail[.]com), used a randomized Gmail address. The local part follows the pattern of throwaway accounts: random consonant clusters with appended digits. Because the message was sent through Google's legitimate SMTP infrastructure (mail-vs1-xe35[.]google[.]com), it passed SPF, DKIM, and DMARC validation cleanly. This is the fundamental challenge with free webmail providers. Authentication protocols verify that the sending infrastructure is authorized, not that the sender is trustworthy.
The email also carried a malformed List-Unsubscribe header pointing to hxxps://fbrje67855@gmail[.]com/unsubscribe, which is not a valid unsubscribe endpoint. This header manipulation serves two purposes: it can confuse spam filters that weight legitimate unsubscribe mechanisms as a positive signal, and it reinforces the appearance of a "real" commercial email.
Additional evasion signals included priority headers set to maximum urgency (X-Priority: 1, Importance: high, Priority: urgent) across multiple header formats. The email body itself contained only a bare string referencing 157[.]175[.]105[.]49, which resolves to an AWS EC2 instance in the me-south-1 (Bahrain) region. This token appears to be an internal tracking reference for the attacker's campaign infrastructure.
The complete attack path maps to T1566.001: Spearphishing Attachment for initial delivery and T1204.002: User Execution for the callback action the attacker needs to succeed.
IRONSCALES Adaptive AI flagged this message through a convergence of behavioral signals. The sender was a first-time contact with a randomized address pattern. The email contained an image attachment with invoice-style content but zero links, a structure that maps to known TOAD patterns. The file-type mismatch between the declared JPEG extension and the actual PNG binary signature added another anomaly signal.
Themis analyzed the email's language structure and attachment characteristics, identifying patterns consistent with sophisticated phishing. The message was quarantined before the recipient could act on it.
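The convergence of signals described above, as an added example that is not the original report's or IRONSCALES's own detection logic: a small header and attachment analyzer that scores a message on the behavioural anomalies the report lists (unknown sender with a throwaway-style webmail address, a `List-Unsubscribe` URL carrying userinfo, stacked urgency headers, an image attachment in a link-free body, a declared JPEG whose bytes are PNG, and a body that is nothing but a bare IP). The `.eml` is constructed here to mirror the headers quoted in the report, with a bare PNG signature as the attachment rather than a real image; the free-webmail list, the `KNOWN_SENDERS` allow-list and the quarantine threshold of four signals are assumptions for the example.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample message mirroring the headers described above (not the original mail).
# The attachment is only the 8-byte PNG signature, base64-encoded.
SAMPLE_EML = b"""\
From: "Tyla Wood" <fbrje67855@gmail.com>
To: finance@example.com
Subject: LAE7818
List-Unsubscribe: <https://fbrje67855@gmail.com/unsubscribe>
X-Priority: 1
Importance: high
Priority: urgent
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

157.175.105.49
--b1
Content-Type: image/jpeg; name="4248114.jpeg"
Content-Disposition: attachment; filename="4248114.jpeg"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}  # assumed list
KNOWN_SENDERS = {"billing@vendor.example"}  # assumed allow-list of prior contacts
URL_RE = re.compile(r"(https?://|www\.)", re.I)
IP_RE = re.compile(r"^\s*(\d{1,3}\.){3}\d{1,3}\s*$")


def looks_random_local_part(local: str) -> bool:
    """Throwaway-account pattern: letters with a long consonant run, then appended digits."""
    m = re.fullmatch(r"([a-z]+)(\d{3,})", local.lower())
    return bool(m) and re.search(r"[^aeiou]{4,}", m.group(1)) is not None


def unsubscribe_header_malformed(value) -> bool:
    """A real List-Unsubscribe target is a mailto: or a plain http(s) URL; userinfo
    in the URL (user@host) or a missing host means it is not a usable endpoint."""
    if value is None:
        return False
    targets = re.findall(r"<([^>]+)>", str(value))
    if not targets:
        return True
    for target in targets:
        if target.strip().lower().startswith("mailto:"):
            continue
        parts = urlsplit(target.strip())
        if parts.scheme not in ("http", "https") or "@" in parts.netloc or not parts.hostname:
            return True
    return False


def urgency_header_count(msg) -> int:
    """Count distinct priority headers all pushed to their most urgent value."""
    checks = [("X-Priority", lambda v: v.strip().startswith("1")),
              ("Importance", lambda v: v.strip().lower() == "high"),
              ("Priority", lambda v: v.strip().lower() == "urgent")]
    return sum(1 for name, ok in checks if msg.get(name) is not None and ok(str(msg.get(name))))


def analyze(raw: bytes, known_senders=KNOWN_SENDERS) -> dict:
    msg = message_from_bytes(raw, policy=policy.default)
    signals = []
    _, sender = parseaddr(str(msg.get("From", "")))
    local, _, domain = sender.rpartition("@")
    if sender and sender.lower() not in known_senders:
        signals.append("first_time_sender")
    if domain.lower() in FREE_WEBMAIL and looks_random_local_part(local):
        signals.append("random_webmail_sender")
    if unsubscribe_header_malformed(msg.get("List-Unsubscribe")):
        signals.append("malformed_list_unsubscribe")
    if urgency_header_count(msg) >= 2:
        signals.append("stacked_urgency_headers")
    body_text, image_attachments, mismatched = "", 0, 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.is_attachment() or part.get_filename():
            data = part.get_payload(decode=True) or b""
            image_attachments += ctype.startswith("image/")
            # Declared JPEG, PNG signature underneath: the masquerade from the report.
            mismatched += ctype == "image/jpeg" and data.startswith(b"\x89PNG\r\n\x1a\n")
        elif ctype == "text/plain":
            body_text += part.get_content()
    if image_attachments and not URL_RE.search(body_text):
        signals.append("image_attachment_without_links")
    if mismatched:
        signals.append("attachment_type_mismatch")
    if IP_RE.match(body_text):
        signals.append("bare_ip_body")
    verdict = "quarantine" if len(signals) >= 4 else ("review" if signals else "deliver")
    return {"sender": sender, "signals": signals, "verdict": verdict}


if __name__ == "__main__":
    print(analyze(SAMPLE_EML))
```

No single signal here is damning on its own; an unknown Gmail sender or a high-priority flag is routine. The verdict comes from their convergence, which is why the example scores them rather than short-circuiting on the first hit.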
Had the email landed, the likely next step would have been a phone call to +1-804-610-0942. According to Microsoft's Digital Defense Report 2024, callback phishing operations typically escalate to remote access tool installation, credential harvesting, or direct financial theft within minutes of the initial call. The Verizon DBIR 2024 found that the median time from phishing contact to credential compromise is under 60 seconds once a human interaction channel is established.
File extensions are cosmetic. Any security stack that trusts a file extension without verifying magic bytes has a gap. Ask your vendor whether their attachment scanning performs binary signature validation, not just extension matching.
Zero-link emails are not zero-risk emails. TOAD attacks are specifically designed to exploit the blind spot in link-centric detection. If your email security tools only flag messages with suspicious URLs, callback phishing will sail through every time. Detection needs to account for image-embedded phone numbers, invoice patterns, and behavioral anomalies like first-time senders with randomized addresses.
Authentication is not authorization. SPF, DKIM, and DMARC passing does not mean an email is safe. It means the sending infrastructure is who it claims to be. Attackers use free Gmail accounts specifically because Google's infrastructure will always authenticate correctly. Layer community intelligence and behavioral analysis on top of protocol checks.
Train for the phone call, not just the click. Most phishing awareness programs focus on "don't click the link." TOAD attacks require a different reflex: "don't call the number." Make sure your simulation exercises include callback scenarios where the only malicious element is a phone number printed in an image.