Four mailboxes at a regional healthcare provider received the same email on March 26, 2026. Subject line: "Shrink That Utility Bill." The body opened with a joke about a coworker microwaving fish in the break room, pitched a free energy audit, and closed with a single phone number. No links. No attachments. No embedded URLs. The entire attack surface was a voice call waiting to happen.
The sending domain, ampica-company[.]com, had existed for exactly 16 days.
This is TOAD (Telephone-Oriented Attack Delivery) in its purest form. The email is just the first stage of a two-phase attack: get the recipient on the phone, then execute the real social engineering. Every traditional scanner, from URL reputation to attachment sandboxing to link detonation, sees a clean message and waves it through. That is precisely the point.
A Domain Built to Impersonate an Energy Consultancy
The attacker registered ampica-company[.]com through GoDaddy on March 10, 2026. WHOIS privacy shielding hides the registrant. DNSSEC is unsigned. The domain expires in exactly one year, the minimum registration period, a common pattern for disposable phishing infrastructure.
A legitimate energy consulting firm called Ampica operates at ampica[.]com. The attacker's domain, ampica-company[.]com, mimics the brand closely enough to survive a quick glance but has no verified connection to the real company. This is a textbook lookalike domain play, mapped to MITRE ATT&CK T1583.001 (Acquire Infrastructure: Domains).
The email originated from Google's Gmail API infrastructure (submitted via gmailapi.google.com with HTTPREST), not from any corporate mail server. Custom headers embedded in the message reveal campaign automation metadata: campaignid=11041, stepid=75508, seqthreadid=167186, and outboxid=3082235746. This was not a single hand-crafted email. It was a sequenced outbound campaign, likely powered by a sales engagement platform, designed to hit targets at scale.
Triple Authentication Failure, Inbox Delivery Anyway
Here is where the case gets instructive for defenders.
At the first relay hop (a Cisco IronPort appliance), the message passed SPF, DKIM, and DMARC validation against the Google sending IP (209.85.167.66). But by the time the message reached the Microsoft 365 tenant, every authentication check had flipped:
- SPF: SoftFail for 139.138.34.191 (the IronPort relay IP, not in ampica-company[.]com's SPF record)
- DKIM: Fail (signature did not verify, likely broken by header modification during relay)
- DMARC: Fail (p=none, no enforcement)
- ARC: cv=fail (chain validation failed across the forwarding sequence)
- compauth: none (reason=405, composite authentication could not validate)
The domain's DMARC policy is set to p=none, which means "monitor only, take no enforcement action." Even with a triple authentication failure, the receiving tenant did not reject or quarantine the message. Microsoft assigned SCL=-1, indicating the message was allow-listed at the organizational level, bypassing spam filtering entirely.
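The following Python is an added illustration, not code from IRONSCALES or from this post: it parses a constructed Authentication-Results style header modelled on the failures listed above and shows why a DMARC record with p=none produces no enforcement while the same failures under p=reject would. The header text, the DMARC records and the rua address are constructed samples, not copied from the real message.

```python
import re

# Constructed Authentication-Results header modelled on the failures described
# in the post (illustrative values, not the real message's header).
SAMPLE_AUTH_RESULTS = (
    "spf=softfail (sender IP is 139.138.34.191) smtp.mailfrom=ampica-company.com; "
    "dkim=fail (signature did not verify) header.d=ampica-company.com; "
    "dmarc=fail action=none header.from=ampica-company.com; "
    "arc=fail (chain validation failed); "
    "compauth=none reason=405"
)

# Constructed DMARC TXT records: the monitor-only policy seen in this case and
# the enforcing policy recommended for defenders (rua address is a placeholder).
DMARC_MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid"

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_auth_results(header: str) -> dict:
    """Return {method: result} for each 'method=result' clause, dropping
    parenthetical comments and property tags such as header.from=."""
    results = {}
    for clause in header.split(";"):
        clause = re.sub(r"\([^)]*\)", "", clause).strip()  # remove (comments)
        m = re.match(r"^(spf|dkim|dmarc|arc|compauth)=(\w+)", clause)
        if m:
            results[m.group(1)] = m.group(2).lower()
    return results


def dmarc_policy(record: str) -> str:
    """Extract the p= tag from a DMARC TXT record (required by RFC 7489)."""
    for tag in record.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip().lower() == "p":
            policy = value.strip().lower()
            if policy not in VALID_POLICIES:
                raise ValueError(f"unknown DMARC policy {policy!r}")
            return policy
    raise ValueError("DMARC record missing required p= tag")


def dmarc_is_enforcing(record: str) -> bool:
    """True only for p=quarantine or p=reject; p=none is monitor-only."""
    return dmarc_policy(record) in ("quarantine", "reject")


def dmarc_disposition(auth: dict, record: str) -> str:
    """Action a DMARC-honouring receiver takes. The dmarc= result in the
    header already reflects SPF/DKIM alignment; the domain owner's policy
    decides what happens when that result is not 'pass'."""
    if auth.get("dmarc") == "pass":
        return "none"  # authenticated, so the policy is never consulted
    return dmarc_policy(record)


def evaluate(auth_header: str, record: str, scl: int) -> dict:
    """Combine the authentication verdict with the tenant's spam-confidence
    handling. SCL=-1 marks a message as allow-listed, which skips spam
    filtering; it is recorded separately because it is a tenant decision,
    not part of DMARC."""
    auth = parse_auth_results(auth_header)
    return {
        "auth": auth,
        "dmarc_action": dmarc_disposition(auth, record),
        "spam_filtering": "bypassed (SCL=-1 allow-list)" if scl == -1 else "applied",
    }


if __name__ == "__main__":
    for label, record in (("p=none", DMARC_MONITOR_ONLY), ("p=reject", DMARC_REJECT)):
        print(label, evaluate(SAMPLE_AUTH_RESULTS, record, -1))
```

Run as written, the p=none case yields `dmarc_action: none` with spam filtering bypassed, which is exactly the combination that delivered this message; switching the record to p=reject changes the action to `reject` without any other input changing.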
The FBI IC3 2024 report documents over $12.5 billion in losses from business email compromise, with callback phishing representing a growing share. Verizon's 2024 DBIR confirms social engineering remains the top action variety in breaches.
Why TOAD Attacks Blind Traditional Scanners
A Secure Email Gateway evaluates an inbound message by scanning its links against URL reputation databases, detonating attachments in sandboxes, and matching content against known malicious signatures. When an email contains none of those artifacts, those engines return clean verdicts.
This message triggered a "Negative" threat scanner verdict and passed through Cisco's content scanning layer without issue. The X-IronPort-Reputation score of 0.1 (on a scale where lower means worse) flagged the sender as suspicious, but the GREYLIST classification and MEDIUM_THROTTLE policy only slowed delivery. They did not stop it.
The body reads like legitimate cold sales outreach. The humor ("that one coworker who microwaves fish"), the soft ask ("Want me to forward you a quick overview?"), and the polite opt-out ("just reply 'Not interested'") all mirror real B2B prospecting. This maps to MITRE ATT&CK T1566 (Phishing) and T1598 (Phishing for Information), where the email gathers engagement before the real payload deploys over a second channel.
The phone number is the payload. Once the recipient calls, the attacker controls the conversation. The Microsoft Digital Defense Report 2024 highlights this exact pattern: voice-channel pivots that originate from email but execute entirely outside the email security stack.
How Behavioral AI Caught What Scanners Missed
IRONSCALES Themis flagged this message at 89% confidence, classifying it as phishing and tagging the recipient as a VIP. The detection relied entirely on behavioral and community signals because there was nothing else to work with:
- Domain age analysis: ampica-company[.]com was 16 days old at send time. Newly registered domains correlate heavily with phishing campaigns (CISA phishing guidance flags this as a primary indicator).
- Community intelligence: The IRONSCALES community of 35,000+ security professionals had already flagged similar sender fingerprints from related campaigns. Two community insight signals fired: one based on resolution patterns of similar incidents, the other on reputation signals matching previously reported phishing activity.
- Authentication failure correlation: Triple auth failure combined with a newly registered domain and first-time contact pattern produced a composite risk score that exceeded the phishing threshold.
The incident was automatically resolved as phishing. Four affected mailboxes were remediated.
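As an added example (not IRONSCALES code, and not the Themis model), the Python below turns the three signal classes listed above into a composite risk score over a constructed message: domain age from the registration and send dates given in this post, a count of failed SPF/DKIM/DMARC checks, a first-contact flag, a "phone number but no links or attachments" callback pattern, and a lookup against a constructed set of community-reported sender fingerprints. The weights, the threshold, the sample bodies and the phone number are all assumptions made for the example; the post states no formula.

```python
import re
from datetime import date

# Assumed weights and threshold; the post gives no scoring formula.
WEIGHTS = {
    "young_domain": 40,      # registered fewer than 30 days before the send date
    "auth_failure": 10,      # per failed SPF / DKIM / DMARC check
    "first_contact": 10,     # tenant has never received mail from this sender
    "callback_pattern": 20,  # phone number present, but no URLs and no attachments
    "community_report": 20,  # (domain, DKIM selector) fingerprint already reported
}
PHISHING_THRESHOLD = 70

URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
PHONE_RE = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

# Constructed community intelligence: fingerprints of previously reported senders.
REPORTED_FINGERPRINTS = frozenset({("ampica-company.com", "google")})

# Constructed TOAD-style message; dates are the ones given in the post,
# the phone number is a placeholder rather than the real callback number.
TOAD_MESSAGE = {
    "from_domain": "ampica-company.com",
    "dkim_selector": "google",
    "domain_created": date(2026, 3, 10),
    "sent": date(2026, 3, 26),
    "auth": {"spf": "softfail", "dkim": "fail", "dmarc": "fail"},
    "prior_messages_from_sender": 0,
    "attachments": 0,
    "body": "Want me to forward you a quick overview? Call me at (555) 013-0199.",
}

# Constructed benign control: long-lived domain, clean auth, known sender, one link.
BENIGN_MESSAGE = {
    "from_domain": "vendor.example",
    "dkim_selector": "s1",
    "domain_created": date(2015, 6, 1),
    "sent": date(2026, 3, 26),
    "auth": {"spf": "pass", "dkim": "pass", "dmarc": "pass"},
    "prior_messages_from_sender": 42,
    "attachments": 0,
    "body": "Your monthly report is ready: https://vendor.example/reports/march",
}


def extract_features(msg: dict, reported: frozenset) -> dict:
    """Derive the behavioural signals the post describes from raw metadata."""
    body = msg["body"]
    return {
        "domain_age_days": (msg["sent"] - msg["domain_created"]).days,
        "auth_failures": sum(1 for r in msg["auth"].values() if r != "pass"),
        "first_contact": msg["prior_messages_from_sender"] == 0,
        "has_url": bool(URL_RE.search(body)),
        "has_phone": bool(PHONE_RE.search(body)),
        "attachments": msg["attachments"],
        "community_hit": (msg["from_domain"], msg["dkim_selector"]) in reported,
    }


def score_message(msg: dict, reported: frozenset = REPORTED_FINGERPRINTS) -> dict:
    """Sum weighted signals into a composite score and a verdict."""
    f = extract_features(msg, reported)
    score, reasons = 0, []
    if f["domain_age_days"] < 30:
        score += WEIGHTS["young_domain"]
        reasons.append(f"domain is {f['domain_age_days']} days old")
    if f["auth_failures"]:
        score += WEIGHTS["auth_failure"] * f["auth_failures"]
        reasons.append(f"{f['auth_failures']} authentication checks failed")
    if f["first_contact"]:
        score += WEIGHTS["first_contact"]
        reasons.append("first message from this sender")
    if f["has_phone"] and not f["has_url"] and f["attachments"] == 0:
        score += WEIGHTS["callback_pattern"]
        reasons.append("phone-only callback pattern (no links, no attachments)")
    if f["community_hit"]:
        score += WEIGHTS["community_report"]
        reasons.append("sender fingerprint previously reported")
    verdict = "phishing" if score >= PHISHING_THRESHOLD else "clean"
    return {"features": f, "score": score, "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    for m in (TOAD_MESSAGE, BENIGN_MESSAGE):
        print(score_message(m))
```

The callback-pattern rule is the one that matters for TOAD: it rewards the absence of the artifacts a gateway scans for, so a message with nothing but a phone number scores higher rather than lower.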
Defending Against Phone-Only Phishing
TOAD attacks require a fundamentally different defensive posture than link or attachment phishing. Here is what works:
For security teams:
- Enforce DMARC at p=reject across all organizational domains. This case's p=none policy allowed the message through despite complete authentication failure. NIST and CISA both recommend reject enforcement as baseline email hygiene.
- Review SCL override rules. An SCL of -1 on a triple-auth-fail message from a 16-day-old domain indicates an overly permissive allow list.
- Deploy behavioral AI that evaluates domain age, sender history, and community reputation rather than relying exclusively on content scanning.
For end users:
- Never call a phone number provided in an unsolicited email. If the offer seems legitimate, look up the company's number independently.
- Treat "no links" as a signal, not safety. The absence of clickable content does not mean the email is benign.
- Report suspicious messages even when they look like ordinary sales outreach. Community reporting feeds the intelligence loop that catches the next campaign.
The IBM Cost of a Data Breach Report 2024 found that social engineering attacks involving voice channels carry above-average breach costs. A phone call feels more personal, more urgent, and harder to verify than a link click.
TOAD Campaign Infrastructure
| Type | Indicator | Context |
|---|---|---|
| Domain | ampica-company[.]com | Attacker sending domain, registered 2026-03-10 via GoDaddy |
| Email | derek@ampica-company[.]com | Sender and Reply-To address |
| IP | 209[.]85[.]167[.]66 | Google SMTP relay (legitimate infrastructure, not attacker-owned) |
| IP | 139[.]138[.]34[.]191 | Cisco IronPort relay (esa3.hc3244-53.iphmx.com) |
| Phone | (317) 406-7878 | TOAD callback number embedded in email signature |
| DKIM Selector | google | DKIM selector on ampica-company[.]com |
| Campaign ID | 11041 | Sales automation campaign identifier from email headers |
| Sequence Thread ID | 167186 | Outbound sequence thread from campaign platform |
Technique Classification
| Technique | ID | Relevance |
|---|---|---|
| Phishing | T1566 | Initial email delivery to healthcare targets |
| Phishing for Information | T1598 | Phone-based engagement to extract information or access |
| Acquire Infrastructure: Domains | T1583.001 | Registration of lookalike domain 16 days before campaign |