Four mailboxes at a regional healthcare provider received the same email on March 26, 2026. Subject line: "Shrink That Utility Bill." The body opened with a joke about a coworker microwaving fish in the break room, pitched a free energy audit, and closed with a single phone number. No links. No attachments. No embedded URLs. The entire attack surface was a voice call waiting to happen.
The sending domain, ampica-company[.]com, had existed for exactly 16 days.
This is TOAD (Telephone-Oriented Attack Delivery) in its purest form. The email is just the first stage of a two-phase attack: get the recipient on the phone, then execute the real social engineering. Every traditional scanner, from URL reputation to attachment sandboxing to link detonation, sees a clean message and waves it through. That is precisely the point.
The attacker registered ampica-company[.]com through GoDaddy on March 10, 2026. WHOIS privacy shielding hides the registrant. DNSSEC is unsigned. The domain expires in exactly one year, the minimum registration period, a common pattern for disposable phishing infrastructure.
A legitimate energy consulting firm called Ampica operates at ampica[.]com. The attacker's domain, ampica-company[.]com, mimics the brand closely enough to survive a quick glance but has no verified connection to the real company. This is a textbook lookalike domain play, mapped to MITRE ATT&CK T1583.001 (Acquire Infrastructure: Domains).
The email originated from Google's Gmail API infrastructure (submitted via gmailapi.google.com with HTTPREST), not from any corporate mail server. Custom headers embedded in the message reveal campaign automation metadata: campaignid=11041, stepid=75508, seqthreadid=167186, and outboxid=3082235746. This was not a single hand-crafted email. It was a sequenced outbound campaign, likely powered by a sales engagement platform, designed to hit targets at scale.
Here is where the case gets instructive for defenders.
At the first relay hop (a Cisco IronPort appliance), the message passed SPF, DKIM, and DMARC validation against the Google sending IP (209.85.167.66). By the time it reached the Microsoft 365 tenant, all three checks had flipped to fail. The SPF flip is expected for a relayed message rather than a sign of tampering: SPF is evaluated against whichever IP connects to the receiver, and the tenant saw the IronPort relay (139.138.34.191), not Google, as the sender. DMARC passes only if aligned SPF or aligned DKIM passes, and with the DKIM signature also failing to verify at the tenant, DMARC fell over as well. Carrying an upstream hop's verdicts across a forwarding path is exactly what ARC (RFC 8617) exists for; nothing of the kind was in play here.
The sending domain's DMARC policy is p=none, which means "monitor only, take no enforcement action." So even with a triple authentication failure, the receiving tenant had no instruction from DMARC to reject or quarantine the message. That alone would not have skipped filtering, though: Microsoft also stamped the message SCL=-1, the value reserved for mail that bypasses spam filtering because a tenant-side override (a safe sender or allowed domain, a connection-filter IP allow list, or a mail flow rule setting the SCL) vouched for it. The attacker's p=none removed one brake; the organization's own allow list removed the other.
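As an added example (not code from the original analysis or from IRONSCALES), the Python check below reproduces the hop-by-hop comparison on a constructed set of headers: it parses every Authentication-Results header, records which IP each hop evaluated, reads the tenant's SCL stamp, and pulls the p= tag from a DMARC TXT record. The IPs, domain, DKIM selector and p=none come from the case; the exact header wording, the IronPort authserv-id format and the rua tag are assumptions for illustration.

```python
import email
import re

# Constructed sample (not the real headers): the Microsoft 365 tenant prepends
# its headers last, so its Authentication-Results sits above the IronPort one.
SAMPLE_RAW = """\
Authentication-Results: spf=fail (sender IP is 139.138.34.191)
 smtp.mailfrom=ampica-company.com; dkim=fail (signature did not verify)
 header.d=ampica-company.com; dmarc=fail action=none
 header.from=ampica-company.com
X-MS-Exchange-Organization-SCL: -1
Authentication-Results: esa3.hc3244-53.iphmx.com; spf=Pass
 smtp.mailfrom=derek@ampica-company.com (client-ip 209.85.167.66);
 dkim=pass header.i=@ampica-company.com header.s=google;
 dmarc=pass header.from=ampica-company.com
From: Derek <derek@ampica-company.com>
Reply-To: derek@ampica-company.com
Subject: Shrink That Utility Bill

(body omitted)
"""

# Constructed DMARC record for the sender domain: p=none is from the case,
# the rua tag is assumed.
SAMPLE_DMARC_TXT = "v=DMARC1; p=none; rua=mailto:dmarc@ampica-company.com"

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
METHOD = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
METHODS = ("spf", "dkim", "dmarc")


def parse_auth_results(raw: str) -> list:
    """One dict per Authentication-Results header, newest hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(value.split())  # unfold continuation lines
        # RFC 8601 starts the field with an authserv-id; Microsoft's variant
        # omits it, so only a leading segment without '=' is treated as one.
        first = value.split(";", 1)[0].strip()
        hop = {"authserv": first if "=" not in first else None}
        for method, result in METHOD.findall(value):
            hop[method.lower()] = result.lower()
        ip = IPV4.search(value)  # the IP this hop evaluated SPF against
        hop["ip"] = ip.group(0) if ip else None
        hops.append(hop)
    return hops


def dmarc_policy(txt: str) -> str:
    """Return the p= tag of a DMARC TXT record ('none' when absent)."""
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    return tags.get("p", "none").strip().lower()


def assess(raw: str, dmarc_txt: str) -> dict:
    """Flag the pass-upstream / fail-at-tenant pattern and any SCL -1 bypass."""
    hops = parse_auth_results(raw)
    if not hops:
        raise ValueError("no Authentication-Results headers to compare")
    newest, oldest = hops[0], hops[-1]
    scl = email.message_from_string(raw).get("X-MS-Exchange-Organization-SCL", "")
    report = {
        "hops": len(hops),
        "upstream_ip": oldest["ip"],
        "tenant_ip": newest["ip"],
        "auth_divergence": all(oldest.get(m) == "pass" for m in METHODS)
        and all(newest.get(m) == "fail" for m in METHODS),
        "dmarc_policy": dmarc_policy(dmarc_txt),
        "scl_bypass": scl.strip() == "-1",
    }
    # A message that failed every check at the tenant and still skipped
    # filtering is the one worth paging on; with p=none the sender's own
    # policy will never enforce, so the override is the only control left.
    report["escalate"] = report["auth_divergence"] and report["scl_bypass"]
    return report


if __name__ == "__main__":
    for key, val in assess(SAMPLE_RAW, SAMPLE_DMARC_TXT).items():
        print(f"{key:16} {val}")
```

Run against the constructed headers, the report shows two hops, SPF evaluated against 209.85.167.66 upstream and 139.138.34.191 at the tenant, a divergence, p=none, and an SCL -1 bypass, so it escalates. On real mail, feed it the raw RFC 5322 headers and the TXT record you fetch for the From domain.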
The FBI IC3 report published in 2024 (covering 2023) documents over $12.5 billion in reported cybercrime losses across all categories, with business email compromise among the costliest and callback phishing representing a growing share of it. Verizon's 2024 DBIR confirms social engineering remains the top action variety in breaches.
A Secure Email Gateway evaluates an inbound message by scanning its links against URL reputation databases, detonating attachments in sandboxes, and matching content against known malicious signatures. When an email contains none of those artifacts, those engines return clean verdicts.
This message received a "Negative" threat scanner verdict (negative for threats) and passed through Cisco's content scanning layer without issue. The X-IronPort-Reputation score of 0.1 sits near the neutral point of a scale where lower means worse (Cisco's SenderBase reputation runs from -10 to +10), so the sender was neither trusted nor condemned. That was enough for a GREYLIST classification and a MEDIUM_THROTTLE policy, which rate-limit delivery from unknown senders but never stop it.
The body reads like legitimate cold sales outreach. The humor ("that one coworker who microwaves fish"), the soft ask ("Want me to forward you a quick overview?"), and the polite opt-out ("just reply 'Not interested'") all mirror real B2B prospecting. This maps to MITRE ATT&CK T1566 (Phishing) and T1598 (Phishing for Information), where the email gathers engagement before the real payload deploys over a second channel.
The phone number is the payload. Once the recipient calls, the attacker controls the conversation. The Microsoft Digital Defense Report 2024 highlights this exact pattern: voice-channel pivots that originate from email but execute entirely outside the email security stack.
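To make the blind spot concrete, here is an added Python example (not code from the original analysis or from any vendor mentioned) that scores a message on the signals a link-and-attachment scanner never looks at: whether the only call to action is a phone number, how old the sender domain is, whether it is a hyphen-padded lookalike of a brand you know, and the IronPort reputation score. The sender domain, callback number, reputation score and dates come from the case; the recipient, body wording, the in-memory registration table standing in for a WHOIS/RDAP lookup, the brand list and the score weights are assumptions for illustration.

```python
import email
import re
from datetime import date
from email import policy

# Constructed sample lure (not the real message). Sender domain, callback
# number, reputation score and dates are taken from the case write-up; the
# recipient and body wording are stand-ins.
SAMPLE_RAW = """\
From: Derek <derek@ampica-company.com>
Reply-To: derek@ampica-company.com
To: facilities@example-health.org
Date: Thu, 26 Mar 2026 09:15:00 -0400
Subject: Shrink That Utility Bill
X-IronPort-Reputation: 0.1
Content-Type: text/plain; charset="utf-8"

We all have that one coworker who microwaves fish in the break room.
What nobody should have to live with is an inflated utility bill. We run
free energy audits for healthcare facilities. Want me to forward you a
quick overview? Just give me a call at (317) 406-7878.

Not for you? Just reply "Not interested".

Derek
"""

# Stand-in for a WHOIS/RDAP lookup (registration date from the case).
REGISTERED = {"ampica-company.com": date(2026, 3, 10)}
# Brand domains the organization actually deals with (assumed list).
KNOWN_BRANDS = {"ampica.com"}

URL_RE = re.compile(r"https?://|www\.|<a\s", re.I)
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")


def lookalike_of(domain: str, brands):
    """Brand that a hyphen-padded domain imitates: ampica-company.com -> ampica.com."""
    label = domain.split(".")[0]
    for brand in brands:
        brand_label = brand.split(".")[0]
        if label != brand_label and label.split("-")[0] == brand_label:
            return brand
    return None


def analyze(raw: str) -> dict:
    """Score a message on the signals a link-and-attachment scanner cannot see."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    domain = msg["From"].addresses[0].domain.lower()
    sent = msg["Date"].datetime.date()
    age = (sent - REGISTERED[domain]).days if domain in REGISTERED else None
    rep = msg.get("X-IronPort-Reputation")
    s = {
        "urls": len(URL_RE.findall(body)),
        "attachments": sum(1 for _ in msg.iter_attachments()),
        "phones": PHONE_RE.findall(body),
        "domain_age_days": age,
        "lookalike_of": lookalike_of(domain, KNOWN_BRANDS),
        "reputation": float(rep) if rep is not None else None,
    }
    score = 0
    if s["phones"] and not s["urls"] and not s["attachments"]:
        score += 40  # the only call to action is a phone number: TOAD shape
    if age is not None and age < 30:
        score += 30  # sender domain registered within the last month
    if s["lookalike_of"]:
        score += 20  # brand imitation with a hyphenated suffix
    if s["reputation"] is not None and s["reputation"] < 1.0:
        score += 10  # neutral-or-worse SBRS; nothing vouches for the sender
    s["score"] = score
    s["verdict"] = "toad_suspect" if score >= 60 else "no_finding"
    return s


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_RAW).items():
        print(f"{key:16} {val}")
```

On the constructed lure every signal fires: zero URLs and attachments, one callback number, a 16-day-old lookalike domain and a neutral reputation, for a score of 100 and a TOAD verdict. The weights are illustrative; the point is that each of them is computable from headers, body text and a registration date, none of which a signature or detonation engine consults.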
IRONSCALES Themis flagged this message at 89% confidence, classifying it as phishing and tagging the recipient as a VIP. With no links, attachments, or signatures to match, the detection relied entirely on behavioral and community signals, such as domain age, sender history, and community reputation, because there was nothing else to work with.
The incident was automatically resolved as phishing. Four affected mailboxes were remediated.
TOAD attacks require a fundamentally different defensive posture than link or attachment phishing. Here is what works:
For security teams:

- Act on DMARC failures at the inbound boundary, not only on your own domains. The p=none here is published by the attacker's domain, so it was the attacker's choice to make. Publishing p=reject across your own organizational domains, which NIST and CISA both recommend as baseline email hygiene, stops others from spoofing you but would not have touched this message. What would have is a gateway or tenant policy that quarantines inbound mail failing DMARC regardless of the sender's published policy, at minimum for domains with no sending history.
- Review SCL override rules. An SCL of -1 on a triple-auth-fail message from a 16-day-old domain indicates an overly permissive allow list. Check mail flow rules that set the SCL to -1, safe-sender and allowed-domain entries in the anti-spam policy, and connection-filter IP allow lists, and remove anything that vouches for a whole relay or a whole domain rather than a specific, verified sender.
- Deploy behavioral AI that evaluates domain age, sender history, and community reputation rather than relying exclusively on content scanning.
For end users:

- Never call a phone number provided in an unsolicited email. If the offer seems legitimate, look up the company's number independently.
- Treat "no links" as a signal, not safety. The absence of clickable content does not mean the email is benign.
- Report suspicious messages even when they look like ordinary sales outreach. Community reporting feeds the intelligence loop that catches the next campaign.
The IBM Cost of a Data Breach Report 2024 found that social engineering attacks involving voice channels carry above-average breach costs. A phone call feels more personal, more urgent, and harder to verify than a link click.
| Type | Indicator | Context |
|---|---|---|
| Domain | ampica-company[.]com | Attacker sending domain, registered 2026-03-10 via GoDaddy |
| Email | derek@ampica-company[.]com | Sender and Reply-To address |
| IP | 209[.]85[.]167[.]66 | Google SMTP relay (legitimate infrastructure, not attacker-owned) |
| IP | 139[.]138[.]34[.]191 | Cisco IronPort relay (esa3.hc3244-53.iphmx.com) |
| Phone | (317) 406-7878 | TOAD callback number embedded in email signature |
| DKIM Selector | google | DKIM selector on ampica-company[.]com |
| Campaign ID | 11041 | Sales automation campaign identifier from email headers |
| Sequence Thread ID | 167186 | Outbound sequence thread from campaign platform |

| Technique | ID | Relevance |
|---|---|---|
| Phishing | T1566 | Initial email delivery to healthcare targets |
| Phishing for Information | T1598 | Phone-based engagement to extract information or access |
| Acquire Infrastructure: Domains | T1583.001 | Registration of lookalike domain 16 days before campaign |