The notification looked like a standard Google Calendar invite. The subject referenced a scheduled event. The body contained RSVP buttons, a Google logo, and the familiar formatting of any calendar notification that lands in a corporate inbox multiple times a day.
Inside the event description was a billing notice from "Geek Squad's Member Services." A charge of $359.99 USD was supposedly hitting the recipient's next billing cycle. Multiple phone numbers were listed, along with a street address presented as a support center. The message urged immediate action to dispute the charge.
There were no malicious URLs. Every link in the email resolved to calendar.google.com. The ICS attachment contained no executable code, no embedded links, no HTML forms. Attachment sandboxes returned a clean verdict. URL reputation engines had nothing to flag. The entire attack payload was a set of phone numbers.
The organizer domain, nickmin[.]com, was registered the same day the invite was sent. The registrar was Hosting Concepts B.V., and registrant details were privacy-protected. The domain published no SPF record, so the SPF evaluation returned none for the return-path domain. No MX records. No web presence. No history.
Despite the brand-new, unverified organizer domain, DKIM passed. Google Calendar sends invites through Google's own mail infrastructure (mail-sor-f69[.]google[.]com, IP 209[.]85[.]220[.]69) and signs them with Google's own DKIM keys, so the d= tag in the DKIM-Signature header names a Google signing domain, not the organizer's. A DKIM pass therefore confirms only that Google processed and sent the message and that it was not altered in transit. It does not confirm that the organizer domain is legitimate or that the content is trustworthy, and comparing the d= value with the organizer domain is the quickest way to see the mismatch.
The return-path address followed a pattern consistent with disposable accounts: akuchiezakavec@nickmin[.]com. No verifiable professional identity was found for this address or for anyone associated with the domain. The sender's association with Best Buy or Geek Squad was entirely fabricated.
This delivery method is specifically designed to exploit the gap between authentication and content inspection. DKIM passes because Google is the actual sender. SPF returns none rather than fail because the domain simply has no SPF policy, and many email gateways treat none as inconclusive rather than suspicious. The calendar invite format itself is a trusted content type that most users and most security tools treat as low-risk.
Telephone-Oriented Attack Delivery (TOAD), sometimes called callback phishing, has become a significant component of the social engineering threat landscape. The FBI's Internet Crime Report published in 2024 documented over $2.9 billion in BEC losses, and phone-based social engineering is a growing and underreported contributor to that figure.
The model is efficient. The attacker sends a notification that creates financial urgency. The victim initiates the call. On the other end is a live operator (or a convincing automated script) prepared to extract credentials, payment card details, or remote desktop access under the guise of customer support.
In this case, the Geek Squad brand impersonation is a well-documented pattern. The $359.99 charge amount is calibrated: high enough to trigger alarm, low enough to seem plausible for a software renewal or support subscription. The multiple phone numbers and the inclusion of a physical address add bureaucratic texture that makes the notice feel procedural rather than threatening. Grammar inconsistencies and formatting oddities are present but subtle enough that a stressed recipient focused on a $360 unexpected charge might not notice.
The phone numbers listed in the invite do not match any publicly listed Best Buy or Geek Squad contact information. The street address is unverifiable. Every element exists to build just enough credibility to get the recipient to dial.
Themis, the Adaptive AI, flagged this incident based on the combination of a same-day registered organizer domain, the absence of any SPF policy, behavioral patterns in the invite content consistent with financial-urgency social engineering, and community-level intelligence from similar Geek Squad TOAD campaigns observed across the IRONSCALES network. Across that network, 67.5 phishing emails per 100 mailboxes per month bypass traditional secure email gateways, and zero-link vishing attacks are among the hardest categories for legacy tools to detect.
This attack maps to MITRE ATT&CK T1566.001 (Phishing: Spearphishing Attachment) for the ICS delivery vector, and to T1566.004 (Phishing: Spearphishing Voice) and T1598.004 (Phishing for Information: Spearphishing Voice) for the callback itself, in which the lure directs the victim to phone a number where a live operator harvests credentials, payment details, or remote access. T1204.001 (User Execution: Malicious Link) is a poor fit here: there is no link to click, and the victim action the attacker needs is an out-of-band phone call.
Traditional email defenses assume a technical artifact: a URL to block, a file to sandbox, a domain to blacklist. When the payload is a phone number embedded in a calendar description, those assumptions break down.
Detection requires domain-age evaluation at the envelope level rather than only for embedded URLs. It requires behavioral analysis of calendar invite content, not just attachment detonation. And it requires user awareness training that specifically addresses callback phishing scenarios, because this attack succeeds or fails based entirely on whether the recipient picks up the phone.
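The following is an added example, not IRONSCALES or Themis code, showing the checks the paragraph above and the authentication discussion earlier call for, run together over one message: read the SPF and DKIM results and compare the DKIM d= domain with the ICS ORGANIZER domain, evaluate the age of the envelope (Return-Path) domain, and analyse the calendar description for the callback pattern (a dollar amount, one or more phone numbers, urgency wording). The sample message is constructed to match the pattern the post describes; the envelope address and domain are the post's own indicators, but the phone numbers (555 range), street address, dates, and the 30-day and three-reason thresholds are assumptions, and the registration-date dictionary stands in for a live WHOIS/RDAP lookup. It also unfolds RFC 5545 line folding before matching, because a folded DESCRIPTION can split an amount or a phone number across lines and defeat a per-line regex.

```python
import re
from datetime import date
from email import message_from_string, policy

# Constructed sample in the shape the post describes; not the real message.
# DKIM is Google's, SPF is "none" for the organizer's envelope domain, and the
# text/calendar body carries only a billing story and callback numbers. The
# DESCRIPTION is RFC 5545 line-folded so the amount and one number straddle folds.
RAW_MESSAGE = """\
Return-Path: <akuchiezakavec@nickmin.com>
Authentication-Results: mx.example.net; spf=none smtp.mailfrom=nickmin.com; dkim=pass header.d=google.com; dmarc=none header.from=nickmin.com
From: akuchiezakavec@nickmin.com
To: user@example.net
Subject: Invitation: Geek Squad Member Services Billing Notice
Content-Type: text/calendar; charset=UTF-8; method=REQUEST

BEGIN:VCALENDAR
BEGIN:VEVENT
ORGANIZER;CN=Geek Squad Member Services:mailto:akuchiezakavec@nickmin.com
DESCRIPTION:Geek Squad's Member Services\\nA charge of $359.9
 9 USD will be applied on your next billing cycle.\\nTo dispute this charge
  call immediately: +1 (888) 555-0142 or 1-888-55
 5-0199\\nSupport Center\\, 1234 Example Ave\\, Springfield
END:VEVENT
END:VCALENDAR
"""

# Stand-in for a WHOIS/RDAP lookup (constructed date); query it live in production.
CONSTRUCTED_REGISTRATION_DATES = {"nickmin.com": date(2025, 1, 15)}

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
AMOUNT_RE = re.compile(r"\$\s?\d{1,3}(?:,\d{3})*(?:\.\d{2})?")
URGENCY_TERMS = ("immediately", "dispute", "charge", "urgent", "suspend")


def parse_ics(ics_text):
    """Unfold RFC 5545 lines and return {PROPERTY: unescaped value}."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)
    props = {}
    for line in unfolded.splitlines():
        if ":" not in line:
            continue
        name_params, value = line.split(":", 1)
        name = name_params.split(";", 1)[0].upper()
        # Text escapes: \n newline, \, comma, \; semicolon, \\ backslash.
        props[name] = re.sub(
            r"\\([nN,;\\])",
            lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)
    return props


def domain_of(addr):
    """Domain part of a mailto:/angle-bracketed address, lowercased."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower().rstrip(".") if m else None


def analyze(raw, today, registration_dates=CONSTRUCTED_REGISTRATION_DATES):
    """Score a calendar-invite email for zero-link callback phishing."""
    msg = message_from_string(raw, policy=policy.default)
    auth = str(msg.get("Authentication-Results", ""))
    spf = re.search(r"\bspf=(\w+)", auth)
    dkim = re.search(r"\bdkim=(\w+)[^;]*?header\.d=([\w.-]+)", auth)
    dkim_domain = dkim.group(2).lower() if dkim else None

    ics = next((p.get_content() for p in msg.walk()
                if p.get_content_type() == "text/calendar"), "")
    props = parse_ics(ics)
    description = props.get("DESCRIPTION", "")
    organizer_domain = domain_of(props.get("ORGANIZER"))
    envelope_domain = domain_of(str(msg.get("Return-Path", "")))
    reg = registration_dates.get(envelope_domain)
    age_days = (today - reg).days if reg else None

    phones = sorted({re.sub(r"\D", "", p) for p in PHONE_RE.findall(description)})
    amounts = AMOUNT_RE.findall(description)
    urgency = sorted(t for t in URGENCY_TERMS if t in description.lower())

    reasons = []
    # A DKIM pass only vouches for the signing domain (d=), here Google's.
    if dkim and dkim.group(1) == "pass" and dkim_domain != organizer_domain:
        reasons.append("dkim d=%s does not match organizer %s" % (dkim_domain, organizer_domain))
    if spf and spf.group(1) == "none":
        reasons.append("envelope domain publishes no SPF policy")
    if age_days is not None and age_days < 30:
        reasons.append("envelope domain registered %d day(s) before send" % age_days)
    if phones and amounts and urgency:
        reasons.append("amount + callback number + urgency wording, no links")

    return {"spf": spf.group(1) if spf else None,
            "dkim_domain": dkim_domain, "organizer_domain": organizer_domain,
            "domain_age_days": age_days, "phone_numbers": phones,
            "amounts": amounts, "urgency_terms": urgency, "reasons": reasons,
            "verdict": "toad_suspect" if len(reasons) >= 3 else "review"}


def analyze_sample():
    """Run the detector over the constructed message as of its send date."""
    return analyze(RAW_MESSAGE, date(2025, 1, 15))
```

Run `analyze_sample()` and all four reasons fire: the DKIM signing domain is google.com while the organizer is nickmin.com, SPF is none, the envelope domain is zero days old, and the description combines an amount, two normalised callback numbers and urgency terms. None of those checks needs a URL or a detonated attachment, which is the point: the envelope-domain age and the content pattern carry the detection, and the authentication results are only context.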
The 2024 Verizon DBIR found the human element involved in 68% of breaches. Attacks like this one are designed to route around every technical control and land directly in human judgment: you have been charged $360 for something you did not buy, and here is the number to call.
| Type | Indicator | Context |
|---|---|---|
| Organizer Domain | nickmin[.]com | Same-day registered, privacy-protected, no SPF |
| Organizer Email | akuchiezakavec@nickmin[.]com | Return-path address, disposable account pattern |
| Sending IP | 209[.]85[.]220[.]69 | Google mail infrastructure (mail-sor-f69[.]google[.]com) |
| ICS Attachment | invite.ics | Calendar invite with fraudulent Geek Squad billing claim |
| Impersonated Brand | Geek Squad / Best Buy | $359.99 charge, fake "Member Services" identity |