
The Invoice That Never Existed: Geek Squad TOAD via a Blank-Extension JPEG

Written by Audian Paxson | May 8, 2025 11:00:00 AM
TL;DR A throwaway Hotmail account sent a fake $559.47 invoice styled after Geek Squad (rendered as 'Squad Geek' in the image) as a JPEG attachment with no filename and no extension, declared as application/octet-stream, so text-based scanners had nothing to read. The message carried no links and no executable content, leaving URL reputation and attachment sandboxing nothing to act on. The entire payload was a phone number, steering the recipient into a live phone-based fraud flow where social engineers collect payment card details or push remote-access software. SPF, DKIM and DMARC all passed because the message genuinely came from Microsoft's consumer mail infrastructure; nothing was spoofed. It is textbook telephone-oriented attack delivery (TOAD): evade the gateway, land the invoice, hijack the victim on the phone.
Severity: Medium | Tags: Callback Phishing, TOAD, Invoice Fraud | MITRE: T1566.001, T1598

The attachment has no name and no extension. MIME type: application/octet-stream. When the gateway tries to decide what to do with it, there is almost nothing to decide on. No extension means no obvious scan profile. No links means no URL to detonate. No macros, no scripts, no executable code. The message passes through clean.

What it contains is a JPEG invoice, 1200 by 1212 pixels, rendered to look like a billing statement for $559.47 from an entity calling itself "Squad Geek," a visual echo of the Geek Squad brand. The only thing the recipient is asked to do is pick up the phone and call +1 838 900 4634 within 24 hours to dispute the charge.

This is a TOAD: telephone-oriented attack delivery. The email is not the attack. The phone call is.

Why a Blank-Extension JPEG Clears the Gateway

Email gateways make triage decisions quickly. When an attachment arrives with a known extension (.exe, .docx, .pdf), the scanner applies the corresponding ruleset. When the extension is absent and the declared MIME type is application/octet-stream, that mapping has nothing to key on. A gateway that sniffs magic bytes will still recognise the part as a JPEG, but that only tells it the part is an image; absent embedded scripts or an exploit against the image parser, an image is rarely something a gateway blocks. It has no brand-impersonation rule, no invoice-pattern rule, and no OCR engine scanning for "you will be charged $559.47."

The content exists only as pixel data. To a system that does not perform optical character recognition on every inbound JPEG, the invoice might as well be a photograph of a landscape.
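The first check a practitioner would want on a part like this is to ignore the declared type and filename entirely and classify the bytes themselves. The following Python is an added example, not IRONSCALES code or anything from the original post: it builds a constructed message whose only attachment is a nameless, extension-less application/octet-stream part that is really a JPEG (a minimal header with the 1200 by 1212 geometry from the write-up, not the actual attachment), sniffs the magic bytes, reads the frame size from the SOF0 marker, and flags the mismatch. The sender address is a placeholder.

```python
import email
import struct
from email import policy
from email.message import EmailMessage

# Leading bytes that identify common attachment types regardless of the
# declared MIME type or filename extension.
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"%PDF-": "application/pdf",
    b"PK\x03\x04": "application/zip",   # also docx/xlsx/pptx/jar
    b"MZ": "application/x-dosexec",
}


def sniff_type(data: bytes) -> str:
    """Classify a byte string by its magic bytes, ignoring all headers."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return "unknown"


def jpeg_dimensions(data: bytes):
    """Walk JPEG marker segments to the first SOFn header; return (width, height)."""
    if not data.startswith(b"\xff\xd8"):
        return None
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker in (0xD9, 0xDA):          # EOI or SOS before any frame header
            return None
        seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
        if marker in (0xC0, 0xC1, 0xC2):     # SOFn layout: [len][precision][height][width]
            height, width = struct.unpack(">HH", data[i + 5:i + 9])
            return width, height
        i += 2 + seg_len
    return None


def build_sample_jpeg(width: int, height: int) -> bytes:
    """Constructed minimal JPEG (SOI, JFIF APP0, SOF0, EOI); not the real attachment."""
    soi = b"\xff\xd8"
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    components = b"\x01\x22\x00\x02\x11\x01\x03\x11\x01"   # 3 components, 8-bit
    sof0 = b"\xff\xc0" + struct.pack(">HBHHB", 17, 8, height, width, 3) + components
    return soi + app0 + sof0 + b"\xff\xd9"


def build_sample_message() -> bytes:
    """Constructed message with the attachment shape from the write-up:
    no filename, no extension, declared application/octet-stream."""
    msg = EmailMessage()
    msg["From"] = "sender@hotmail.com"          # placeholder, not the real account
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(build_sample_jpeg(1200, 1212),
                       maintype="application", subtype="octet-stream")
    return msg.as_bytes()


def triage_attachments(raw: bytes) -> list:
    """One finding per attachment: flags nameless parts, generic MIME types
    that hide a recognised format, and images that need OCR before any
    text rule can see their content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        declared = part.get_content_type()
        actual = sniff_type(data)
        flags = []
        if part.get_filename() is None:
            flags.append("no-filename")
        if declared == "application/octet-stream" and actual != "unknown":
            flags.append("generic-mime-hides-" + actual)
        if actual in ("image/jpeg", "image/png"):
            flags.append("image-needs-ocr")
        finding = {"filename": part.get_filename(), "declared": declared,
                   "actual": actual, "size": len(data), "flags": flags}
        if actual == "image/jpeg":
            finding["dimensions"] = jpeg_dimensions(data)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage_attachments(build_sample_message()):
        print(finding)
```

Routing on `actual` rather than `declared` is the point: once the part is known to be an image, it can be handed to an OCR stage, and a nameless octet-stream part that turns out to be a JPEG is itself a signal worth scoring.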

Consumers and small-business recipients face this gap constantly. The Verizon DBIR 2026 notes that phishing remains the top initial access vector, with social engineering attacks increasingly migrating to channels that avoid technical detection. TOAD campaigns are a deliberate expression of that migration: move the dangerous part of the attack off the email infrastructure and onto a phone line where no automated system is watching.

The Invoice as Social Engineering

The fabricated charge is not random. $559.47 is plausible as a consumer electronics service agreement. "Geek Squad" is a recognized brand associated with Best Buy support services, making the transposed name "Squad Geek" close enough to generate alarm in someone skimming their inbox. The 24-hour dispute window manufactures urgency that short-circuits deliberate thinking.

The ticket codes in the message (QLTCKT, 2W2U-373490-4IKA4H-NNJEDJ) look like real reference numbers. They are not. The footer address ("Sarah Lock Suite 533, Ronaldfort, OK 51826") resolves to nothing. The product description ("Philips Microwave AH-560") does not match any model in Philips' catalog. None of this matters if the recipient panics and dials.


The sender, bettsaddisonrswl@hotmail[.]com, is a throwaway consumer Hotmail account with a randomized local-part and no verifiable identity. SPF passed, DKIM passed, DMARC passed. The message flowed through Microsoft's outbound infrastructure exactly as Microsoft intended it to. There was no spoofing. The authentication headers are accurate: this Hotmail account really did send this email.

What Happens on the Phone

When a victim calls the number printed in the invoice, a live operator typically presents one of two social-engineering paths. In the payment-recovery version, the "support agent" asks for bank account or card information to issue a refund. In the remote-access version, the agent directs the victim to install software, then uses that access to stage further fraud, install malware, or harvest credentials from the victim's device.

Neither path leaves a trace in email telemetry. By the time a security team investigates the alert, the conversation has already happened.

Callback phishing campaigns of this type have no technical payload to detect. There is no URL to sandbox, no attachment that does anything when detonated, no C2 to block. The attack is pure social engineering, weaponizing a recognizable brand and a believable dollar amount to manufacture a sense of urgency.

What the Detection Stack Saw

IRONSCALES Adaptive AI flagged this message at 62% confidence. The sender was a first-time contact to this mailbox, unverifiable against any known business entity, sending from a consumer randomized address with a high-pressure invoice as its only content. The behavioral profile matched the TOAD pattern even in the absence of a technical payload.

The phishing detection did not rely on a malicious URL verdict or an attachment hash. It evaluated the sender relationship, the message structure, and the social-engineering pattern. That combination, not any individual technical signal, drove the flag.

Stopping Image-Invoice Callback Fraud

The defensive surface for TOAD attacks is narrow because the attack deliberately avoids technical infrastructure that security teams can inspect. Effective countermeasures operate on the behavioral layer:

Sender-relationship scrutiny. A first-time external contact delivering an invoice is anomalous regardless of authentication status. Consumer mailbox accounts are not corporate billing systems.

OCR-based scanning. Security platforms that perform optical character recognition on inbound JPEG and PNG attachments can surface dollar amounts, brand names, and phone numbers for inspection even when the content is not rendered as text.

Employee awareness of the brand-inversion pattern. "Geek Squad," "Squad Geek," "GeekSquad Support": consumers and employees should know these names are frequently impersonated and that any unsolicited invoice for a service they do not recognize warrants a call to the real company through its published website, not through a number in the email.
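The three countermeasures above, and the behavioural signals the detection section describes (first-contact sender, consumer mailbox, high-pressure invoice as the only content), can be expressed as a scoring pass over message metadata plus whatever text OCR recovers from image attachments. The following Python is an added example, not the IRONSCALES detection logic: the weights and thresholds are hypothetical, the OCR text is constructed to mirror the invoice described in this post (it is not real OCR output), and the sender address is a placeholder. It also shows why an Authentication-Results header full of "pass" verdicts is not a trust signal when the sending domain is freemail.

```python
import re

# Hypothetical lists and weights; tune against your own mail flow.
FREEMAIL_DOMAINS = {"hotmail.com", "outlook.com", "live.com", "gmail.com",
                    "yahoo.com", "aol.com", "icloud.com", "proton.me"}
IMPERSONATED_BRANDS = ("geek squad", "squad geek", "geeksquad", "best buy",
                       "norton", "mcafee", "paypal")
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
AMOUNT_RE = re.compile(r"\$\s?\d{1,3}(?:,\d{3})*(?:\.\d{2})?")
URGENCY_RE = re.compile(r"\bwithin\s+(\d{1,3})\s*(?:hours?|hrs?)\b", re.I)
URL_RE = re.compile(r"https?://", re.I)


def parse_auth_results(header: str) -> dict:
    """Pull spf/dkim/dmarc verdicts out of an Authentication-Results value."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def score_callback_phish(sender: str, auth_results: str, body_text: str,
                         ocr_text: str, prior_contacts: set) -> dict:
    """Score a message on TOAD behavioural signals.
    ocr_text is whatever OCR recovered from image attachments ("" if none);
    prior_contacts is the set of addresses this mailbox has corresponded with."""
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    text = f"{body_text}\n{ocr_text}"
    lowered = text.lower()
    hits = []                                   # (label, points)

    if sender not in prior_contacts:
        hits.append(("first-contact sender", 2))
    if domain in FREEMAIL_DOMAINS:
        hits.append((f"consumer mailbox domain {domain}", 1))
    phones = PHONE_RE.findall(text)
    if phones:
        hits.append((f"phone number(s) {phones}", 2))
        if not URL_RE.search(text):
            hits.append(("phone is the only call to action", 1))
    amounts = AMOUNT_RE.findall(text)
    if amounts:
        hits.append((f"dollar amount(s) {amounts}", 1))
    deadline = URGENCY_RE.search(text)
    if deadline:
        hits.append((f"{deadline.group(1)}-hour deadline", 2))
    brands = [b for b in IMPERSONATED_BRANDS if b in lowered]
    if brands:
        hits.append((f"impersonated brand {brands}", 2))
    if not body_text.strip() and ocr_text.strip():
        hits.append(("all content carried in image pixels", 0))

    # Passing SPF/DKIM/DMARC from a freemail domain proves only that the
    # freemail account sent the message; it says nothing about the sender.
    auth = parse_auth_results(auth_results)
    if domain in FREEMAIL_DOMAINS and all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")):
        hits.append(("auth pass from freemail; not a trust signal", 0))

    score = sum(points for _, points in hits)
    verdict = ("callback-phishing-suspect" if score >= 7
               else "review" if score >= 4 else "clean")
    return {"score": score, "verdict": verdict, "signals": [label for label, _ in hits]}


# Constructed inputs mirroring the invoice described in the write-up.
SAMPLE_OCR = """Squad Geek  Invoice  QLTCKT
Philips Microwave AH-560 ... Total: $559.47
To dispute this charge call +1 838 900 4634 within 24 hours."""
SAMPLE_AUTH = "spf=pass smtp.mailfrom=hotmail.com; dkim=pass header.d=hotmail.com; dmarc=pass"


def sample_verdict() -> dict:
    """The image-invoice TOAD shape: empty body, everything in OCR text."""
    return score_callback_phish("sender@hotmail.com", SAMPLE_AUTH, "", SAMPLE_OCR, set())


def benign_verdict() -> dict:
    """A known corporate contact with ordinary text, for contrast."""
    return score_callback_phish("alice@vendor.example", "spf=pass; dkim=pass; dmarc=pass",
                                "Thanks, see you at the 3pm call.", "", {"alice@vendor.example"})


if __name__ == "__main__":
    print(sample_verdict())
    print(benign_verdict())
```

None of the individual signals is damning on its own; an invoice from a first-time contact or a phone number in an email is routine. It is the combination, with no URL or executable to fall back on, that should route the message to review and, ideally, to a verification call placed through the impersonated company's published number rather than the one in the image.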

The closest MITRE ATT&CK mapping for the delivery is Spearphishing Attachment (T1566.001); the callback itself, where the fraud actually happens, is Spearphishing Voice (T1566.004). CISA guidance on phishing specifically flags unsolicited invoices with urgent dispute windows as a top consumer phishing lure. The Microsoft Digital Defense Report 2024 notes TOAD campaigns as among the fastest-growing callback-enabled fraud vectors, precisely because they circumvent infrastructure-based controls entirely.

No link. No executable. Just a JPEG, a phone number, and a clock counting down. That is enough.

---

Indicators

Type              Indicator                            Context
Email             bettsaddisonrswl[at]hotmail[.]com    Throwaway Hotmail sender account
Phone             +1 838 900 4634                      Fraudulent callback number printed in invoice image
Ticket code       QLTCKT                               Fabricated reference code in fake invoice
Ticket code       2W2U-373490-4IKA4H-NNJEDJ            Fabricated reference code in fake invoice
File hash (MD5)   4e92f3156e4797b873c66185ebdac6ed     JPEG invoice attachment (no extension, application/octet-stream)

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.
