The email had no links to click. The attachment was clean. Every technical authentication check passed. The entire attack was a phone number.
In May 2026, a mechanical engineering manager at an automotive technology manufacturer received an invoice claiming to be from Geek Squad for a $537 subscription renewal. The message came from a generic Hotmail account with a display name that sounded like a person rather than a business. The invoice was a JPEG image attached to the email. Inside that image, a phone number appeared as the only action the recipient could take.
Security teams focus significant detection effort on links, macros, and executable payloads. A JPEG image offers none of those attack surfaces. No antivirus scanner will flag a static JPEG as malicious. No sandbox will detonate it. No URL reputation engine has anything to evaluate. The image just renders.
This is telephone-oriented attack delivery (TOAD), also described in the Verizon DBIR 2026 as one of the callback-TOAD variants representing roughly 5% of the gateway attack mix. The technique trades technical sophistication for social engineering sophistication: instead of deploying malware, the attacker deploys a plausible pretext that motivates the recipient to call a phone number and interact with a live operator or automated system capable of extracting credentials, payment information, or remote access.
The callback number in this attack, +1 845-202-4290, has no association with Best Buy's published support infrastructure. Geek Squad support contacts are listed under bestbuy.com. A recipient who calls this number reaches the attacker's operation, where operators typically script around a "cancellation process" that requires payment card verification or, in more aggressive variants, remote-access software installation under the pretext of processing a refund.
The message authenticated completely. SPF passed because the sending IP (2a01:111:f403:d100::) is part of Microsoft's outbound Hotmail/Outlook.com range. DKIM passed for d=hotmail.com. DMARC passed with action=none under hotmail.com policy. ARC chain validation passed. The compauth score was 100, the highest possible value.
This is exactly what a legitimate Hotmail message should look like. What authentication does not verify is whether the display name "Massey Skylar" is the actual person who sent the email, or whether the Geek Squad branding inside the attachment is authorized. Email authentication verifies the sending infrastructure, not the content or the identity claim.
The Microsoft Digital Defense Report 2024 notes that free consumer email services remain a primary launchpad for social engineering campaigns precisely because they authenticate cleanly and have established positive reputation. The IRONSCALES platform data shows that 67.5 phishing emails per 100 mailboxes per month reach recipients despite gateway filtering; clean-authentication TOAD attacks account for a meaningful share of that volume because they present no technical signals for gateways to evaluate.
The attachment contained several inconsistencies that a careful reviewer would recognize as fabrication signals.
The footer of the invoice attributed the document to "Windows Defender," not Geek Squad or Best Buy. These are different products from the same parent company, and no real Geek Squad renewal invoice carries Windows Defender branding in its footer. This mismatch indicates the attacker assembled the invoice from multiple phishing kit templates without reconciling the branding.
The arithmetic in the line items did not reconcile: a listed quantity of 5 at a unit price of $100 should total $500, but the subtotal and final amount showed $537. Fabricated invoices frequently contain arithmetic errors because the dollar amount is chosen to appear credible (large enough to create urgency, small enough not to trigger immediate disbelief) and inserted without validating against the line items.
A fabricated forwarded-message block in the email body referenced the recipient's actual work email address alongside a date, attempting to simulate an internal forward that had already been reviewed by someone else. This social-engineering layer is designed to reduce the recipient's instinct to escalate or verify independently.
| Type | Indicator | Context |
|---|---|---|
| Email | massey4ec8skylar@hotmail[.]com | Attacker sending address; display name "Massey Skylar" |
| Phone | +1 845-202-4290 | Attacker callback number embedded in JPEG invoice |
| File | 9TPL0DCGZ7S3 (JPEG, 241,942 bytes) | Invoice image; MD5 7137a1270d4fb2501627570e686b9cdf |
This attack class is specifically designed to have no technical payload that traditional defenses evaluate. The CISA phishing guidance and NIST's phishing definition both recognize callback fraud as a distinct threat category precisely because it bypasses controls oriented around malicious links and attachments.
The detection surface available to an automated system is behavioral and contextual: a first-time sender from a consumer email domain, a subject line referencing a ticket or security validation ID, a JPEG attachment consistent with invoice fraud templates, and no organizational relationship between the sender and recipient. IRONSCALES applies behavioral analysis across these signals rather than relying solely on link verdicts. Account takeover protection complements this by flagging free-webmail senders impersonating known brands even when the technical signals are all clean.
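As an added example (not IRONSCALES platform code), the following Python applies the two points above to a constructed message in the shape described: the authentication check passes because the sending infrastructure is genuine Hotmail, while the contextual signals listed in this paragraph are scored independently of any link or payload. The freemail domain list, brand vocabulary, ticket-ID regex and empty known-senders set are assumptions.

```python
import re
import email.policy, email.utils

# Constructed sample in the shape described above: clean Hotmail authentication,
# consumer-webmail sender, brand lure in the subject, image-only JPEG attachment.
RAW_MESSAGE = b"""\
From: Massey Skylar <massey4ec8skylar@hotmail.com>
Subject: Geek Squad renewal - Security Validation ID GS-PLACEHOLDER-0001
Authentication-Results: spf=pass smtp.mailfrom=hotmail.com; dkim=pass header.d=hotmail.com; dmarc=pass action=none header.from=hotmail.com; compauth=pass reason=100
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/jpeg; name="invoice.jpg"
Content-Disposition: attachment; filename="invoice.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRg==
--b1--
"""
FREEMAIL_DOMAINS = {"hotmail.com", "outlook.com", "gmail.com", "yahoo.com"}  # assumed
BRAND_TERMS = ("geek squad", "best buy", "windows defender")  # assumed lure vocabulary
KNOWN_SENDERS = set()  # constructed: recipient has no prior contact with the sender
TICKET_RE = re.compile(r"\b(ticket|case|validation)\b.{0,12}?[A-Z0-9-]{6,}", re.I)

def auth_passed(msg):
    # SPF, DKIM and DMARC all pass: this vouches for the sending infrastructure only.
    results = str(msg.get("Authentication-Results", "")).lower()
    return all(f"{m}=pass" in results for m in ("spf", "dkim", "dmarc"))

def toad_signals(msg):
    # Behavioral and contextual signals; none depends on a URL, macro or payload.
    _, sender = email.utils.parseaddr(str(msg["From"]))
    domain = sender.rpartition("@")[2].lower()
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain",))  # None when the mail is attachment-only
    text = (subject + " " + (body.get_content() if body else "")).lower()
    types = [p.get_content_type() for p in msg.iter_attachments()]
    return {
        "consumer_webmail_sender": domain in FREEMAIL_DOMAINS,
        "first_time_sender": sender.lower() not in KNOWN_SENDERS,
        "brand_lure_in_text": any(t in text for t in BRAND_TERMS),
        "ticket_or_validation_id_in_subject": bool(TICKET_RE.search(subject)),
        "image_only_attachment": bool(types) and all(t.startswith("image/") for t in types),
    }

def assess(raw):
    # Returns (auth_passed, signals, score); clean auth plus a high score is the TOAD pattern.
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    signals = toad_signals(msg)
    return auth_passed(msg), signals, sum(signals.values())
```

For the constructed message every signal fires (score 5) even though authentication is clean, which is the combination a gateway keyed on link and payload verdicts never sees.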
The IBM Cost of a Data Breach 2024 report notes that social engineering remains one of the costliest initial access vectors. TOAD attacks are effective not because they are technically sophisticated but because they move the fraud conversation off a channel that security tools monitor (email) and onto one that is largely unmonitored (a phone call). Security awareness training that covers vishing and callback fraud scenarios, not just URL-based phishing, is essential for closing this gap. Phishing simulation testing that includes TOAD lure templates gives organizations a direct measure of employee susceptibility to invoice callback fraud before a real attacker does.
The MITRE ATT&CK framework maps this to Phishing via Spearphishing Attachment (T1566.001). In this case the attachment is the lure rather than the payload, but the classification holds: an email attachment was used to deliver the information needed to complete the fraud.