An invoice arrives. NortonLifeLock letterhead. $440.90 billed. Invoice ID included. A polite note: if you did not authorize this charge, call the number provided to cancel. There is no link to click. There is no attachment to open. There is only a phone number.
That is the entire attack.
Callback phishing, also called TOAD (Telephone-Oriented Attack Delivery), is specifically designed to defeat the detection infrastructure that dominates enterprise email security. URL reputation engines need a URL. Sandbox detonation needs a file. When an email carries neither, both defenses become irrelevant.
The message in this case carried no links and no attachments. The Cisco IronPort ESA at the receiving organization saw clean headers and a plain-text body. Microsoft Exchange Online Protection processed it next and reached the same conclusion. Neither had a technical artifact to evaluate. The anti-spam scoring flagged it as suspected spam based on content heuristics, enough to prepend a warning banner but not enough to block delivery.
The attack's entire bet is that a recipient who sees an unexpected $440.90 charge on a NortonLifeLock invoice will panic enough to call the provided number before questioning whether the invoice is real. The callback number connects to attackers posing as NortonLifeLock support agents, who then walk the victim through "canceling the charge" in ways that extract payment credentials, remote access, or both.
The message was sent from a compromised account at a scholarship organization whose domain had been registered since 2011. Registration age is one of the first things a domain reputation system weighs: a 14-year-old domain with no prior abuse history carries a clean score. The message passed SPF, DKIM, and DMARC at the initial Google relay hop, and those results were correct: it genuinely originated from the scholarship organization's mail platform.
Authentication failures appeared at the final Microsoft hop, where SPF showed softfail, DKIM failed, and DMARC failed against the scholarship domain's published policy of reject. That is what a relay chain does to authentication: the intermediate gateway connected to Microsoft from its own IP, which the scholarship domain's SPF record does not authorize, and a body modified in transit (a prepended warning banner is enough) no longer matches the DKIM body hash the origin signed. Those failures were accurate readings of what the message had become by that point, but the enforcement action that p=reject calls for, rejecting or quarantining the message, did not prevent delivery. A final hop that accepts mail from a trusted upstream gateway typically does not apply the originating domain's DMARC policy to that gateway's traffic at SMTP time, so the verdict was recorded and the message was delivered.
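The relay chain described above, simulated hop by hop as an added example (this is not IRONSCALES code). Domain names, the SPF record and its include, the signed body and the gateway banner are constructed; the two connecting IPs are the relay addresses from the IOC table at the end of the page. The example assumes the warning banner was prepended by the intermediate gateway before the message reached Microsoft, which on its own invalidates the DKIM body hash; only the body hash (bh=) is modelled, not the header hash or the signature. It reports the SPF, DKIM and DMARC result at each receiving hop and the action the From domain's p= policy calls for.

```python
import base64
import hashlib
import ipaddress
import re

# Constructed stand-ins for the scholarship organization's domain, its SPF record,
# and the address space behind its include (real SPF evaluation resolves DNS).
SENDER_DOMAIN = "scholarship.example"
SPF_RECORD = "v=spf1 include:_spf.google.example ~all"
INCLUDE_NETS = {"_spf.google.example": ["209.85.128.0/17"]}
DMARC_POLICY = "reject"          # the From domain's published p= value

# Constructed lure body as signed at the origin, and the banner a gateway prepends.
ORIGINAL_BODY = (
    "Dear Customer,\r\n\r\n"
    "Your NortonLifeLock subscription was renewed for $440.90.\r\n"
    "Invoice ID: INV-54024698\r\n"
    "If you did not authorize this charge, call +1 804 653 3660 to cancel.\r\n"
)
BANNER = "CAUTION: this message was flagged as suspected spam.\r\n\r\n"


def spf_check(connecting_ip: str, record: str) -> str:
    """Minimal SPF evaluator: ip4 and include mechanisms, then the 'all' qualifier."""
    addr = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term.startswith("include:"):
            if any(addr in ipaddress.ip_network(n) for n in INCLUDE_NETS.get(term[8:], [])):
                return "pass"
        if term.endswith("all"):
            return {"~": "softfail", "-": "fail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"


def dkim_body_hash(body: str) -> str:
    """bh= under relaxed body canonicalization (RFC 6376 section 3.4.4): collapse runs
    of whitespace, strip trailing whitespace, drop trailing empty lines, terminate
    every line with CRLF, then SHA-256.  Any byte the gateway adds to the body
    changes this value, which is what makes the origin's DKIM signature fail."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    canon = "".join(ln + "\r\n" for ln in lines)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()


def org_domain(domain: str) -> str:
    """Relaxed DMARC alignment compares organizational domains; two labels suffice here."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_verdict(from_domain, spf, envelope_domain, dkim, dkim_domain, policy):
    """DMARC passes if either authenticated identifier aligns with the From domain;
    otherwise the domain owner's published action applies."""
    spf_aligned = spf == "pass" and org_domain(envelope_domain) == org_domain(from_domain)
    dkim_aligned = dkim == "pass" and org_domain(dkim_domain) == org_domain(from_domain)
    return ("pass", "none") if (spf_aligned or dkim_aligned) else ("fail", policy)


def walk_chain():
    """Evaluate each receiving hop against the IP that connected to it and the body
    it actually received.  The IPs are the two relay addresses from the IOC table."""
    signed_bh = dkim_body_hash(ORIGINAL_BODY)
    hops = [
        ("ironport-esa", "209.85.161.53", ORIGINAL_BODY),            # received from Google
        ("microsoft-eop", "139.138.34.192", BANNER + ORIGINAL_BODY),  # received from the ESA
    ]
    report = []
    for name, ip, body in hops:
        spf = spf_check(ip, SPF_RECORD)
        dkim = "pass" if dkim_body_hash(body) == signed_bh else "fail"
        dmarc, action = dmarc_verdict(SENDER_DOMAIN, spf, SENDER_DOMAIN,
                                      dkim, SENDER_DOMAIN, DMARC_POLICY)
        report.append({"hop": name, "spf": spf, "dkim": dkim, "dmarc": dmarc, "action": action})
    return report


if __name__ == "__main__":
    for hop in walk_chain():
        print(hop)
```

The first hop sees an authorized IP and an unmodified body, so DMARC passes exactly as the page reports. The second hop sees the gateway's IP (softfail under the `~all` qualifier) and a body whose hash no longer matches (DKIM fail), so DMARC fails and the published action is `reject`. Relaxed canonicalization tolerates whitespace churn from intermediate MTAs, but not added content.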
The sender display name was attached to the scholarship organization's account, carrying no visible connection to NortonLifeLock. The brand impersonation existed entirely in the message body, not in the From header.
This was not a targeted attack. The To header contained hundreds of recipient addresses drawn from healthcare, education, government, and financial organizations. The message content used a generic "Dear Customer" greeting with no personalization. The goal was volume: send to enough inboxes that some percentage of recipients panic and call.
Invoice fraud campaigns of this type succeed through statistical reach rather than precision targeting. Each recipient who calls the fake support number and provides card details or remote access represents a complete return on a campaign that required no per-recipient research. The compromised scholarship account gave the attacker a legitimate sending platform capable of high-volume distribution without triggering the sending-reputation flags that newly registered domains or consumer ESP accounts would generate.
The choice of NortonLifeLock as the impersonated brand is deliberate. The brand is associated with consumer security subscriptions that many people carry but do not closely monitor. An unexpected auto-renewal charge at a familiar price point reads as plausible. The invoice format, with a reference number and a specific dollar amount, provides enough surface detail to appear credible on first read without requiring the attacker to maintain any real brand infrastructure.
IRONSCALES Adaptive AI flagged this campaign at 90% confidence, categorized as invoice phishing. The detection relied on signals that exist at the content and behavioral layers rather than in URL or attachment analysis.
The content signals: a NortonLifeLock impersonation lure, a specific invoice amount, a reference number, and a callback instruction all combined in a message body that matched known TOAD invoice patterns. The behavioral signals: a first-contact message from a scholarship organization account to healthcare and professional recipients, sent in a mass blast with no personalization, carrying language calibrated to provoke urgent action. No single signal is decisive. The combination produces a high-confidence verdict.
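The combination of content and behavioural signals described in the two paragraphs above, as an added example (this is not IRONSCALES' detector): regular-expression features for the callback-invoice pattern plus message-level context, run over two constructed messages, the lure from this campaign and a routine vendor invoice that shares most of its surface features. The feature weights, threshold, brand list and both sample bodies are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Lexical features of the callback-phishing invoice pattern.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
AMOUNT_RE = re.compile(r"(?:\$|USD\s?)\d{1,3}(?:,\d{3})*\.\d{2}")
INVOICE_RE = re.compile(r"\b(?:INV|invoice(?:\s*(?:id|#|no\.?))?)[\s:#-]*\d{5,}\b", re.I)
URL_RE = re.compile(r"https?://|www\.", re.I)
# A call verb and a cancel/refund/unauthorized phrase within one sentence, either order.
TRIGGER = r"(?:cancel|refund|dispute|did not authori[sz]e|unauthori[sz]ed)"
CALLBACK_RE = re.compile(
    rf"\b(?:call|phone|dial|contact)\b[^.\n]{{0,80}}?{TRIGGER}|{TRIGGER}[^.\n]{{0,80}}?\b(?:call|phone|dial)\b",
    re.I,
)
GENERIC_GREETING_RE = re.compile(r"^\s*dear\s+(?:customer|user|member|client)\b", re.I | re.M)
# Constructed list; NortonLifeLock is the brand from this campaign.
BRANDS = ("nortonlifelock", "norton", "mcafee", "geek squad")

# Constructed weights: no single feature reaches the threshold on its own.
WEIGHTS = {
    "phone": 10, "amount": 10, "invoice_id": 10, "callback_to_cancel": 25,
    "brand": 15, "generic_greeting": 10, "mass_blast": 10, "first_contact": 10,
}
THRESHOLD = 75


@dataclass
class Message:
    from_domain: str
    recipient_count: int     # addresses in To/Cc
    first_contact: bool      # sender never seen by this organization before
    has_attachment: bool
    body: str


def features(msg: Message) -> dict:
    body = msg.body
    return {
        # What the URL and attachment engines would have needed; reported, not scored.
        "no_url": URL_RE.search(body) is None,
        "no_attachment": not msg.has_attachment,
        # Content signals.
        "phone": PHONE_RE.search(body) is not None,
        "amount": AMOUNT_RE.search(body) is not None,
        "invoice_id": INVOICE_RE.search(body) is not None,
        "callback_to_cancel": CALLBACK_RE.search(body) is not None,
        "brand": any(b in body.lower() for b in BRANDS),
        "generic_greeting": GENERIC_GREETING_RE.search(body) is not None,
        # Behavioural signals.
        "mass_blast": msg.recipient_count >= 50,
        "first_contact": msg.first_contact,
    }


def classify(msg: Message) -> tuple[str, int, dict]:
    """Weighted sum of the scored features; the verdict is the sum against THRESHOLD."""
    f = features(msg)
    score = sum(w for name, w in WEIGHTS.items() if f[name])
    return ("invoice_phishing" if score >= THRESHOLD else "clean"), score, f


# Constructed sample 1: the lure, no link, no attachment, mass-mailed by a first-contact sender.
LURE = Message(
    from_domain="scholarship.example", recipient_count=300, first_contact=True, has_attachment=False,
    body=(
        "Dear Customer,\n\nThank you for choosing NortonLifeLock. Your subscription has been renewed.\n"
        "Invoice ID: INV-54024698\nAmount billed: $440.90\n\n"
        "If you did not authorize this charge, call +1 804 653 3660 to cancel within 24 hours.\n"
    ),
)
# Constructed sample 2: an ordinary vendor invoice with a phone number, amount and invoice ID.
VENDOR_INVOICE = Message(
    from_domain="vendor.example", recipient_count=1, first_contact=False, has_attachment=True,
    body=(
        "Dear Customer,\n\nPlease find attached invoice INV-000123 for $99.00, due in 30 days.\n"
        "Questions? Call our billing desk at 800-555-0199.\n"
    ),
)

if __name__ == "__main__":
    for m in (LURE, VENDOR_INVOICE):
        label, score, f = classify(m)
        print(label, score, [k for k, v in f.items() if v])
```

The vendor invoice carries a phone number, an amount, an invoice ID and a generic greeting and still scores 40: those are the features of every invoice. What separates the lure is the "call this number to cancel an unauthorized charge" construction, the impersonated brand, and the delivery context (hundreds of recipients from a sender the organization has never heard from), none of which a URL or attachment engine can see.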
The incident state was "Automatically Resolved as Phishing." The mass-distribution pattern, reaching recipients across multiple unrelated organizations simultaneously, was itself a detection input.
The detection gap this attack exposes is structural. Every dollar invested in URL reputation, link sandboxing, and attachment detonation provides no return against a payload that is a phone number printed in a message body.
Behavioral content analysis. Invoice lures with callback numbers, billing amounts, and reference IDs are a documented pattern. Detection that classifies message body semantics, rather than only evaluating technical artifacts, can identify this class of attack based on what the message is trying to accomplish, not on what files it carries.
DMARC enforcement at every relay hop. When a relay chain breaks authentication alignment and the final hop evaluates DMARC as fail under a p=reject policy, that verdict should trigger the action the domain owner published rather than being recorded and ignored. Enforcement gaps in multi-hop chains are a known delivery vector for campaigns that depend on a legitimate intermediate hop to clear the first filter. Two caveats apply. The failure at the final hop here was a forwarding artifact: the message passed DMARC where it originated, and mail from a compromised account at a clean-reputation domain will always pass, because DMARC authenticates the sending domain, not the sender's intent. And where a gateway legitimately sits in front of the mailbox provider, ARC-sealing at the gateway is the standard way to carry the original authentication results forward, so the final hop can decide on real evidence rather than either trusting the gateway blindly or rejecting everything it forwards.
Employee training on unsolicited invoice lures. The most direct defense against a callback campaign is a recipient who knows not to call numbers printed in unexpected invoices. Calling the vendor's published support line, found independently through their official website, costs the attacker their entire return.
The Verizon DBIR 2026 identifies social engineering as a primary attack category, with telephone and email-to-phone tactics growing as a proportion of financially motivated campaigns. The MITRE ATT&CK framework classifies this delivery pattern under Phishing: Spearphishing Voice (T1566.004), and the credential and payment-detail harvesting on the call under Phishing for Information: Spearphishing Voice (T1598.004). CISA guidance specifically calls out unexpected billing notifications as a phishing signal. The Microsoft Digital Defense Report 2024 notes the continued rise of telephone-based social engineering as adversaries shift payloads off-channel to avoid email-layer detection.
A phishing message that carries no URL and no attachment is not a gap in the attacker's toolkit. It is the point. The attack is designed for exactly the technical environment it was sent into.
---
| Type | Indicator | Context |
|---|---|---|
| Phone | +1 804 653 3[.]660 | Attacker callback number posed as NortonLifeLock support |
| Brand | NortonLifeLock | Impersonated brand (legitimate company; not attacker-controlled) |
| Invoice ID | INV-54024698 | Fabricated invoice reference used in lure |
| Amount | $440.90 | Fabricated charge amount used in lure |
| Relay IP | 209.85.161.53 | Google relay (initial hop, DMARC pass) |
| Relay host | esa4.hc3244-53.iphmx[.]com | Cisco IronPort ESA intermediate relay |
| Relay IP | 139.138.34.192 | Cisco IronPort ESA relay IP |