The email said Zoom. The charge said PayPal. The call-to-action was a phone number. And the one-time code in the body may have been real.
This is a dual-layer attack. Layer one is TOAD: the email exists solely to get the recipient to dial an attacker-controlled number. Layer two is OTP theft: the code in the email is likely a live authentication token the attacker generated by attempting to log in to the victim's actual account. If the recipient calls the number and reads the code to the "support agent," the attacker enters it and completes the login. The 10-minute expiry is not a design choice for the phishing template. It is the actual expiration window of the token.
A $989.95 Charge That Never Happened
The email arrived with a From header displaying "Zoom" and the address no-reply@zoom[.]us. The subject claimed a PayPal transaction of $989.95 USD. The greeting was "Hi Customer," with no personalization. The body presented a formatted table with sign-in details: date, browser, operating system, and location.
Below the table, a one-time code: 054652. "This code expires in 10 minutes."
Below the code, the instruction: call +1(805)500-6389 if you did not authorize this payment.
There was no link to PayPal's resolution center. No "click here to dispute" button. No URL pointing to any payment processor. For an email claiming a PayPal charge, the complete absence of any PayPal URL is itself a tell. The attacker needed the recipient on the phone, not on a website. Every element of the email was engineered to push the recipient toward that single phone number.
The OTP Relay: Turning the Victim Into the Authentication Factor
Standard vishing (callback phishing) gets the victim on the phone and talks them into handing over credentials or granting remote access. This campaign adds a second layer.
The one-time code 054652 with a 10-minute expiry is consistent with a real authentication token. The sequence: the attacker initiates a login attempt on the victim's actual account. The service generates a one-time code and sends it to the victim via SMS or authenticator app. The attacker then sends the phishing email containing that code, framing it as a "transaction verification" code that expires in 10 minutes.
When the victim calls +1(805)500-6389 and reads the code to the "support agent," the attacker enters it into the waiting login prompt. The victim just served as the human relay between the MFA challenge and the attacker's session.
This maps to MITRE ATT&CK T1598 (Phishing for Information). The email is not delivering a payload. It is extracting a specific, time-sensitive credential from the victim through social engineering. The phone channel is the exfiltration path.
The FBI's 2024 Internet Crime Report documented over $4.57 billion in BEC losses, with callback and hybrid phishing schemes increasingly cited as initial access vectors. OTP interception adds account takeover to the damage model.
Cross-Brand Confusion as a Deliberate Tactic
The From header said Zoom. The charge said PayPal. These are two different brands, and the mismatch is intentional.
The Resent-From header revealed the actual sending address: support@eaeldelicious[.]review. The Return-Path showed an SRS-rewritten address routing through smkmuh1skh.onmicrosoft[.]com. SPF failed for the intermediate relay IP 23.90.110.124. DKIM and ARC headers showed inconsistent resigned and forwarded authentication, a chain that had been tampered with or forwarded through infrastructure that broke the original signing.
The domain eaeldelicious[.]review was registered in December 2025 through Porkbun with Cloudflare nameservers and privacy-protected WHOIS (Private by Design, LLC). At the time of this email, the domain was in clientHold status, a registrar suspension typically triggered by abuse reports.
The attacker compensated for weak sending infrastructure by copying real Zoom content. The email footer included Zoom's actual headquarters address (55 Almaden Blvd, San Jose, CA 95113) and real toll-free number (1.888.799.9666). Most links pointed to legitimate Zoom pages. One suspicious URL pointed to us05web.zoom[.]us/terminate_unusual_login_help with a long token parameter. But the only action the email asked the recipient to take was to call the attacker's number. Everything else was set dressing.
This is MITRE ATT&CK T1656 (Impersonation) layered with T1566.002 (Phishing: Spearphishing Link). The impersonation of Zoom provided the visual trust layer. The phishing email delivered the social engineering payload through a voice channel rather than a URL.
The Grammar Errors Automation Missed
Two errors in the email body are immediately visible to a human reader: "Your paid" instead of "You paid" and "If you didn't made this order" instead of "If you didn't make this order."
These are basic grammar mistakes from a non-native English speaker. But they matter because they represent a detection surface that automated tools largely ignore. Content-scanning engines parse for malicious URLs, known phishing keywords, and attachment signatures. Grammatical correctness is not a signal most systems evaluate. A human reviewer catching "Your paid" in a $989.95 charge notification from "Zoom" about a "PayPal" transaction would have three independent reasons to flag the message before any technical analysis.
The Signal That Caught It
IRONSCALES Adaptive AI flagged this email on a combination of behavioral signals that no single technical control evaluated:
Sender-domain mismatch. The From header claimed zoom[.]us, but the actual sending infrastructure traced to eaeldelicious[.]review through a Microsoft 365 tenant relay. That divergence between claimed identity and actual origin is a primary impersonation signal.
Authentication failure pattern. SPF failed. DKIM/ARC showed inconsistent authentication across relay hops. The email claimed to be from a major technology company but could not authenticate as one.
Cross-brand inconsistency. A Zoom-branded email claiming a PayPal charge with no PayPal links, directing to a phone number matching neither company's official support channels.
Phone-as-payload pattern. The email's sole call to action was a phone number. No credential form, no malicious attachment, no redirect chain. The vishing pattern, phone number as the only actionable element, matched known TOAD campaign profiles tracked across the IRONSCALES community.
The message was quarantined before the recipient called.
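As an added example (not code from the original post or from IRONSCALES), the scorer below applies the four signals listed above, plus the unsolicited-OTP tell from the introduction, to a constructed message modelled on this one; the sender domain, relay tenant, IP, phone number and OTP in the sample are placeholders, not the campaign's indicators.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brand keyword -> domain a genuine message from that brand would link to.
BRANDS = {"zoom": "zoom.us", "paypal": "paypal.com"}

# Constructed sample modelled on the message above; sender domain, relay tenant, IP, phone and OTP are placeholders.
SAMPLE = """\
From: Zoom <no-reply@zoom.us>
Resent-From: support@sender-domain.example
Return-Path: <SRS0=q1w2=AB=sender-domain.example=support@tenant.onmicrosoft.example>
Authentication-Results: mx.example; spf=fail (sender IP is 192.0.2.10)
Subject: PayPal transaction of $989.95 USD

Your paid $989.95 USD via PayPal.
Your one-time code: 123456. This code expires in 10 minutes.
If you didn't made this order, call +1(555)010-0199.
Terms: https://zoom.us/terms
"""

def domain_of(header):  # lower-cased domain of the first address in a header
    addr = parseaddr(header or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def srs_origin(return_path):  # unwrap SRS0=HHH=TT=origdomain=local@relay to origdomain
    local = parseaddr(return_path or "")[1].split("@")[0]
    m = re.match(r"SRS0=[^=]+=[^=]+=([^=]+)=", local, re.I)
    return m.group(1).lower() if m else domain_of(return_path)

def score_toad(raw):
    """Score the four behavioural signals plus the unsolicited-OTP tell; three or more hits quarantines."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    from_dom = domain_of(msg.get("From"))
    origin = srs_origin(msg.get("Return-Path")) or domain_of(msg.get("Resent-From"))
    hosts = {h.lower() for h in re.findall(r"https?://([^/\s]+)", body)}
    phones = re.findall(r"\+?\d[\d\-() ]{8,}\d", body)
    mentioned = [b for b in BRANDS if b in text]
    # Brands named in the message that the message never links to (the "no PayPal URL" tell).
    unlinked = [b for b in mentioned if not any(h.endswith(BRANDS[b]) for h in hosts)]
    signals = {
        "sender_domain_mismatch": bool(origin) and origin != from_dom,
        "spf_fail": "spf=fail" in msg.get("Authentication-Results", "").lower(),
        "cross_brand": len(mentioned) > 1 and any(not from_dom.endswith(BRANDS[b]) for b in mentioned),
        "phone_as_payload": bool(phones) and bool(unlinked),  # a number to call, but no link for the brand
        "unsolicited_otp": bool(re.search(r"\b\d{6}\b.{0,60}?expires in \d+ minutes", text, re.S)),
    }
    signals["verdict"] = "quarantine" if sum(signals.values()) >= 3 else "deliver"
    return signals
```

A message that passes SPF, links to the brand it names and offers no phone number scores zero and is delivered; the sample above trips all five signals.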
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Attacker Phone | +1(805)500-6389 | Callback number, not affiliated with PayPal or Zoom |
| Attacker Domain | eaeldelicious[.]review | Registered Dec 2025, Porkbun, Cloudflare NS, clientHold status |
| OTP Pattern | 054652 (6-digit, 10-min expiry) | Likely real authentication code generated by attacker login attempt |
| Resent-From | support@eaeldelicious[.]review | Actual sending address behind Zoom display name |
| Return-Path | SRS-rewritten via smkmuh1skh.onmicrosoft[.]com | Microsoft 365 tenant used as relay |
| Relay IP | 23.90.110.124 | SPF=fail for this intermediate relay |
| Suspicious URL | us05web.zoom[.]us/terminate_unusual_login_help?code= | Non-standard Zoom path with long token parameter |
| Authentication | SPF=fail, DKIM/ARC=inconsistent | Failed and resigned headers across relay chain |
MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Email delivering social engineering payload with embedded phone number and suspicious URL |
| Impersonation | T1656 | From header spoofing Zoom, body claiming PayPal charge, real Zoom footer content |
| Phishing for Information | T1598 | OTP extraction via phone call, time-sensitive credential harvesting |
What Defenders Should Watch For
Treat unsolicited one-time codes as compromise indicators. If an email contains an OTP you did not request, someone may be attempting to log in to your account. Do not call any number in the email. Go directly to the service's portal and check for active sessions. The code's 10-minute window is the attacker's window, not yours.
Flag cross-brand emails as high-risk. An email branded as one company claiming a charge from a different company with a phone number matching neither is not a billing error. It is a confusion tactic designed to prevent the recipient from knowing which official channel to verify against.
Recognize that phone numbers bypass every link-based defense. URL reputation, link scanning, sandbox detonation, Safe Links, and domain blocklists are all useless against a phone number. Detection requires behavioral analysis of content patterns, sender anomalies, and cross-brand inconsistencies.
Train users to catch grammar tells. "Your paid" and "didn't made" are errors that automated tools skip and human reviewers catch immediately. Basic grammar mistakes remain a reliable human-detectable indicator that the message was not authored by the organization it claims to represent.