
A Fake Scotiabank Voicemail Was Actually an HTML File Asking You to Call an Attacker

Written by Audian Paxson | Jun 22, 2026 11:00:00 AM
TL;DR An attacker impersonating Scotiabank sent a targeted alert to a CFO claiming an unauthorized $3,000 Interac e-Transfer. The email came from a compromised small-business sender account on a domain registered in 2015, and it passed SPF and DMARC authentication. The attached 'voicemail' was an HTML file dressed up with an MP3-style filename. No malicious link was present. The entire attack hinged on one action: convincing the CFO to call a toll-free number under the pretense of stopping a fraudulent bank transfer. The number was not affiliated with Scotiabank.
Severity: High | Tags: Callback Phishing, VIP Targeting, Brand Impersonation | MITRE ATT&CK: T1566.001, T1598

The email arrived looking like a routine bank security alert. Scotiabank branding. Interac e-Transfer language. A dollar amount ($3,000.00). A timestamp. A last-four account number. The exact template a real fraud notification would use.

Underneath the familiar formatting was one instruction: if you did not authorize this transfer, call 1-800-472-6[XXX].

There was no login link. No credential form. No malicious redirect chain. The entire attack lived in that phone number.

How a 2015 Small-Business Domain Became a Scotiabank Impersonator

The sending address belonged to a domain registered in October 2015 and hosted on GoDaddy infrastructure. SPF passed. DMARC passed on SPF alignment alone: DKIM was absent, and Microsoft 365's composite authentication (compauth) returned pass with reason 100, the code Microsoft uses for an explicit DMARC pass. Microsoft 365 delivered the message with an SCL of 1, its non-spam verdict (only SCL -1, assigned when filtering is skipped for allow-listed senders, sits lower).

Nothing in the authentication chain pointed to an obvious forgery. The message originated from a compromised small-business sender account, not from attacker-built infrastructure. When an attacker sends from a legitimate account on a decade-old domain, the reputation signals that gateways rely on are precisely what makes the message look trustworthy.

The X-SECURESERVER-ACCT header revealed the actual GoDaddy account identity behind the send, confirming the message was dispatched through that account's authenticated credentials. The sending infrastructure was not spoofed; it was abused. The compromised account gave the attacker a clean launch platform with real authentication.

The Attachment That Was Not an MP3

The email included one attachment. The filename followed a voicemail notification template: v-mail_XXXXXXXX>XXXXXXXXX-WIA-XXXXXXXX mp3.eml. Note where the 'mp3' sits: inside the name, while the actual extension is .eml. The Content-Type declared in the MIME headers was application/html, not any audio type, and the part was approximately 7.5 KB.

There was no audio. The file was an HTML document styled to resemble a voicemail player notification. Opened in a browser or email client, it rendered a page consistent with a banking alert interface and referenced an externally hosted resource on Microsoft Dynamics Marketing infrastructure.

This technique exploits a specific gap in how people process attachment previews. A filename ending in what appears to be a voicemail reference creates the expectation of audio content. Opening it instead renders interactive HTML. The gap between the expectation (a voicemail message) and the mechanism (a rendered web page) is the deception.

Automated scanning returned a clean verdict on the attachment. The HTML itself hosted no malware and carried no traditional payload. The attacker was not trying to execute code. The goal was to extend the social-engineering chain: the email creates fear of financial loss, and the attachment reinforces the banking notification context before the recipient calls the number.


The Callback Number as the Sole Real CTA

The number printed in the email body was framed as a Scotiabank fraud response line. It was not a verified Scotiabank contact. The 1-800 prefix places it in the North American toll-free range, which is shared by the US and Canada and has no geographic anchor, so a geolocation lookup says nothing about who answers. The test that matters is simpler: the number does not match any of Scotiabank's published customer service numbers.

Callback phishing, sometimes called telephone-oriented attack delivery (TOAD), deliberately removes the technical indicators that security tools look for. There is no malicious URL to scan. There is no attachment with a dropper. There is no credential form for a proxy to intercept. The attacker's infrastructure is a phone line and a script. Technical controls that operate on network artifacts offer no visibility into what happens after the recipient dials.

The campaign targeted the CFO mailbox at a mid-size firm, with multiple variants of the same voicemail subject pattern delivered to the same inbox within the same hour. The targeting was deliberate. A CFO receiving a $3,000 unauthorized transfer alert at 3:49 AM ET has a clear, time-pressured reason to act before the start of the business day.

What Themis Read Without a Malicious URL

IRONSCALES Adaptive AI flagged this message at 60% confidence, citing email content language and community signals. The absence of a malicious link did not prevent detection. The behavioral pattern of a first-time external sender, a VIP target, branded financial urgency, and a phone number as the primary CTA formed a composite risk signal that matched known business email compromise and TOAD campaign profiles even when no individual technical indicator crossed a blocking threshold on its own.

The community signal component drew on prior resolutions of structurally similar incidents. TOAD attacks against finance executives using bank brand templates are a documented and repeating pattern. The Adaptive AI's confidence was not based on the attachment or any link verdict, both of which returned clean. It was based on what the message was asking the recipient to do.

Defending Against Attacks Built Around a Phone Number

Closing the detection gap that TOAD attacks exploit requires treating the phone number itself as a threat indicator, not a neutral piece of contact information.

Verify financial alerts through a channel you initiate. Bank fraud alerts should always be verified by calling the number on the back of your card or on the bank's official website. A phone number inside an unsolicited email is not a verified contact, regardless of the branding around it.

Flag first-time external senders targeting executives. The sending domain had no prior relationship with the recipient organization. A VIP-targeted, first-contact message with an attached notification and a financial urgency claim is a risk cluster that warrants quarantine or banner treatment before the recipient opens it.

Treat HTML attachments named as audio files as a deception signal. A filename that references an MP3 or a voicemail, paired with an HTML content type or a payload that begins with an HTML document, is a mismatch that should trigger manual review or quarantine.
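The three checks above can be run mechanically at the gateway. The Python below is an added example, not IRONSCALES code or anything from the original post: it parses a constructed .eml that mirrors the signals described in this case (SPF and DMARC pass with no DKIM, compauth reason 100, SCL 1, an HTML attachment named like a voicemail, a toll-free callback number in the body), reads the authentication results, flags the filename/content mismatch, extracts every NANP phone number and compares it against a brand contact allowlist, and combines the results into a verdict. The sample addresses, the attachment ID, the callback number (a reserved 555 number) and the KNOWN_BRAND_NUMBERS allowlist are all made up; the first_contact and vip_recipient flags are assumed to come from the gateway's sender history and VIP list.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample: headers imitate Microsoft 365 output; addresses, IDs and
# the 555 callback number are made up. The sender IP is the one from this post.
SAMPLE_EML = b"""\
From: accounts@example-smallbiz.test
To: cfo@victim.test
Subject: Security Alert: Interac e-Transfer of $3,000.00 sent
Authentication-Results: spf=pass (sender IP is 188.121.53.132)
 smtp.mailfrom=example-smallbiz.test; dkim=none (message not signed)
 header.d=none;dmarc=pass action=none
 header.from=example-smallbiz.test;compauth=pass reason=100
X-MS-Exchange-Organization-SCL: 1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Scotiabank Alert: an Interac e-Transfer of $3,000.00 was sent from your
account on Jun 22 at 3:49 AM ET. If you did not authorize this transfer,
call 1-800-555-0199 immediately.

--b1
Content-Type: application/html; name="v-mail_20260622-WIA-0001 mp3.eml"
Content-Disposition: attachment; filename="v-mail_20260622-WIA-0001 mp3.eml"

<!DOCTYPE html><html><body><h1>New Voicemail</h1>
<p>Scotiabank Fraud Line: 1-800-555-0199</p></body></html>
--b1--
"""

# Hypothetical allowlist; in production, fill it from the bank's published contact page.
KNOWN_BRAND_NUMBERS = {"8005550100"}
TOLL_FREE_NPAS = {"800", "833", "844", "855", "866", "877", "888"}
AUDIO_HINT = re.compile(r"\b(mp3|wav|m4a|voicemail)\b", re.I)
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[-. ]?)?\(?(\d{3})\)?[-. ]?(\d{3})[-. ]?(\d{4})(?!\d)")
URGENCY_RE = re.compile(r"unauthori[sz]ed|did not authori[sz]e|immediately|fraud", re.I)


def parse_auth_results(msg):
    """Pull method=result pairs out of Authentication-Results, skipping parenthetical comments."""
    raw = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc|compauth|reason)=(\w+)", str(raw)))


def attachment_mismatches(msg):
    """Flag attachments whose filename suggests audio while the declared type or bytes are HTML."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        sniffed_html = payload.lstrip().lower().startswith((b"<!doctype html", b"<html"))
        if AUDIO_HINT.search(name) and (declared.endswith("/html") or sniffed_html):
            findings.append((name, declared, sniffed_html))
    return findings


def extract_numbers(text):
    """Return the set of 10-digit NANP numbers written in any common format."""
    return {"".join(m.groups()) for m in PHONE_RE.finditer(text)}


def triage(raw_eml, known_numbers, first_contact=True, vip_recipient=True):
    """Score one message for callback-phishing traits; returns the signals and a verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    auth = parse_auth_results(msg)
    body = msg.get_body(preferencelist=("plain", "html"))
    texts = [body.get_content()] if body else []
    for part in msg.iter_attachments():  # the HTML 'voicemail' may repeat the number
        texts.append((part.get_payload(decode=True) or b"").decode("utf-8", "ignore"))
    joined = "\n".join(texts)
    signals = []
    # DMARC can pass on SPF alignment alone; with DKIM absent this looks like a real
    # account sending (account abuse), not a spoofed header.
    if auth.get("dmarc") == "pass" and auth.get("dkim", "none") == "none":
        signals.append("dmarc pass via spf alignment only; dkim absent")
    unknown_toll_free = {n for n in extract_numbers(joined)
                         if n not in known_numbers and n[:3] in TOLL_FREE_NPAS}
    if unknown_toll_free:
        signals.append(f"toll-free callback number not in brand list: {sorted(unknown_toll_free)}")
    mismatches = attachment_mismatches(msg)
    if mismatches:
        signals.append(f"audio-named attachment carries html: {[m[0] for m in mismatches]}")
    if first_contact and vip_recipient and URGENCY_RE.search(joined):
        signals.append("first-contact sender, vip recipient, financial urgency")
    has_url = bool(re.search(r"https?://", joined))
    verdict = "quarantine" if len(signals) >= 3 else "banner" if signals else "deliver"
    return {"auth": auth, "scl": str(msg.get("X-MS-Exchange-Organization-SCL", "")),
            "numbers": sorted(extract_numbers(joined)), "has_url": has_url,
            "signals": signals, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML, KNOWN_BRAND_NUMBERS).items():
        print(f"{key}: {value}")
```

Run as a script, it reports four independent signals on the sample and a quarantine verdict with has_url False, which is the point: none of the signals depends on a link or on a malware verdict. The phone-number comparison is the only check that needs maintained data, and an allowlist keyed on the brand named in the message is cheap to keep compared with the cost of a CFO dialing the attacker.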

The Verizon DBIR 2026 notes that social engineering attacks are responsible for a substantial share of financial fraud. MITRE ATT&CK T1566.001 covers spearphishing attachment delivery. CISA guidance on phishing consistently emphasizes out-of-band verification for financial requests. The Microsoft Digital Defense Report 2024 specifically identifies VIP-targeted financial fraud campaigns as a growing attack class, noting that callback phishing techniques are effective precisely because they move the attack off the network and onto a voice channel.

The lesson from this case is simple: when a bank alert gives you a phone number to call and nothing else to click, that is a reason for suspicion, not a reason to dial.

---

Type | Indicator | Context
Phone | 1-800-472-6[XXX] | Attacker-controlled callback number, framed as a Scotiabank fraud line; not a verified Scotiabank contact
Sender IP | 188.121.53.132 | GoDaddy secureserver.net relay, Strasbourg, FR; authorized sender for the compromised domain
Attachment | v-mail_[ID]mp3.eml | HTML file (7,526 bytes) disguised as a voicemail MP3; renders the attacker's notification page

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.

Related attacks

Attack | What happened
A Fake Bitdefender Charge Showed Up on the Calendar, Not the Inbox | Attackers weaponized a Google Calendar .ics invite to deliver a fake Bitdefender subscription charge.
The Invoice That Never Existed: Geek Squad TOAD via a Blank-Extension JPEG | A throwaway Hotmail account delivered a fake $559.47 Geek Squad invoice as a JPEG with no file extension.
The PayPal Email That Wanted a Phone Call, Not a Click | A PayPal email landed spotless through Mimecast.
The Fireflies Meeting Recap That Never Happened: Dual-Brand Impersonation via Amazon SES | A phishing campaign combined Fireflies.ai meeting recap templates with Microsoft Teams branding to target a financial controller.
The B2B Content Marketing Email That Borrowed a Brand, a Relay Allow-List, and a Security Vendor's Own URL Wrapper | A polished B2B research report offer used SelectHub branding and passed through an allow-listed mail relay at SCL -1.