On a Monday morning in March 2026, a calendar notification landed in the inbox of an employee at a mid-size professional services firm. Google Calendar had delivered it. The subject line was impersonal, almost robotic: "Hello customer 701b0eb48b1a is your recent order On 2026-03-16."
The body, though, told a very different story. It claimed the recipient's "Gϱϱk Squad Plan" had been renewed for four years, and USD 650.53 had been charged to their account. Below that, a tidy transaction summary listed a different total: USD 495.14. Two phone numbers were provided for "inquiries or adjustments." No links. No attachments. Just urgency, confusion, and a phone number.
This was a TOAD attack, and everything about it was engineered to make the recipient pick up the phone.
TOAD (Telephone-Oriented Attack Delivery) campaigns have surged in recent years. The FBI IC3 2024 report documented callback phishing as a growing vector within BEC and tech support fraud, with reported losses in the billions. What makes this variant stand out is not just that it used TOAD, but how deliberately it manufactured confusion.
The contradiction between USD 650.53 and USD 495.14 was not a mistake. It was the payload. A recipient who opens this email faces an immediate problem: which amount was actually charged? The only way to find out is to call. That instinct to resolve a billing discrepancy, especially one tied to a recognizable brand like Geek Squad, overrides the caution that might otherwise slow someone down.
The lure reinforced urgency at every level. Opaque transaction IDs (Client UID: 058507c6, Customer ID: 1f582704ea) gave the appearance of a real system. A "Membership Duration: 48 Months" line implied a long, expensive commitment. The sign-off listed a specific billing contact, a physical address in San Juan, Texas, and a copyright notice. Every detail was designed to make this feel like a legitimate corporate communication, one that demanded immediate action.
And the email offered exactly two ways to act: call +1 (828) 279-4074 or call +1 (808) 233-9167. Both numbers were attacker-controlled.
Behind the convincing facade, this campaign relied on three layered evasion techniques.
Unicode brand spoofing. The email referenced "Gϱϱk Squad," not "Geek Squad." The two characters replacing the letter "e" are Greek lowercase rho in its symbol form (ϱ, U+03F1 GREEK RHO SYMBOL). To a human reader scanning quickly, the difference is invisible. To a content filter running exact-string matching against known brand names, "Gϱϱk" does not match "Geek." This is a textbook application of MITRE ATT&CK T1036.005 (Masquerading: Match Legitimate Name or Location), adapted for email content rather than file names.
Google Calendar as delivery infrastructure. The attacker did not send a standard email. They created a Google Calendar event using a Google Workspace account on the throwaway domain crrcinc[.]org and invited the target as a guest. Google's infrastructure processed the event and delivered the notification email with a legitimate DKIM signature from google[.]com. The Sender header read calendar-notification@google[.]com. This is T1566.003 (Phishing via Service): weaponizing a trusted platform to deliver malicious content through its own notification pipeline.
Same-day disposable domain. WHOIS records for crrcinc[.]org show it was registered on March 16, 2026, the exact date the email was sent. Registrar: Cloudflare. No public registrant information, no web presence, no established mail reputation. The domain existed solely to host this campaign, a hallmark of T1585.001 (Establish Accounts). Because it was brand new, it had no negative reputation to trigger blocklists.
The combination was effective. Authentication results told the story: SPF returned "None" (the domain published no sender policy at all), DKIM passed (courtesy of Google's infrastructure), DMARC returned "None" (no policy published), and Microsoft's composite authentication passed with reason code 106. The email survived transit through Microsoft 365's Exchange Online Protection, which flagged it with SCL 5 (spam/phish confidence) but let it through to the mailbox. The Verizon DBIR 2024 notes that pretexting and social engineering attacks continue to succeed precisely because they exploit trust in legitimate services rather than relying on obviously malicious infrastructure.
The email reached the inbox, but it did not stay invisible. IRONSCALES Adaptive AI flagged the incident based on converging signals: a newly registered return path domain, visual brand impersonation patterns inconsistent with known Geek Squad sender infrastructure, and community-sourced threat intelligence from organizations that had already reported identical lures. The Themis engine classified the email as phishing with high confidence.
Without that detection layer, the attack had a clear path. No malicious URLs meant no URL sandbox detonation. No attachments meant no file hash matching. The email body was plain text wrapped in a calendar template. Traditional SEG defenses built around link scanning and attachment analysis had nothing to scan. The attacker designed the kill chain to bypass those controls entirely, funneling the entire threat through a phone call that would never touch the email security stack again.
Had the recipient dialed either number, the likely outcome was a live social engineering session: a fake support agent "verifying" identity with account credentials, escalating to remote desktop access, or redirecting a payment. The IBM Cost of a Data Breach 2024 report pegged the average cost of a social engineering breach at $4.77 million.
This campaign did not rely on technical sophistication. It relied on psychological precision. Three principles made it dangerous.
Homoglyph substitution defeats string matching. If your detection stack relies on exact brand-name matching to flag impersonation, Unicode substitution will bypass it. Effective defenses require visual similarity analysis, not just string comparison.
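As an added illustration of the two checks described above (not code from the original post or from IRONSCALES), the following Python flags words that mix scripts and folds a small, hand-built confusables table before matching brand names. The brand watchlist and the confusables table are assumptions constructed for the example; Unicode's confusables.txt is the authoritative source a production filter would load instead.

```python
import re
import unicodedata

# Constructed brand watchlist for the example; a real deployment would load its own.
BRANDS = ("Geek Squad", "Best Buy", "PayPal")

# Constructed confusables subset. The first entry is the substitution used in this
# lure ("Gϱϱk"); the rest are common Greek/Cyrillic look-alikes. Unicode's
# confusables.txt is the authoritative source for a production table.
CONFUSABLES = {
    "\u03f1": "e",  # GREEK RHO SYMBOL, stood in for "e" in "Gϱϱk Squad"
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
}

WORD_RE = re.compile(r"\w+")


def scripts_in(word):
    """Script names (first token of each letter's Unicode name) present in `word`."""
    names = set()
    for ch in word:
        if ch.isalpha():
            name = unicodedata.name(ch, "")
            if name:
                names.add(name.split()[0])
    return names


def mixed_script_words(text):
    """Words that combine scripts, e.g. Latin and Greek: a homoglyph signal that
    needs no brand list at all."""
    return [w for w in WORD_RE.findall(text) if len(scripts_in(w)) > 1]


def skeleton(text):
    """Fold confusables to ASCII, then NFKC-normalise and casefold.

    The fold runs before NFKC on purpose: NFKC maps the rho symbol (U+03F1) to
    plain rho (U+03C1), which would discard the substitution we want to catch."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return unicodedata.normalize("NFKC", folded).casefold()


def brand_spoofs(text, brands=BRANDS):
    """Brands whose skeleton occurs in the text while the exact spelling does not.
    An exact hit is left alone: it is either legitimate mail or a plain-text
    impersonation that ordinary string matching already catches."""
    plain, skel = text.casefold(), skeleton(text)
    return [b for b in brands if b.casefold() in skel and b.casefold() not in plain]


def homoglyph_report(text):
    return {"mixed_script_words": mixed_script_words(text),
            "brand_spoofs": brand_spoofs(text)}


if __name__ == "__main__":
    # Constructed line modelled on the lure's wording.
    lure = "Your G\u03f1\u03f1k Squad Plan has been renewed for 48 months."
    print(homoglyph_report(lure))
```

The mixed-script check is the cheaper of the two and catches substitutions the confusables table has never seen; the skeleton check is what ties a hit back to a specific brand so the alert can be routed to the right playbook.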
Calendar invites inherit sender trust. When an attacker sends a Google Calendar event, the notification email carries Google's DKIM signature. Security teams should treat calendar-based delivery as an independent threat vector, not assume it is benign because Google signed it.
Contradictory details are a feature, not a bug. Inconsistent billing amounts are not sloppy phishing. They are deliberate. The confusion they create is the mechanism that drives the victim to act. Training programs should teach employees that billing discrepancies in unsolicited emails are a red flag, not a reason to call the number in the email.
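The authentication results, the link-less body, the calendar-inherited trust and the contradictory amounts discussed above can all be scored from the message itself. The Python below is an added example, not code from the original post or from IRONSCALES: it parses a constructed message that mirrors the headers the write-up describes (the sending IP is a placeholder and the Authentication-Results layout follows Microsoft 365's format), uses a constructed lookup table in place of a live WHOIS/RDAP query, and treats three or more findings as a phish verdict; that threshold is an assumption.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed message mirroring the headers and body the write-up describes; it is not
# the captured email. The sending IP is a placeholder and the Authentication-Results
# layout follows Microsoft 365's format.
LURE = """\
From: Mary Morrison <mary.morrisonh80u@crrcinc.org>
Sender: Google Calendar <calendar-notification@google.com>
Reply-To: mary.morrisonh80u@crrcinc.org
To: employee@example.com
Date: Mon, 16 Mar 2026 09:02:11 +0000
Subject: Hello customer 701b0eb48b1a is your recent order On 2026-03-16
Authentication-Results: spf=none (sender IP is 192.0.2.10) smtp.mailfrom=crrcinc.org;
 dkim=pass (signature was verified) header.d=google.com;
 dmarc=none action=none header.from=crrcinc.org;
 compauth=pass reason=106
Content-Type: text/plain; charset=utf-8

Your G\u03f1\u03f1k Squad Plan has been renewed for 48 months. USD 650.53 was charged.
Transaction summary: Total USD 495.14
For inquiries or adjustments call +1 (828) 279-4074 or 1 808 233-9167.
"""

# Constructed control: an aligned, policy-backed sender with a link and one amount.
BENIGN = """\
From: Receipts <receipts@example.com>
To: employee@example.com
Date: Mon, 16 Mar 2026 09:05:00 +0000
Subject: Your receipt
Authentication-Results: spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com;
 dmarc=pass action=none header.from=example.com; compauth=pass reason=100
Content-Type: text/plain; charset=utf-8

Thanks for your order. Total USD 49.99. View it at https://example.com/orders/123
"""

# Stand-in for a WHOIS/RDAP lookup (constructed); production code would query live.
REGISTERED_ON = {"crrcinc.org": date(2026, 3, 16)}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)")
DKIM_D_RE = re.compile(r"header\.d=([\w.-]+)")
URL_RE = re.compile(r"https?://|www\.", re.I)
PHONE_RE = re.compile(r"\+?1?[\s(]*\d{3}[\s)]*[\s-]?\d{3}[\s-]?\d{4}")
AMOUNT_RE = re.compile(r"(?:USD|\$)\s?(\d[\d,]*\.\d{2})")


def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def parse_auth_results(value):
    """Pull spf/dkim/dmarc/compauth verdicts and the DKIM signing domain."""
    flat = re.sub(r"\s+", " ", value or "")
    results = dict(AUTH_RE.findall(flat))
    m = DKIM_D_RE.search(flat)
    results["dkim_domain"] = m.group(1).lower() if m else ""
    return results


def triage(raw, registered=REGISTERED_ON):
    msg = message_from_string(raw)
    body = msg.get_payload()
    auth = parse_auth_results(msg.get("Authentication-Results"))
    from_dom = domain_of(msg.get("From"))
    sender = parseaddr(msg.get("Sender", ""))[1].lower()
    findings = []

    # Platform-signed delivery: Google's DKIM vouches for Google, not for the author.
    if sender == "calendar-notification@google.com" and from_dom != "google.com":
        findings.append(f"Google Calendar notification on behalf of {from_dom}")
    if auth.get("dkim") == "pass" and auth["dkim_domain"] != from_dom:
        findings.append(f"DKIM d={auth['dkim_domain']} not aligned with From {from_dom}")
    if auth.get("spf") == "none" and auth.get("dmarc") == "none":
        findings.append("author domain publishes neither SPF nor DMARC")

    # Domain age relative to the send date (constructed table stands in for WHOIS).
    sent = parsedate_to_datetime(msg["Date"]).date()
    if from_dom in registered:
        age = (sent - registered[from_dom]).days
        if age <= 7:
            findings.append(f"From domain registered {age} day(s) before send")

    # Body: no links, phone numbers as the only call to action, conflicting amounts.
    amounts = sorted(set(AMOUNT_RE.findall(body)))
    phones = PHONE_RE.findall(body)
    if phones and not URL_RE.search(body):
        findings.append(f"no URLs; {len(phones)} phone number(s) as the call to action")
    if len(amounts) > 1:
        findings.append("contradictory amounts: " + ", ".join(amounts))

    verdict = "phish" if len(findings) >= 3 else "clean" if not findings else "review"
    return {"verdict": verdict, "findings": findings, "amounts": amounts, "phones": len(phones)}


if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, triage(raw))
```

None of these signals is decisive alone: a genuine calendar invite from a partner also carries Google's signature, and a legitimate invoice can quote two amounts. Their convergence on one message with no link to detonate is what the SEG has no other way to see.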
Organizations processing high volumes of inbound email should evaluate whether their current defenses can catch a message with no links, no attachments, a valid DKIM signature, and a brand name spelled in Unicode. If the answer is uncertain, that gap is already being exploited.
---
### Indicators of Compromise
| Indicator | Type | Context |
|---|---|---|
| mary.morrisonh80u[@]crrcinc[.]org | Sender and Reply-To address | Google Workspace account on the throwaway domain that created the calendar event |
| crrcinc[.]org | Domain | Throwaway sender domain, registered 2026-03-16 |
| calendar-notification[@]google[.]com | Spoofed Sender header (Google Calendar) | Sender header on the notification email; DKIM signed by google[.]com |
| +1 (828) 279-4074 | Phone | Callback number in email body |
| +1 (808) 233-9167 | Phone | Secondary callback number in signature |
| 8bbc6c89b429 | Fake ID | Fabricated "Membership ID" |
| 058507c6 | Fake ID | Fabricated "Client UID" |
| 1f582704ea | Fake ID | Fabricated "Customer ID" |
| Gϱϱk Squad (U+03F1 rho substitution) | Unicode | Homoglyph brand impersonation |
| USD 650.53 / USD 495.14 | Lure content | Contradictory billing amounts |