The email said Zelle had sent a $450.00 payment. The confirmation number was ZL20251209P74829. The brand name in the header was spelled "Z elle" with a space that no legitimate notification would carry. And the greeting addressed the recipient by a placeholder email that belonged to a K-12 school district employee in another state.
There were no links to click. No attachments to open. The entire payload was a phone number.
A Template That Fell Apart Under Inspection
The message arrived from nijhumakter383747+5@gmail[.]com through SendGrid infrastructure at IP 134.128.77[.]216. SPF and DKIM passed for SendGrid because the email was genuinely sent through SendGrid's platform. DMARC failed for gmail[.]com because the header From domain did not match the authenticated sending domain. This is a textbook mismatch: a Gmail address displayed in the From field while a completely different ESP handled delivery.
The template carried multiple visible failures. The brand name "Z elle" had broken spacing, likely from a rendering issue in the attacker's template builder. The greeting included a visible placeholder, an email address belonging to a school district employee, left in brackets where a recipient name should have been. The Payment Summary section was duplicated, appearing twice in the HTML body. And the dates did not agree: the confirmation referenced December 9, but the email's sent date was December 15.
These artifacts are not incidental. They are the fingerprints of a mass-produced callback phishing campaign assembled from a template that was never quality-checked against real Zelle notifications.
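The authentication picture described above (SPF and DKIM passing for the ESP, DMARC failing because neither authenticated domain aligns with the header From) can be reproduced from an Authentication-Results header. The following is an added example, not code from the article or its vendor: it parses the SPF and DKIM clauses, applies relaxed alignment against the From domain, and reports whether DMARC would pass. The headers are constructed (the sender address is the article's IoC; the authserv-id, envelope sender and DKIM selector are made up), and `org_domain` is a deliberate simplification that takes the last two labels instead of consulting the Public Suffix List.

```python
import re
from email import message_from_string, policy

# Constructed headers modelled on the case in the article: Gmail From address,
# SPF and DKIM both vouching for sendgrid.net, nothing vouching for gmail.com.
MISALIGNED = """\
From: "Zelle" <nijhumakter383747+5@gmail.com>
To: victim@example.org
Subject: You received a payment
Authentication-Results: mx.example.org;
  spf=pass smtp.mailfrom=bounces+1234@sendgrid.net;
  dkim=pass header.d=sendgrid.net header.s=s1;
  dmarc=fail header.from=gmail.com

body
"""

# Constructed counter-example: same ESP for SPF, but the message carries a
# DKIM signature from gmail.com itself, so DKIM aligns and DMARC passes.
ALIGNED = """\
From: "Someone" <someone@gmail.com>
To: victim@example.org
Subject: hi
Authentication-Results: mx.example.org;
  spf=pass smtp.mailfrom=bounces+1234@sendgrid.net;
  dkim=pass header.d=gmail.com header.s=20230601

body
"""


def org_domain(domain):
    """Organizational domain for relaxed alignment. Simplification: the last
    two labels. Real evaluators use the Public Suffix List (co.uk etc.)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(value):
    """Extract SPF/DKIM verdicts and the domains they vouch for from an
    Authentication-Results header (RFC 8601 clauses separated by ';')."""
    value = re.sub(r"\s+", " ", value)
    out = {"spf": None, "spf_domain": None, "dkim_domains": [], "reported_dmarc": None}
    for clause in value.split(";")[1:]:  # clause 0 is the authserv-id
        clause = clause.strip()
        if not clause or "=" not in clause.split()[0]:
            continue
        method, verdict = clause.split()[0].split("=", 1)
        if method == "spf":
            out["spf"] = verdict
            m = re.search(r"smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)", clause)
            out["spf_domain"] = m.group(1).lower() if m else None
        elif method == "dkim" and verdict == "pass":
            m = re.search(r"header\.d=([\w.-]+)", clause)
            if m:
                out["dkim_domains"].append(m.group(1).lower())
        elif method == "dmarc":
            out["reported_dmarc"] = verdict
    return out


def dmarc_alignment(raw):
    """Re-derive the DMARC verdict from the From domain and the SPF/DKIM results."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    ar = parse_auth_results(str(msg["Authentication-Results"]))
    spf_aligned = (ar["spf"] == "pass" and ar["spf_domain"] is not None
                   and org_domain(ar["spf_domain"]) == org_domain(from_domain))
    dkim_aligned = any(org_domain(d) == org_domain(from_domain) for d in ar["dkim_domains"])
    return {
        "from_domain": from_domain,
        "spf_domain": ar["spf_domain"],
        "dkim_domains": ar["dkim_domains"],
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }
```

Running `dmarc_alignment(MISALIGNED)` reports SPF and DKIM both unaligned and DMARC `fail`, exactly the From/ESP mismatch the article describes; the receiver's own `dmarc=` clause is kept as `reported_dmarc` so the two verdicts can be compared when triaging a header.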
The Phone Number Was the Weapon
The email contained no clickable links, no redirects, and no attachments. URL scanners had nothing to evaluate. Sandbox detonation had nothing to detonate. The only actionable element was a phone number: +1 855-408-4804.
This is TOAD (Telephone-Oriented Attack Delivery), a subset of vishing. The attacker's goal was not to steal credentials through a fake login page. It was to get the recipient to call. Once connected, a live operator or automated system would conduct the actual social engineering, extracting payment details, account credentials, or remote access under the pretext of resolving the fraudulent payment.
A SendGrid tracking pixel embedded in the HTML confirmed that the attacker was monitoring which recipients opened the email, providing intelligence on which targets were most likely to engage.
Why There Was Nothing for a Scanner to Catch
Themis evaluated the convergence of signals: DMARC failure on a From/ESP domain mismatch, a Gmail address routed through SendGrid, broken brand rendering, a visible placeholder email in the greeting, duplicated content blocks, and a phone number as the sole CTA with no supporting links or attachments.
No single artifact was the detection trigger. The DMARC failure alone might occur in legitimate transactional email. Template artifacts alone might be dismissed as a formatting issue. But the combination of authentication mismatch, brand rendering failures, template leaks, and a TOAD callback pattern created a behavioral fingerprint that content scanning alone could not detect.
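The convergence logic above (and the link-free, phone-number-only payload of the previous section) can be expressed as a set of weak signals that are scored together. The following is an added example, not the vendor's detection engine: it parses a constructed HTML email modelled on the one described, extracts each signal named in the article (DMARC failure on a free-mail From, phone number as the sole call to action, tracking pixel, leaked template placeholder, broken brand spacing, duplicated block, date disagreement) and flags the message only when several of them coincide. The sender address, callback number, amount and confirmation number are the article's IoCs; the recipient, placeholder address, wording, pixel URL and the benign comparison message are all made up, and the phone regex is a deliberately loose North American pattern.

```python
import re
from datetime import date
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample modelled on the Zelle TOAD email (IoCs from the article,
# everything else invented): free-mail From via an ESP, no links, one phone number.
TOAD_EMAIL = """\
From: "Zelle" <nijhumakter383747+5@gmail.com>
Date: Mon, 15 Dec 2025 09:12:00 +0000
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bounces@sendgrid.net;
  dkim=pass header.d=sendgrid.net; dmarc=fail header.from=gmail.com
Content-Type: text/html; charset=utf-8

<html><body><h1>Z elle</h1>
<p>Hello [placeholder.user@school-district.example],</p>
<p>A payment of $450.00 was sent to you on December 9.</p>
<div>Payment Summary: $450.00, confirmation ZL20251209P74829</div>
<p>If you did not authorize this payment, call +1 855-408-4804 now.</p>
<div>Payment Summary: $450.00, confirmation ZL20251209P74829</div>
<img src="https://tracker.example.test/open?id=CONSTRUCTED" width="1" height="1">
</body></html>
"""

# Constructed benign notification for comparison: aligned DMARC, a real link.
BENIGN_EMAIL = """\
From: "Example Bank" <alerts@example-bank.test>
Date: Mon, 15 Dec 2025 09:12:00 +0000
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=alerts@example-bank.test;
  dkim=pass header.d=example-bank.test; dmarc=pass header.from=example-bank.test
Content-Type: text/html; charset=utf-8

<html><body><h1>Example Bank</h1><p>Hello Alex,</p>
<p>A payment of $20.00 was sent on December 15.</p>
<p><a href="https://example-bank.test/activity">View activity</a> or call +1 800-555-0100.</p>
</body></html>
"""

FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
BRANDS = ("Zelle",)  # brand names whose spelling a real notification keeps intact
PHONE = re.compile(r"\+?1?[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")  # loose NANP match
PLACEHOLDER = re.compile(r"\[[^\]]*@[^\]]*\]")  # "[user@domain]" left by a template engine
MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]
BODY_DATE = re.compile(r"\b(" + "|".join(MONTHS) + r")\s+(\d{1,2})\b")


class _Body(HTMLParser):
    """Collect visible text chunks, link targets and 1x1 images from the HTML."""
    def __init__(self):
        super().__init__()
        self.chunks, self.links, self.pixels = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        if tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            self.pixels.append(a.get("src", ""))

    def handle_data(self, data):
        if data.strip():
            self.chunks.append(" ".join(data.split()))


def toad_signals(raw):
    """Return the weak signals present in the message; none is decisive alone."""
    msg = message_from_string(raw, policy=policy.default)
    body = _Body()
    body.feed(msg.get_body(preferencelist=("html",)).get_content())
    text = "\n".join(body.chunks)
    signals = []
    from_domain = msg["From"].addresses[0].domain.lower()
    auth = re.sub(r"\s+", " ", str(msg["Authentication-Results"] or ""))
    if "dmarc=fail" in auth and from_domain in FREEMAIL:
        signals.append("dmarc_fail_freemail_from")  # consumer From routed via an ESP
    has_attachment = any(part.get_filename() for part in msg.walk())
    if PHONE.search(text) and not body.links and not has_attachment:
        signals.append("phone_only_cta")  # nothing for a URL scanner or sandbox
    if body.pixels:
        signals.append("tracking_pixel")
    if PLACEHOLDER.search(text):
        signals.append("placeholder_leak")
    for brand in BRANDS:  # "Z elle": brand letters separated by whitespace
        spaced = re.compile(r"\b" + r"\s*".join(map(re.escape, brand)) + r"\b", re.I)
        if any(m.group(0).lower() != brand.lower() for m in spaced.finditer(text)):
            signals.append("brand_spacing_broken")
            break
    seen = set()
    for chunk in body.chunks:  # the same non-trivial block rendered twice
        if len(chunk) >= 30 and chunk in seen:
            signals.append("duplicated_block")
            break
        seen.add(chunk)
    sent = msg["Date"].datetime.date()
    for month, day in BODY_DATE.findall(text):  # body date vs. Date header
        claimed = date(sent.year, MONTHS.index(month) + 1, int(day))
        if abs((sent - claimed).days) > 2:
            signals.append("date_mismatch")
            break
    return signals


def verdict(signals, threshold=3):
    """Flag only when enough independent weak signals converge."""
    return "flag" if len(signals) >= threshold else "allow"
```

Called on `TOAD_EMAIL`, `toad_signals` returns all seven signals and `verdict` flags the message, while the benign notification produces none; the threshold is the design choice that keeps a lone DMARC failure or a lone formatting glitch from tripping the detection, as the text above argues it should.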
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sender Email | nijhumakter383747+5@gmail[.]com | Gmail address, display name "Zelle" |
| Sending IP | 134.128.77[.]216 | SendGrid infrastructure |
| DMARC | Fail for gmail[.]com | Header From/ESP domain mismatch |
| Brand Artifact | "Z elle" (broken spacing) | Template rendering failure |
| Placeholder Leak | Visible email address in greeting | Template variable not substituted |
| Duplicated HTML | Payment Summary block appears twice | Template assembly error |
| Date Mismatch | Confirmation: Dec 9, Sent: Dec 15 | Inconsistent template data |
| TOAD Number | +1 855-408-4804 | Callback phishing, sole CTA |
| Payment Claim | $450.00, confirmation ZL20251209P74829 | Fabricated transaction details |
| Tracking | SendGrid open-tracking pixel | Recipient surveillance |
MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Email delivery of social engineering payload via ESP |
| Phishing for Information | T1598 | TOAD callback designed to extract payment or credential data |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Zelle brand impersonation with fabricated payment confirmation |