
The Zelle Confirmation That Couldn't Spell Its Own Name: Template Artifacts, Placeholder Leaks, and a TOAD Callback

Written by Audian Paxson | Apr 15, 2026 4:45:00 AM
TL;DR: A phishing email impersonating Zelle was sent from a Gmail address (nijhumakter383747+5@gmail[.]com) through SendGrid infrastructure at IP 134.128.77[.]216. SPF and DKIM passed for SendGrid, but DMARC failed for gmail.com because the header From domain did not align with the authenticated sending domain. The email claimed a $450.00 payment had been sent, confirmation ZL20251209P74829. Multiple template artifacts were visible: "Z elle" with broken brand spacing, a visible placeholder address in the greeting, duplicated Payment Summary blocks, and a date mismatch between the confirmation (December 9) and the sent date (December 15). The entire payload was a TOAD callback number (+1 855-408-4804). No malicious links were present. A SendGrid tracking pixel confirmed open-tracking surveillance.
Severity: High | Tags: Vishing, Impersonation | MITRE ATT&CK: T1566.002 (Phishing: Spearphishing Link), T1598 (Phishing for Information), T1036.005 (Masquerading: Match Legitimate Name or Location)

The email said Zelle had sent a $450.00 payment. The confirmation number was ZL20251209P74829. The brand name in the header was spelled "Z elle" with a space that no legitimate notification would carry. And the greeting addressed the recipient by a placeholder email that belonged to a K-12 school district employee in another state.

There were no links to click. No attachments to open. The entire payload was a phone number.

A Template That Fell Apart Under Inspection

The message arrived from nijhumakter383747+5@gmail[.]com through SendGrid infrastructure at IP 134.128.77[.]216. SPF and DKIM passed for SendGrid because the email was genuinely sent through SendGrid's platform: the envelope sender and the DKIM signing domain both belonged to SendGrid. DMARC failed for gmail[.]com because DMARC requires the header From domain to align with either the SPF-authenticated envelope domain or the DKIM signing domain, and gmail.com aligned with neither. This is a textbook mismatch: a Gmail address displayed in the From field while a completely different ESP handled delivery.
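To make the alignment failure concrete, here is an added Python example (not IRONSCALES code and not from the post) that applies DMARC's relaxed identifier alignment to a constructed Authentication-Results header modelled on this message. The receiving MTA name, envelope sender, DKIM selector and the contrasting "aligned" sample are assumptions; the example checks alignment only and does not look up the sender's DMARC policy.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the case in the post: a Gmail address in
# From, delivered through SendGrid. The Authentication-Results line is an
# assumption about what a receiving MTA (here "mx.example.net") would
# record; the envelope sender and DKIM selector are placeholders.
SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 134.128.77.216)
 smtp.mailfrom=bounces+12345@em1234.sendgrid.net;
 dkim=pass header.d=sendgrid.net header.s=s1
From: "Zelle" <nijhumakter383747+5@gmail.com>
To: recipient@example.net
Subject: Payment Sent - Confirmation ZL20251209P74829

"""

# Constructed contrast case: the DKIM signing domain shares an organizational
# domain with the From domain, so alignment holds even though the envelope
# sender still belongs to the ESP.
ALIGNED = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounces+67890@em5678.sendgrid.net;
 dkim=pass header.d=notify.bank.example header.s=s1
From: "Bank Notifications" <no-reply@bank.example>
To: recipient@example.net
Subject: Payment receipt

"""


def org_domain(domain: str) -> str:
    """Crude organizational-domain reduction (last two labels). Real DMARC
    evaluators use the Public Suffix List; this simplification is wrong for
    suffixes such as co.uk and is enough only for the domains used here."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(value: str) -> dict:
    """Extract the SPF and DKIM verdicts and the domains they authenticated
    from an Authentication-Results header value (header folding removed)."""
    flat = " ".join(value.split())
    results = {}
    m = re.search(r"\bspf=(\w+)[^;]*?smtp\.mailfrom=([^\s;]+)", flat)
    if m:
        results["spf"] = (m.group(1), m.group(2).rsplit("@", 1)[-1])
    m = re.search(r"\bdkim=(\w+)[^;]*?header\.d=([^\s;]+)", flat)
    if m:
        results["dkim"] = (m.group(1), m.group(2))
    return results


def dmarc_alignment(raw: str) -> dict:
    """Relaxed identifier alignment: the header From domain must share an
    organizational domain with a passing SPF envelope domain or a passing
    DKIM d= domain. Policy (p=) lookup is out of scope here."""
    msg = message_from_string(raw)
    header_from = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg["Authentication-Results"] or "")

    def aligned(key: str) -> bool:
        verdict, domain = auth.get(key, ("none", ""))
        return verdict == "pass" and org_domain(domain) == org_domain(header_from)

    spf_ok, dkim_ok = aligned("spf"), aligned("dkim")
    return {
        "header_from": header_from,
        "authenticated": {k: v[1] for k, v in auth.items() if v[0] == "pass"},
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": spf_ok or dkim_ok,
    }


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("aligned", ALIGNED)):
        print(label, dmarc_alignment(sample))
```

Running it shows the point of the post: for the spoofed sample both SPF and DKIM pass, but the domains they authenticate (SendGrid's) share nothing with gmail.com, so neither identifier aligns and DMARC fails; for the aligned sample the same ESP envelope is irrelevant because the DKIM d= domain belongs to the sender's organization.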

The template carried multiple visible failures. The brand name "Z elle" had broken spacing, likely from a rendering issue in the attacker's template builder. The greeting included a visible placeholder, an email address belonging to a school district employee, left in brackets where a recipient name should have been. The Payment Summary section was duplicated, appearing twice in the HTML body. And the dates did not agree: the confirmation referenced December 9, but the email's sent date was December 15.

These artifacts are not incidental. They are the fingerprints of a mass-produced callback phishing campaign assembled from a template that was never quality-checked against real Zelle notifications.

The Phone Number Was the Weapon

The email contained no clickable links, no redirects, and no attachments. URL scanners had nothing to evaluate. Sandbox detonation had nothing to detonate. The only actionable element was a phone number: +1 855-408-4804.

This is TOAD (Telephone-Oriented Attack Delivery), a subset of vishing. The attacker's goal was not to steal credentials through a fake login page. It was to get the recipient to call. Once connected, a live operator or automated system would conduct the actual social engineering, extracting payment details, account credentials, or remote access under the pretext of resolving the fraudulent payment.

A SendGrid tracking pixel embedded in the HTML confirmed that the attacker was monitoring which recipients opened the email, providing intelligence on which targets were most likely to engage.

Why There Was Nothing for a Scanner to Catch

Themis evaluated the convergence of signals: DMARC failure on a From/ESP domain mismatch, a Gmail address routed through SendGrid, broken brand rendering, a visible placeholder email in the greeting, duplicated content blocks, and a phone number as the sole CTA with no supporting links or attachments.

No single artifact was the detection trigger. The DMARC failure alone might occur in legitimate transactional email. Template artifacts alone might be dismissed as a formatting issue. But the combination of authentication mismatch, brand rendering failures, template leaks, and a TOAD callback pattern created a behavioral fingerprint that content scanning could not replicate.
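The convergence argument above can be run as code. The following is an added Python example, not Themis and not anything from IRONSCALES, that applies one small detector per artifact the post describes (broken brand spacing, placeholder in the greeting, duplicated block, body date disagreeing with the Date header, a phone number as the only call to action, and a 1x1 open-tracking image) to a constructed HTML message modelled on this one. The HTML layout, Date header, pixel URL (tracking.example.net, not SendGrid's real path) and the leaked address (a placeholder, not the real school district employee) are assumptions.

```python
import re
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime
from html import unescape

# Constructed sample modelled on the message in the post. Layout, Date
# header, pixel URL and the leaked address are assumptions; the artifacts
# the post names are reproduced on purpose so each detector has a target.
SAMPLE = """\
From: "Zelle" <nijhumakter383747+5@gmail.com>
Date: Mon, 15 Dec 2025 09:12:00 +0000
Subject: Payment Sent
Content-Type: text/html

<html><body>
<h1>Z elle</h1>
<p>Hello [jdoe@schooldistrict.example],</p>
<p>A payment of $450.00 was sent on December 9, 2025.
Confirmation: ZL20251209P74829</p>
<div class="summary"><h2>Payment Summary</h2>Amount: $450.00</div>
<div class="summary"><h2>Payment Summary</h2>Amount: $450.00</div>
<p>If you did not authorize this payment, call +1 855-408-4804 now.</p>
<img src="https://tracking.example.net/open?id=abc" width="1" height="1">
</body></html>
"""

MONTHS = ("January|February|March|April|May|June|July|August|"
          "September|October|November|December")


def strip_tags(html: str) -> str:
    """Replace tags with spaces so text on either side stays separated."""
    return unescape(re.sub(r"<[^>]+>", " ", html))


def broken_brand(text: str, brand: str) -> list:
    """Brand letters present but split by whitespace ('Z elle')."""
    pattern = r"\b" + r"\s*".join(re.escape(c) for c in brand) + r"\b"
    return [m.group(0) for m in re.finditer(pattern, text, re.I)
            if re.search(r"\s", m.group(0))]


def placeholder_greeting(text: str):
    """An email address sitting where the recipient's name should be."""
    m = re.search(r"\b(?:Dear|Hello|Hi)\s+[\[{<(]?\s*([\w.+-]+@[\w.-]+\.\w+)", text)
    return m.group(1) if m else None


def duplicated_blocks(html: str, min_len: int = 20) -> list:
    """Block-level chunks whose visible text appears more than once."""
    counts = {}
    for chunk in re.split(r"</(?:div|p|table|tr)>", html, flags=re.I):
        text = re.sub(r"\s+", " ", strip_tags(chunk)).strip()
        if len(text) >= min_len:
            counts[text] = counts.get(text, 0) + 1
    return [t for t, n in counts.items() if n > 1]


def date_mismatch(date_header: str, text: str) -> list:
    """Body dates ('December 9, 2025') that disagree with the Date header."""
    sent = parsedate_to_datetime(date_header).date()
    mismatches = []
    for m in re.finditer(rf"\b({MONTHS})\s+(\d{{1,2}}),\s+(\d{{4}})", text):
        found = datetime.strptime(" ".join(m.groups()), "%B %d %Y").date()
        if found != sent:
            mismatches.append((found.isoformat(), sent.isoformat()))
    return mismatches


def toad_signals(html: str, text: str) -> dict:
    """Links, phone numbers and 1x1 images. A phone number with zero links
    is the TOAD callback pattern; a 1x1 image is an open-tracking pixel."""
    links = re.findall(r"<a\b[^>]*\bhref=", html, re.I)
    phones = re.findall(r"\+?1?[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b", text)
    pixels = re.findall(r'<img\b[^>]*\bwidth="?1"?(?!\d)[^>]*\bheight="?1"?(?!\d)',
                        html, re.I)
    return {"links": len(links), "phones": phones, "pixels": len(pixels)}


def assess(raw: str) -> dict:
    """Run every detector and keep only the signals that fired. No single
    key is a verdict; the number of keys is the convergence the post relies on."""
    msg = message_from_string(raw)
    html = msg.get_payload()
    text = strip_tags(html)
    toad = toad_signals(html, text)
    candidates = {
        "broken_brand": broken_brand(text, "Zelle"),
        "placeholder_greeting": placeholder_greeting(text),
        "duplicated_blocks": duplicated_blocks(html),
        "date_mismatch": date_mismatch(msg["Date"], text),
        "callback_only_cta": toad["phones"] if toad["links"] == 0 else [],
        "tracking_pixels": toad["pixels"],
    }
    return {k: v for k, v in candidates.items() if v}


if __name__ == "__main__":
    for name, value in assess(SAMPLE).items():
        print(f"{name}: {value}")
```

Each detector on its own would be noisy on real mail (a transactional receipt may legitimately carry a support number, and marketing mail routinely carries a tracking pixel); the value is in counting how many fire on one message, which is why `assess` returns the set of signals rather than a boolean.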


Indicators of Compromise

| Type | Indicator | Context |
|---|---|---|
| Sender Email | nijhumakter383747+5@gmail[.]com | Gmail address, display name "Zelle" |
| Sending IP | 134.128.77[.]216 | SendGrid infrastructure |
| DMARC | Fail for gmail.com | Header From/ESP domain mismatch |
| Brand Artifact | "Z elle" (broken spacing) | Template rendering failure |
| Placeholder Leak | Visible email address in greeting | Template variable not substituted |
| Duplicated HTML | Payment Summary block appears twice | Template assembly error |
| Date Mismatch | Confirmation: Dec 9, Sent: Dec 15 | Inconsistent template data |
| TOAD Number | +1 855-408-4804 | Callback phishing, sole CTA |
| Payment Claim | $450.00, confirmation ZL20251209P74829 | Fabricated transaction details |
| Tracking | SendGrid open-tracking pixel | Recipient surveillance |

MITRE ATT&CK Mapping

| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Email delivery of social engineering payload via ESP |
| Phishing for Information | T1598 | TOAD callback designed to extract payment or credential data |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Zelle brand impersonation with fabricated payment confirmation |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
