TOAD, or telephone-oriented attack delivery, is now beating secure email gateways by putting only a phone number in the phishing email, leaving filters no link or attachment to inspect. Researchers published an analysis of roughly 5,000 email-based threat detections that bypassed secure email gateways across multiple enterprise environments between December 2025 and now.
The study found TOAD accounted for nearly 28% of gateway-bypassing detections, with attackers employing a multilayered approach that often included QR codes, fake billing notifications, and prompts to call a number to obtain payment or access. It’s described as a deceptively simple attack: the target receives a fake billing notification impersonating an entity like PayPal, and the phone number is the sole contact point, serving as the payload that enables credential theft or remote access.
According to StrongestLayer, TOAD bypasses every email security architecture because the payload is indistinguishable from legitimate business contact, and the dataset shows a 130% increase in evasion combinations compared with the previous period.
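
A detection heuristic for the pattern described above, as an added example that is not from the researchers or StrongestLayer: it flags a message whose only payload is a phone number inside a billing lure, with no link or attachment, sent from a domain that does not belong to the brand it names. The brand map, the regexes and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand -> legitimate sender domains; extend for your environment.
BRAND_DOMAINS = {"paypal": ("paypal.com",)}
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
URL_RE = re.compile(r"https?://|www\.", re.I)
LURE_RE = re.compile(r"\b(invoice|billing|charged|subscription|renewal|refund|payment)\b", re.I)

# Constructed samples (not real traffic); the phone number is a fictional 555 number.
SAMPLE_TOAD = ("From: Billing <notice@example.net>\nSubject: PayPal invoice\n\n"
               "You were charged $489.99. To dispute, call +1 (800) 555-0142.\n")
SAMPLE_BENIGN = ("From: PayPal <service@paypal.com>\nSubject: Your PayPal receipt\n\n"
                 "View your payment at https://www.paypal.com/activity\n")

def body_and_attachments(msg):
    """Return (decoded text of all text/* parts, number of attachments)."""
    chunks, attachments = [], 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            attachments += 1
        elif part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks), attachments

def toad_signals(raw):
    """List the TOAD indicators present in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    body, attachments = body_and_attachments(msg)
    text = f"{msg.get('Subject', '')}\n{body}"
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    checks = [("phone_number", PHONE_RE.search(text)),
              ("billing_lure", LURE_RE.search(text)),
              ("no_link_or_attachment", not URL_RE.search(text) and attachments == 0)]
    signals = [name for name, hit in checks if hit]
    for brand, domains in BRAND_DOMAINS.items():
        on_brand = any(sender == d or sender.endswith("." + d) for d in domains)
        if brand in text.lower() and not on_brand:
            signals.append(f"brand_mismatch:{brand}")
    return signals

def is_likely_toad(raw):
    """True when a phone number is the only payload and the sender is off-brand."""
    found = set(toad_signals(raw))
    core = {"phone_number", "billing_lure", "no_link_or_attachment"}
    return core <= found and any(s.startswith("brand_mismatch:") for s in found)
```

Legitimate invoices also carry phone numbers, so signals like these are better used to raise a score or route a message for review than to block on their own.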