CASE FILE // PC-2026-04
Status: Open


Filing: 02.09.00 | Field: 27 APR 2026 | Classification: Public | Status: Open

Callback phishing (TOAD): the phone-number-only lure that bypasses every email filter

Average successful callback-phishing incident: $1.10M. The Bazarcall lineage proved the model at scale; modern operators run it as a ransomware-affiliate pipeline. The lure contains no URL and no attachment, only a phone number, which defeats content-scanning by design.

Exhibit A

Why callback phishing is structurally novel


Callback phishing inverts the standard email-phishing payload model. The lure email contains no malicious URL, no malicious attachment, and nothing that an email-gateway content scanner can flag as suspicious. The lure contains a phone number, presented in the body of what looks like a routine invoice, subscription confirmation, or charge-dispute notification. The victim, alarmed by an unexpected charge or unfamiliar subscription, calls the phone number to dispute or cancel. The attacker, operating the phone number on the other end, then delivers the malicious payload through a social-engineering conversation that frequently ends with the victim installing a remote-access tool on their machine.

The pattern is structurally novel because every defensive layer the email-security industry built between 2010 and 2022 was oriented around scanning URLs and attachments for malicious content. A phone number in an email body is not a URL and is not an attachment; it is plain text. Email gateways have no meaningful way to evaluate whether a phone number is malicious because phone numbers in invoices, customer-service emails, and shipping confirmations are routine. The defender problem is that the malicious content lives entirely outside the email message in the subsequent phone conversation. [Proofpoint TOAD research 2022-2024 + Mandiant M-Trends 2024]

Exhibit B

The Bazarcall lineage: from Conti pilot to commodity pattern


The Bazarcall (or BazaCall, also Bazaloader) campaign run by the Conti / TrickBot operators through 2020-2022 was the canonical demonstration of callback phishing at scale. The lure was an invoice or subscription-renewal email that referenced a small dollar amount (typically $50 to $200) for a software or streaming-service subscription the victim had never purchased, with a phone number to call for cancellation. Victims who called were walked through downloading a fake cancellation tool that was, in reality, the Bazaloader backdoor. The backdoor established persistent access that Conti subsequently used to deploy ransomware.

The Bazarcall operators ran the campaign as a high-volume pipeline. Independent estimates from Proofpoint and Microsoft place 2021-2022 daily lure volume in the hundreds of thousands of emails, with call-back conversion rates of approximately 0.5 to 1.5 percent and successful-payload-install rates of approximately 30 to 50 percent of callers. The per-victim ransomware deployment that followed was the high-cost terminal event in the chain.

The 2022 leak of Conti's internal chat logs (the so-called Conti leak) exposed the operational details of the Bazarcall pipeline, including the call-centre infrastructure, the script library for callers, and the financial split with downstream ransomware affiliates. The leak was simultaneously a major boost to defender intelligence and a how-to manual for the next generation of operators. Multiple post-Conti groups (including Quantum, Royal, and several Black Basta affiliates) have run callback-phishing campaigns through 2023-2025 using techniques directly traceable to the leaked Conti playbooks. [Conti leak Feb 2022 + Proofpoint TOAD research 2022-2024 + Mandiant M-Trends 2024]

Exhibit C

The phone-call branch: what actually happens after the victim dials


The phone-call branch is the part of the attack that defenders have least visibility into. A reconstructed transcript from public incident-response work suggests the following pattern. The caller hears a professional-sounding contact-centre answer with hold music and an interactive voice response menu. The script presented to the caller is consistent with a real subscription-cancellation flow. The caller is asked to verify their identity, told that the cancellation cannot be processed without their assistance, and walked through visiting a URL or downloading a cancellation tool. The tool is the malicious payload.

The social-engineering quality of the call branch has improved through 2023-2025 with the same voice-cloning and conversational-LLM technology that has driven the vishing surge (see /by-attack/vishing). Modern callback-phishing operators can run the call branch entirely autonomously through a conversational-AI agent that handles the script, manages the IVR, and walks the victim through the payload installation. The labour cost of running a callback campaign has dropped materially as a result, and the call-quality has improved enough that even alert callers report the experience as indistinguishable from a real customer-service call.

The post-payload pivot is typically rapid. The remote-access tool the victim installed gives the attacker access to the victim's machine and, depending on the victim's privilege level and the corporate environment, access to broader internal resources. Within hours the attacker has established persistence, enumerated the environment, and either deployed ransomware directly or sold the access to a ransomware affiliate. The handoff price for a corporate-network foothold sold to ransomware affiliates runs $5K to $50K in the underground market depending on the target organisation's annual revenue, the access depth obtained, and the speed of the handoff. [Proofpoint + Mandiant transcript reconstruction 2023-2025]

Exhibit D

Cost-line build-up against the $1.10M figure


Cost line                              Share of $1.10M   Dollar figure   Driver
Ransomware response and recovery       42%               $462K           Frequent ransomware-pipeline terminal
Incident response + forensics          16%               $176K           Phone-call attribution work, network forensics
Pivot containment                      13%               $143K           Lateral movement from victim host
Notification + monitoring              10%               $110K           If exfil scope triggered notification
Endpoint reimaging at scale            8%                $88K            Standard post-RAT-install practice
Legal + class-action exposure          6%                $66K            Lower than data-loss-only events
Awareness + helpdesk-script overhaul   5%                $55K            Mandatory post-event

The ransomware-response line dominates because callback phishing terminates in ransomware deployment more often than other phishing vectors. Where the pipeline does not reach ransomware (caught at the pivot-containment stage), the per-event cost drops to approximately $400K. [IBM 2025 callback-vector cohort + Mandiant 2024 ransomware-handoff economics]

Exhibit E

Controls: training-first, behavioural second, SOC-visibility third


#1 Hard organisational rule: never call phone numbers from email

~70% of victim-call rate
Cost: $0 tooling, policy work

A simple, well-communicated rule that any phone-number-driven dispute or cancellation goes through the company's known customer-service number, never the number in the email. Cheap, high-leverage, but requires sustained reinforcement because the lure exploits genuine consumer fear about unexpected charges.

#2 Behavioural email security with phone-number-only lure flagging

~55% of lure delivery
Cost: $42 to $96 per mailbox per year

Modern behavioural email-security platforms (Abnormal, Proofpoint TAP, Tessian-class) can flag the signature pattern of TOAD lures: invoice-shape, no URL, no attachment, prominent phone number from a phone-number-block known to be associated with callback campaigns.
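The signature pattern just described, scored over two constructed messages, as an added example rather than code from the page or from any of the vendors named; the suspect-prefix list, the regexes and the invoice keyword set are assumptions standing in for a commercial feed and a tuned model.

```python
import re
from email import message_from_string

# Constructed sample lure: invoice-shaped, no URL, no attachment, one phone number.
LURE = """\
Subject: Your subscription renewal - invoice #48213
Content-Type: text/plain; charset=utf-8

Your annual subscription has been renewed for $129.99. If you did not
authorize this charge or wish to cancel, call our billing department
at +1 (888) 555-0142 within 24 hours.
"""
# Constructed benign control: same topic, but it carries a URL as real vendor mail does.
BENIGN = """\
Subject: Your receipt
Content-Type: text/plain; charset=utf-8

Thanks for renewing. Manage your subscription at https://example.invalid/account
or call support at +1 (800) 555-0199.
"""
# Hypothetical prefix list standing in for a commercial callback-number feed.
SUSPECT_PREFIXES = ("1888555",)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
INVOICE_TERMS = ("invoice", "subscription", "renew", "charge", "cancel")

def score_toad_lure(raw_email: str) -> dict:
    """Collect the TOAD indicators from a raw RFC 822 message and return a verdict."""
    msg = message_from_string(raw_email)
    text, has_attachment = [msg.get("Subject", "")], False
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            has_attachment = True
        elif part.get_content_type() == "text/plain":
            text.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    joined = "\n".join(text)
    # Normalise each number to digits only so it can be compared with the feed.
    phones = sorted({re.sub(r"\D", "", m.group()) for m in PHONE_RE.finditer(joined)})
    indicators = {
        "no_url": URL_RE.search(joined) is None,
        "no_attachment": not has_attachment,
        "invoice_shape": sum(t in joined.lower() for t in INVOICE_TERMS) >= 2,
        "has_phone": bool(phones),
        "known_bad_number": any(p.startswith(SUSPECT_PREFIXES) for p in phones),
    }
    # A lure needs all four structural signals; a feed hit only raises the severity.
    flagged = all(indicators[k] for k in ("no_url", "no_attachment", "invoice_shape", "has_phone"))
    verdict = "high" if flagged and indicators["known_bad_number"] else "review" if flagged else "pass"
    return {"verdict": verdict, "phones": phones, **indicators}
```

The benign control passes only because of its URL; a real vendor receipt without one would land in "review", which is the expected trade-off of a structural rule.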

#3 SOC visibility into outbound calls to suspect numbers

~40% of call-branch completion
Cost: UCaaS-integration work, typically $20K-$80K

Integration between the corporate phone system and SOC tooling that flags outbound calls to phone numbers on commercial threat-intelligence feeds. Catches the call attempt in real time before payload delivery.
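As an added example of the outbound-call check (not code from the page or from any UCaaS vendor), this correlates constructed call-detail records against a hypothetical TI feed and against numbers the mail gateway saw arrive in the caller's own mailbox, so a call to a number that came in by email is surfaced even when the feed has not caught up; the record format, the feed and the 24-hour window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed input: numbers the mail gateway extracted from inbound mail, digits only,
# as (recipient, number, delivery time). The shape is hypothetical.
MAIL_PHONES = [
    ("alice@corp.example", "18885550142", datetime(2026, 4, 27, 9, 2)),
    ("bob@corp.example", "18005550199", datetime(2026, 4, 27, 8, 40)),
]
# Constructed UCaaS call-detail records: start time, caller, dialled digits as typed, duration.
CDR = """\
2026-04-27T09:31:00 alice@corp.example 1 (888) 555-0142 00:06:12
2026-04-27T10:05:00 carol@corp.example 18885550142 00:00:45
2026-04-27T11:00:00 bob@corp.example +1 800 555 0199 00:02:03
2026-04-27T11:20:00 dave@corp.example 12125550100 00:03:10
"""
FEED = {"18885550142"}          # hypothetical TI feed of callback-campaign numbers
WINDOW = timedelta(hours=24)    # how long after delivery a call is treated as a callback

def parse_cdr(text):
    """Yield (start, caller, digits) per record; the dialled number may span several tokens."""
    for line in text.splitlines():
        parts = line.split()
        digits = re.sub(r"\D", "", "".join(parts[2:-1]))
        yield datetime.fromisoformat(parts[0]), parts[1], digits

def flag_outbound_calls(cdr_text, mail_phones, feed, window):
    """Return one alert per outbound call that hits the feed or dials a number delivered by email."""
    alerts = []
    for start, caller, digits in parse_cdr(cdr_text):
        reasons = []
        if digits in feed:
            reasons.append("feed-match")
        # Correlation: the caller dials a number that arrived in their own mailbox recently.
        if any(r == caller and n == digits and timedelta(0) <= start - t <= window
               for r, n, t in mail_phones):
            reasons.append("number-from-email")
        if reasons:
            severity = "high" if len(reasons) == 2 else "medium"
            alerts.append({"caller": caller, "number": digits,
                           "severity": severity, "reasons": reasons})
    return alerts
```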

#4 EDR with RAT-install detection on user endpoints

~80% of post-install pivot
Cost: EDR licence (typically $40-$100 per endpoint per year)

Endpoint detection-and-response catches the remote-access-tool install if the EDR has been deployed and tuned. Late in the chain but the last line before the attacker establishes persistence.

#5 Standing rule: helpdesk never installs unfamiliar tools at user request

~30% of helpdesk-assisted install rate
Cost: $0 tooling, runbook update

Some callback-phishing operators escalate from the victim to the helpdesk, asking the helpdesk to install the cancellation tool. A hard helpdesk rule prevents the assisted-install pivot.

#6 Targeted awareness module on callback phishing

~20% of click rate over 12 months
Cost: $2 to $5 per user per year incremental

Vendors including KnowBe4, Hoxhunt, and Cofense ship callback-specific simulation modules. Trains users on the no-URL invoice pattern as a distinct lure type.

Exhibit F

The 2023-2025 wave: Quantum, Royal, Black Basta affiliations


Post-Conti callback-phishing has been run as a service-layer attack by multiple ransomware affiliates. Quantum Locker (active 2022-2023, since rebranded multiple times) used callback as a primary initial-access mechanism. Royal Ransomware (active 2022-2024, now operating as BlackSuit) ran similar campaigns. Black Basta affiliates have used callback patterns through 2023-2025 with progressively more polished call-branch infrastructure.

The structural pattern across these groups is the separation between the callback operator (who runs the lure and call infrastructure) and the ransomware operator (who runs the downstream deployment). The handoff is transactional: the callback operator sells the established foothold to the ransomware affiliate for a fixed price, typically $5K to $50K depending on the victim profile, and the ransomware affiliate runs the extortion. This affiliate-economy structure means defender attribution is frequently muddled because the callback operator and the ransomware operator may be entirely separate organisations.

The defender implication is that disrupting callback phishing requires disrupting the affiliate economy as well as the technical infrastructure. CISA, FBI, and international law-enforcement partners have made progress on this through 2024-2025 with sanctions designations against several ransomware operators and takedowns of multiple affiliate-recruitment forums. The effect on the underground market has been to compress affiliate margins and slow the on-ramp for new operators, but the established players have largely persisted. [CISA + FBI ransomware advisory tracker 2024-2025 + Mandiant M-Trends 2025]

Exhibit G

Frequently filed questions


What is callback phishing?

A phishing pattern where the lure email contains a phone number to call instead of a malicious URL or attachment. The malicious payload is delivered through the phone-call branch via social engineering or remote-access-tool installation.

What does callback phishing cost?

$1.10M average per successful incident. Dominated by the ransomware-response line because callback frequently terminates in ransomware deployment.

Why is it so hard to filter?

The lure email contains no URL and no attachment. The malicious content lives in the subsequent phone conversation. Email gateways have no meaningful way to evaluate whether a phone number in an email is malicious.

What was Bazarcall?

A 2020-2022 callback-phishing campaign run by the Conti / TrickBot operators that delivered the Bazaloader backdoor via callback to fake subscription-cancellation hotlines. The canonical demonstration of the model at scale.

Is AI changing callback phishing?

Yes. Voice-cloning and conversational-LLM technology have automated the call-branch script and improved call quality. Modern operators run the call branch entirely autonomously through conversational-AI agents.

What is the ransomware-handoff price?

$5K to $50K per corporate-network foothold sold to ransomware affiliates, depending on the victim organisation's revenue, access depth, and speed of handoff.

What is the highest-leverage defence?

A hard organisational rule that no employee should ever call a phone number from an unverified email. Combined with behavioural-email-security flagging of phone-number-only lures.

Updated 2026-04-27