Beyond the Link: How Threat Actors Weaponize VoIP Infrastructure for Sophisticated Phishing
While most cybersecurity defense strategies focus heavily on malicious URLs and file hashes, a more subtle—and highly effective—tactical shift is underway. Threat actors are increasingly moving away from traditional “click-based” phishing in favor of Telephone-Oriented Attack Delivery (TOAD). In this model, the primary payload isn’t a link, but a phone number embedded within a deceptive email, serving as a critical new Indicator of Compromise (IOC).
By directing victims to call attacker-controlled numbers, scammers move the interaction from an automated digital environment to a high-pressure, real-time social engineering session. This allows them to manipulate targets through voice, facilitating credential theft, unauthorized financial transfers, or guided malware installations with much higher success rates.
Recent research from Cisco Talos highlights that Voice over Internet Protocol (VoIP) services are the engine driving this evolution. Due to their low overhead, ease of automation via APIs, and rapid provisioning capabilities, VoIP infrastructure is being abused at an industrial scale. During a telemetry study conducted between late February and March 2026, a staggering 60% of the ten largest scam campaigns analyzed relied heavily on VoIP infrastructure.
The ecosystem is split between wholesalers (such as Twilio or Bandwidth), which supply bulk numbers to smaller entities, and retailers (like RingCentral), which provide services directly to end-users. However, the primary vector for mass fraud is Communications Platform-as-a-Service (CPaaS) providers. These platforms allow attackers to programmatically generate massive volumes of unique, globally routable numbers that can be passed seamlessly across the Public Switched Telephone Network (PSTN). Talos identified Sinch as one of the most frequently exploited providers in observed campaigns.

The Lifecycle of Disposable Telephony
To evade modern reputation-based security filters, attackers have mastered the art of “disposable” infrastructure. They don’t just use many numbers; they use them strategically to minimize their digital footprint.
In a deep dive into campaigns impersonating major brands like PayPal, Geek Squad, McAfee, and Norton LifeLock, Talos identified 1,652 unique phone numbers. The data reveals a highly transient lifecycle: only about 3.4% of these numbers were reused across consecutive days. Most numbers were active for a window of just two to six days, with a median lifespan of approximately 14 days.

This rapid turnover is supplemented by “cool-down” periods. Attackers will temporarily retire a number to let its reputation “settle” before reintroducing it, effectively staying one step ahead of blocklists that struggle to keep pace with such rapid infrastructure rotation.
Furthermore, attackers demonstrate high levels of operational maturity by reusing the same number across entirely different lures. A single number might be used in a “billing error” email for PayPal and a “subscription renewal” alert for Norton LifeLock. This suggests a centralized call center infrastructure capable of handling diverse social engineering scripts.
To bypass traditional email security gateways, attackers are also hiding these numbers within non-standard file formats. We are seeing an increase in numbers embedded within PDFs and HEIC (High Efficiency Image Container) files—the standard format for modern iOS devices. By using HEIC, attackers take advantage of the fact that many legacy security tools are not optimized to perform deep content inspection on high-efficiency mobile image formats.

Evolving the Defense: Telephony as an IOC
The implications for security operations are clear: we can no longer treat phone numbers as mere “metadata.” They must be elevated to the status of a primary Indicator of Compromise (IOC).
By clustering these phone numbers, researchers can map the underlying architecture of organized crime syndicates, uncovering links between seemingly disparate campaigns. This shift from tracking disposable email addresses to tracking more stable telephony infrastructure provides a much higher signal-to-noise ratio for defenders.
To combat this, security teams should prioritize the following:
- Integrated Reputation Systems: Implement real-time intelligence that incorporates telephony data alongside traditional URL and file hash reputation.
- Cross-Sector Collaboration: Increased intelligence sharing between CPaaS providers, traditional telecom operators, and cybersecurity researchers is vital to disrupt number provisioning at the source.
- Advanced Content Inspection: Ensure email security gateways are capable of inspecting modern image formats like HEIC for embedded text and phone numbers.
As threat actors continue to refine their use of VoIP, the battlefield is shifting from the inbox to the handset. For defenders, the key to victory lies in understanding the infrastructure that makes the call possible.