TOAD Attacks: Weaponising Legitimate Zoom Infrastructure
- FEBRUARY 9TH, 2026
- 2 min read
Imagine receiving a meeting invitation from a legitimate @zoom.us email address that turns out to be a phishing invitation. This is the new reality of Telephone-Oriented Attack Delivery (TOAD) as researched by Prophet.ai in January 2026. By merging a real digital invitation with a fraudulent phone-based “support” interaction, cybercriminals are successfully hijacking corporate accounts through the very tools we use to stay connected.
What is the Attack?
1. The Hook: Attackers use a real Zoom account to send a “Meeting Invitation” or “Webinar Registration” to the victim. The email is generated by Zoom’s actual servers; it passes all technical checks (SPF, DKIM, DMARC).
2. The Social Engineering: The invitation contains a “Support” phone number in the description, often claiming there is a problem with the user’s account or a pending “unauthorized” charge that needs to be cancelled.
3. The TOAD Element: The victim calls the number and speaks to a fake agent. This agent guides the victim to Zoom’s legitimate device pairing page (zoom.us/pair).
4. The Payload: The attacker provides a code for the victim to enter on the legitimate Zoom page. This action links the attacker’s device to the victim’s corporate Zoom account, giving the criminal full access to meetings, recordings, and contacts.
How to Protect Your Organization
1. Employee Awareness: Remind employees that legitimate Zoom support will never ask you to call a number found within a meeting invite to “fix” an account issue. Use only official support portals.
2. Suspicious Invites: Employees should immediately report unexpected meeting invites from unknown senders if they include a phone number for “cancellation” or “billing.”
3. Restrict Device Pairing: If your organization does not use Zoom Room hardware or specific pairing features, administrators should disable the “Device Pairing” functionality in the Zoom Admin Portal.
4. Enforce Strong MFA: Ensure that Multi-Factor Authentication (MFA) is required for all logins.
5. Monitor for Anomalous Sign-ins: Set up alerts for logins or device registrations originating from unusual geographic locations or unrecognized IP ranges.
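A mail-flow triage check for point 2, added here as an example (it is not code from the advisory, from Prophet.ai or from Zoom). Because these invitations come from real zoom.us servers and pass SPF/DKIM/DMARC, the rule has to inspect the attacker-controlled description text, and it flags a phone number only when it appears together with billing or cancellation wording, since ordinary invites carry dial-in numbers. The sample invites and their field names are constructed.

```python
import re

# Constructed sample invitations modelled on the advisory's description.
# Field names and wording are illustrative assumptions, not Zoom's real
# notification schema. All three come from a zoom.us sender and pass
# SPF/DKIM/DMARC, so sender authentication alone cannot separate them.
SAMPLE_INVITES = [
    {"id": "inv-1", "sender": "no-reply@zoom.us", "auth_result": "pass",
     "description": ("Your account has a pending unauthorized charge of $399. "
                     "To cancel the billing, call Support at +1 (800) 555-0199.")},
    {"id": "inv-2", "sender": "no-reply@zoom.us", "auth_result": "pass",
     "description": ("Q1 planning review. Dial in: +1 646 555 0100, "
                     "Meeting ID 123 456 7890.")},
    {"id": "inv-3", "sender": "no-reply@zoom.us", "auth_result": "pass",
     "description": "Webinar: Cloud Security Basics. Questions? Email host@example.com."},
]

# Loose North-American-style phone pattern; tune for your region.
PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Lure vocabulary from the attack described: account problems, charges, cancellation.
LURE_RE = re.compile(
    r"\b(billing|bill|cancel\w*|charge\w*|unauthori[sz]ed|refund|support)\b", re.I)


def classify_invite(invite):
    """Return (verdict, reasons). Phone numbers alone are normal in invites
    (dial-in lines), so only a phone number co-located with lure wording in
    the free-text description is sent for review."""
    text = invite["description"]
    phones = PHONE_RE.findall(text)
    lures = sorted({m.lower() for m in LURE_RE.findall(text)})
    reasons = []
    if phones and lures:
        reasons.append(f"phone number co-located with lure terms {lures}")
    # Authentication results are recorded but never lower the verdict:
    # the advisory's point is that these messages pass SPF/DKIM/DMARC.
    if invite["auth_result"] == "pass" and reasons:
        reasons.append("sender authentication passed (legitimate infrastructure abused)")
    return ("review", reasons) if reasons else ("allow", reasons)


def triage(invites=SAMPLE_INVITES):
    """Map invite id to verdict for a batch of invitations."""
    return {inv["id"]: classify_invite(inv)[0] for inv in invites}


if __name__ == "__main__":
    for inv in SAMPLE_INVITES:
        verdict, why = classify_invite(inv)
        print(inv["id"], verdict, "; ".join(why))
```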