**ATHR** automates the entire Telephone-Oriented Attack Delivery (TOAD) process, from initial email lure to voice-based social engineering and credential harvesting. This end-to-end automation significantly lowers the technical bar for launching sophisticated vishing attacks. ### ATHR Attack Chain According to researchers at **Abnormal**, a cloud email security company, ATHR functions as a comprehensive phishing/vishing attack generator. It provides brand-specific email templates, per-target customization, and spoofing capabilities to convincingly impersonate trusted senders. Currently, ATHR supports eight online services: **Google**, **Microsoft**, **Coinbase**, **Binance**, **Gemini**, **Crypto.com**, **Yahoo**, and **AOL**. The attack sequence begins with a seemingly legitimate email designed to bypass initial scrutiny and even technical authentication checks. "The lure is typically a fake security alert or account notification - something urgent enough to prompt a phone call but generic enough to avoid triggering content-based filters," **Abnormal** noted in their recent report. Calling the provided phone number connects the victim through **Asterisk** and **WebRTC** to AI voice agents. These agents, driven by carefully designed scripts, guide the victim through the data theft process. The AI agents follow a structured script that simulates a security incident. In the case of **Google** accounts, the agents mimic the account recovery and verification process, using pre-set prompts to control their tone, approach, and behavior, emulating professional support staff.  **ATHR's AI agent script builder tool** *Source: Abnormal* The primary objective of this fabricated recovery process is to extract a six-digit verification code, granting the attacker unauthorized access to the victim's account. While ATHR offers the option to route calls to human operators, its AI agent capability is a key differentiator, enabling scalable and automated attacks. ATHR's dashboard provides operators with complete control over the entire attack process, including real-time data for each target. Through this panel, operators manage email distribution, handle calls, oversee phishing operations, monitor real-time outcomes, and access logs containing stolen data.  **ATHR main dashboard** *Source: Abnormal* **Abnormal** researchers emphasize that ATHR significantly reduces the manual effort required for operators, providing threat actors with an integrated platform to manage all stages of a TOAD attack without needing to configure individual components. This democratization allows less technically skilled attackers to deploy automated vishing attacks from start to finish. "The shift from a fragmented, manually intensive operation to a productized, largely automated one means TOAD attacks no longer require large teams or specialized infrastructure," **Abnormal** warns. With the proliferation of platforms like ATHR, researchers anticipate a surge in vishing attacks that are increasingly difficult to distinguish from legitimate communications. Defending against these attacks requires a different approach, as the lure emails often lack traditional indicators, are customized for authentication, and appear as valid notifications. However, detection is possible by analyzing communication patterns between senders and recipients and identifying instances where similar lures containing phone numbers are sent to an organization within a short timeframe. **Abnormal** researchers suggest that modeling normal communication behavior across an organization can help AI-powered detection systems flag anomalies before targets make a call.