Egidio
Report · 2026

When antivirus isn't enough anymore

Today's phishing doesn't always look like a badly spelled email with a sketchy link. Two documented techniques specifically bypass automated defenses — one gets around two-factor authentication, the other slips past spam filters.

🕵️Post-authentication session theft (AiTM)

Rather than stealing a password, this technique intercepts the session right after the victim validates their two-factor code — the attacker positions themselves as an invisible intermediary between the victim and the real service. The result: two-factor authentication did happen, but it accomplished nothing. In October 2025 alone, Microsoft blocked more than 13 million malicious emails linked to a single one of these kits ("Tycoon 2FA"), used against Microsoft 365 accounts worldwide.

Microsoft Defender for Office 365, October 2025

☎️Telephone-oriented attack delivery (TOAD) phishing

An email with no link or attachment: just a number to call back about a suspicious invoice or a subscription to confirm. With no URL to scan or file to analyze, classic automated filters catch nothing — the scam plays out entirely on the phone, where a fake advisor walks the victim through installing remote-access software or handing over credentials. Research firm Trustwave measured a 140% rise in these campaigns between July and September 2024, with Microsoft, Norton, PayPal and DocuSign among the most impersonated brands.

Trustwave, 2024-2025

The common thread: bypassing automation, not attention

Neither technique exploits a technical flaw in the classic sense — they exploit a structural limit of automated detection tools, by removing the very element those tools know how to analyze (a link, an attachment). What's left is a human interaction built to look legitimate: a login page identical to the real one, or a reassuring voice on the phone. That's exactly the kind of pattern a multi-channel protection needs to learn to recognize rather than scan.

🔒 A callback number in a suspicious email, or a login page asking again for a code you already entered: two signals a classic filter can miss, but that an engine connecting the channels together can cross-reference. See how Medusa works.

Frequently asked questions

Does two-factor authentication still protect against phishing?

It's still useful against simple password theft, but not against an "adversary-in-the-middle" attack: the attacker intercepts the session right after the victim validates their code, so two-factor authentication has already happened — uselessly.

What is telephone-oriented attack delivery (TOAD) phishing?

An email with no link or attachment, just a phone number to call back for a credible reason (an invoice, a subscription). Once on the phone, a fake advisor walks the victim through installing software or handing over credentials.

Why do these techniques slip past automated filters?

Because they often contain neither a suspicious link nor a malicious attachment to scan — the scam plays out in human interaction, on the phone or on a page that perfectly mimics the real one.

Go further