New ATHR Platform Automates AI-Driven Vishing Attacks to Steal Credentials
A new phishing platform blends AI and human operators
A cybercrime platform called ATHR is being marketed as a turnkey way to run fully automated voice phishing, or vishing, campaigns that combine email lures, phone-based social engineering and credential theft in a single package. According to researchers at cloud email security company Abnormal, the service is designed to carry out the full telephone-oriented attack delivery, or TOAD, chain with minimal effort from the operator.
The platform is advertised on underground forums for $4,000, plus a 10% commission on profits. Abnormal says ATHR can be used to steal login data for multiple major services, including Google, Microsoft and Coinbase, and at the time of its analysis it supported eight online services in total: Google, Microsoft, Coinbase, Binance, Gemini, Crypto.com, Yahoo and AOL.
Email lures lead victims into phone-based scams
ATHR is built to manage the attack from the first lure to the final data capture. The process begins with an email that is meant to pass both casual scrutiny and technical authentication checks. The messages are tailored to specific brands and targets, and the platform includes spoofing mechanisms intended to make the email appear as though it came from a trusted sender.
Abnormal says the lure is usually framed as a fake security alert or account notification, chosen because it is urgent enough to provoke a call but generic enough to avoid content-based filters.
“The lure is typically a fake security alert or account notification - something urgent enough to prompt a phone call but generic enough to avoid triggering content-based filters,” Abnormal notes in its report.
That phone call is where ATHR’s automation becomes most notable. When a victim dials the number included in the email, the call is routed through Asterisk and WebRTC to AI voice agents powered by prompts that direct the interaction.
AI agents handle the social engineering
Protect your privacy with Doppler VPN
3-day free trial. No registration. No logs.
The voice agents are set up to guide the target through a scripted security scenario, using preset prompts that shape tone, persona and behavior to resemble legitimate support staff. In Google-themed attacks, for example, the system imitates account recovery and verification procedures, with the goal of persuading the victim to provide a six-digit verification code.
That code is the key piece of information needed to take over the account.
ATHR does not rely solely on AI. The platform also offers the option to route calls to a human operator. But Abnormal says the AI option is what makes the system stand out, because it allows the social engineering phase to be automated rather than requiring a live scammer to stay on the line for each target.
The result is a platform that can run the whole attack chain with little manual intervention. ATHR’s dashboard gives operators control over email distribution, call handling and phishing operations, while also providing real-time target-level data and logs containing stolen information.
A more packaged version of TOAD attacks
Abnormal describes ATHR as a complete phishing and vishing attack generator. That framing matters because TOAD attacks have traditionally required attackers to assemble several pieces themselves: email infrastructure, calling systems, scripts, credential collection tools and a team capable of handling victims in real time.
ATHR collapses those steps into a single interface. Researchers warn that this reduces the technical barrier for would-be attackers and makes it possible for less experienced criminals to launch automated vishing campaigns without building their own infrastructure.
“The shift from a fragmented, manually intensive operation to a productized, largely automated one means TOAD attacks no longer require large teams or specialized infrastructure,” Abnormal warns.
That productization is what makes ATHR especially concerning. By blending human operators with AI voice agents, the platform gives attackers flexibility while removing much of the labor that once limited the scale of these scams. The email lure, the phone call, the scripted recovery flow and the final harvesting of credentials are all managed within the same system, creating a streamlined path from first contact to account compromise.
As AI tools become easier to deploy, ATHR shows how quickly those capabilities can be folded into criminal services. In this case, the technology is not just assisting phishing; it is helping automate the entire social engineering operation.
Sources: