ATHR turns vishing into a productized SaaS — AI agents handle the calls

ATHR is a new underground platform that productizes telephone-oriented attack delivery (TOAD) end-to-end: email lure generation, brand-specific templates, sender spoofing, Asterisk/WebRTC call routing, and AI voice agents that social-engineer the victim through a fake account-recovery flow. Abnormal researchers found it sells for $4,000 plus a 10% revenue cut, and currently targets Google, Microsoft, Coinbase, Binance, Gemini, Crypto.com, Yahoo, and AOL. The objective in most flows is extracting a six-digit verification code to hijack the account.

What matters here isn’t the attack mechanics — vishing is old — it’s the collapse of the skill floor. Previous TOAD operations required a call center, scripts, infrastructure wiring, and operators who could hold a conversation. ATHR replaces all of that with prompts and a dashboard. A solo operator with no infrastructure can now run campaigns that previously needed a team, and the AI agent scales without fatigue or accent drift.

Detection on the inbound email is effectively dead: the lures carry no payload, pass authentication, and are customized per target. The defensive pivot Abnormal proposes is behavioral — model normal sender/recipient communication patterns across the org and flag anomalies like multiple recipients receiving similar phone-number lures in a short window. The signal moves from content to coordination.