Cisco Talos has documented a structural detection gap in how email security platforms and SIEMs handle phone numbers embedded in phishing lures. Threat actors running Telephone-Oriented Attack Delivery (TOAD) campaigns impersonate PayPal, Geek Squad, McAfee, and Norton LifeLock using rotating VoIP numbers with 14-day median persistence, a signal class that most organizations do not extract, track, or correlate as an IOC. This is a threat intelligence program gap, not a patchable vulnerability.