Targeted Recruitment Phishing Campaign Impersonating Palo Alto Networks


Since August 2025, Unit 42 has been tracking a sophisticated series of phishing campaigns where attackers impersonate Palo Alto Networks talent acquisition staff. These campaigns specifically target senior-level professionals by leveraging scraped LinkedIn data to create highly personalized and convincing lures. The primary goal of the scam is to exploit the professional ambitions of candidates by manufacturing bureaucratic barriers that can only be resolved through a paid service.

Severity: Moderate

Threat Details

1. Target Acquisition and Initial Outreach

  • Targeting: The campaign focuses on senior-level professionals.
  • Data Sourcing: Attackers use scraped LinkedIn data to craft personalized messages.
  • Establishment of Rapport: Attackers pose as legitimate company representatives, often using flattering language and citing specific career achievements (e.g., “staggering 30X growth”) to build trust.
  • Visual Deception: Phishing emails often include legitimate company logos in the signature block to appear authentic.

2. The “Manufactured Crisis” Lure

  • The ATS Barrier: Attackers falsely claim that a candidate’s curriculum vitae (CV) failed to meet the requirements of the Applicant Tracking System (ATS).
  • Artificial Scoring: To increase pressure, they provide a fake “ATS score” (e.g., a score of 39) and claim this puts the candidate at a disadvantage compared to others.
  • Urgency: The “recruiter” often creates a high-pressure environment by claiming the “review panel” has already begun or that the position will be “wrapped up” within a very tight timeframe.

3. The Scam and Monetization

  • The Hand-off: Once the “crisis” is established, the recruiter refers the victim to a third-party “CV expert” who is supposedly helping other successful candidates.
  • Service Tiers: The “expert” offers various “positioning packages” to guarantee ATS alignment:
    • Executive ATS alignment: $400
    • Leadership positioning package: $600
    • End-to-end executive rewrite: $800
  • Rapid Turnaround: The expert promises to deliver the updated CV within hours to meet the artificial review window.

Recommendations

  1. Ensure emails come from @paloaltonetworks[.]com rather than look-alike domains (e.g., @paloaltonetworks-careers[.]com) or public Gmail accounts.
  2. If initial contact occurs on LinkedIn, request that the conversation move to an official corporate email or the company’s internal applicant portal.
  3. Treat any request for payment during recruitment as an immediate red flag; legitimate employers do not charge candidates.
  4. Verify recruiters on official company websites or check their LinkedIn history for longevity and connections.
  5. Do not download or open files labeled as “ATS diagnostic reports” or “Resume templates” from unverified sources, as these may contain malware.
  6. Be skeptical of “manufactured crises,” such as claims of low ATS scores or “time-sensitive” review windows designed to force quick, unvetted financial decisions.
  7. Block the IOCs listed below at their respective security controls.
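
Recommendation 1 can be applied as a mail-triage check. The sketch below is an added example, not code from Unit 42 or from this advisory's author: it classifies a From header as official, look-alike domain, or brand impersonation on a public mailbox. The function names, the freemail list and the brand tokens are assumptions, and the sample headers are constructed around addresses that appear in this advisory.

```python
import re
from email.utils import parseaddr

OFFICIAL_DOMAIN = "paloaltonetworks.com"          # recommendation 1
# Brand strings to flag; the second is the misspelling seen in the advisory's IOCs.
BRAND_TOKENS = ("paloalto", "paloalnetworks")
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumption: illustrative subset


def refang(value: str) -> str:
    """Undo the advisory's defanging so addresses can be parsed."""
    return value.replace("[.]", ".").replace("[@]", "@")


def has_brand(text: str) -> bool:
    """True if text, stripped of separators and case, contains a brand token."""
    squashed = re.sub(r"[^a-z0-9]", "", text.lower())
    return any(token in squashed for token in BRAND_TOKENS)


def classify_sender(from_header: str) -> str:
    """Return a triage verdict for one From header value."""
    display, addr = parseaddr(refang(from_header))
    local, sep, domain = addr.lower().rpartition("@")
    if not (sep and local and domain):
        return "unparseable"
    # Exact match only: a From header is forgeable, so an "official" verdict
    # still needs a passing DMARC result before the message is trusted.
    if domain == OFFICIAL_DOMAIN:
        return "official"
    if domain in FREEMAIL:
        brand = has_brand(local) or has_brand(display)
        return "freemail_brand" if brand else "freemail"
    if has_brand(domain):
        return "lookalike_domain"
    if has_brand(display):
        return "display_name_brand"
    return "other"


if __name__ == "__main__":
    samples = [  # constructed headers; addresses marked (advisory) come from this page
        "Recruiting <careers@paloaltonetworks.com>",
        "jobs@paloaltonetworks-careers[.]com",          # (advisory) look-alike domain
        "recruiter.paloalnetworks[@]gmail[.]com",       # (advisory) IOC
        "Palo Alto Networks Talent Acquisition <hr@example.org>",
    ]
    for header in samples:
        print(f"{classify_sender(header):20} {header}")
```

A sender such as phillipwalters006[@]gmail[.]com carries no brand string and is classified only as `freemail`, which is why blocking the listed IOCs (recommendation 7) is still needed alongside a domain check.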

IOCs:

Email ID: paloaltonetworks[@]gmail[.]com
Email ID: recruiter.paloalnetworks[@]gmail[.]com
Email ID: phillipwalters006[@]gmail[.]com
Email ID: posunrayi994[@]gmail[.]com

Source:

  • https://unit42.paloaltonetworks.com/phishing-attackers-pose-as-panw-recruiters/
