Threat Brief: Recruiting Scheme Impersonating Palo Alto Networks Talent Acquisition Team
Since August 2025, a sophisticated phishing campaign has targeted senior professionals by impersonating Palo Alto Networks recruiters. Attackers use scraped LinkedIn data to build rapport, then falsely claim the victim's resume failed an Applicant Tracking System (ATS), ultimately soliciting fees for fraudulent resume optimization services.
Authors: Unit 42
Source: Palo Alto Networks
- Domain: paloaltonetworks-careers[.]com - Look-alike domain used by scammers to deceive victims.
- Email: paloaltonetworks@gmail[.]com - Attacker email address used for initial outreach and impersonation.
- Email: recruiter.paloalnetworks@gmail[.]com - Attacker email address used for initial outreach and impersonation.
Key Takeaways
- Attackers are impersonating Palo Alto Networks recruiters to target senior-level professionals using scraped LinkedIn data.
- The scam involves manufacturing a fake Applicant Tracking System (ATS) failure to create urgency and lower the victim's defenses.
- Victims are pressured into paying fees ranging from $400 to $800 for fraudulent resume rewriting services.
- Attackers use look-alike domains and free email providers (e.g., Gmail) while utilizing legitimate company logos to appear authentic.
- The campaign may also involve malicious attachments disguised as 'ATS diagnostic reports' or 'Resume templates'.
Affected Systems
- Senior-level professionals
- Job seekers
Attack Chain
Attackers initiate contact via email, posing as Palo Alto Networks recruiters and using scraped LinkedIn data to personalize the message. Once rapport is established, they manufacture a crisis by claiming the candidate's resume failed an Applicant Tracking System (ATS) check. The attacker then introduces a third-party 'expert' who offers to rewrite the resume for a fee ranging from $400 to $800, creating artificial time pressure to force payment. The attackers may also attempt to compromise the victim's device by sending malicious attachments disguised as ATS diagnostic reports or resume templates.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the article.
Detection Engineering Assessment
- EDR Visibility: Low — This is primarily an email-based social engineering and financial scam. EDR would only have visibility if the victim downloads and executes a malicious attachment.
- Network Visibility: Low — Traffic is likely standard HTTPS to webmail or LinkedIn, making network-level detection of the scam difficult without deep email gateway inspection.
- Detection Difficulty: Moderate — Detecting impersonation requires robust email filtering rules checking for look-alike domains and unauthorized use of corporate branding from free email providers.
Required Log Sources
- Email Gateway Logs
- Web Proxy Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Search email gateway logs for inbound emails from free providers (e.g., gmail.com) containing corporate recruiter keywords and company names in the display name. | Email Gateway Logs | Initial Access | Medium |
| Identify inbound emails containing attachments named 'ATS diagnostic reports' or 'Resume templates' originating from unverified or external domains. | Email Gateway Logs | Execution | Low |
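The two hunting hypotheses above, expressed as a small Python triage routine over constructed email-gateway records (an added example, not code from the Unit 42 article); the sanctioned-domain and free-provider lists are assumptions for illustration.

```python
import re

# Constructed sample gateway records (not real traffic). Addresses mirror the IOC
# patterns in this brief with the "[.]" defanging removed so they parse.
SAMPLE_EMAILS = [
    {"id": 1, "from": "recruiter.paloalnetworks@gmail.com",
     "display_name": "Palo Alto Networks Talent Acquisition", "attachments": []},
    {"id": 2, "from": "hr@paloaltonetworks-careers.com",
     "display_name": "Careers Team", "attachments": ["ATS_diagnostic_report.docx"]},
    {"id": 3, "from": "alice@paloaltonetworks.com",
     "display_name": "Alice (Recruiting)", "attachments": []},
    {"id": 4, "from": "bob@gmail.com", "display_name": "Bob",
     "attachments": ["photo.jpg"]},
]

LEGIT_DOMAINS = {"paloaltonetworks.com"}                  # assumed sanctioned sender domain
FREE_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed free-mail list
BRAND_TOKENS = ("paloalto", "paloalnetworks")   # includes the typo-squat seen in the IOCs
RECRUITER_WORDS = re.compile(r"recruit|talent|careers|hiring", re.I)
LURE_ATTACHMENT = re.compile(r"ats[ _-]?diagnostic|resume[ _-]?template", re.I)


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def assess(email):
    """Return the list of hunting-hypothesis hits for one gateway record."""
    hits = []
    local, domain = email["from"].lower().rsplit("@", 1)
    name = email["display_name"].lower()
    # H1: free-mail sender whose display name or mailbox borrows the brand / recruiter wording
    brand_in_name = "palo alto" in name or any(t in local for t in BRAND_TOKENS)
    if domain in FREE_PROVIDERS and (brand_in_name or RECRUITER_WORDS.search(name)):
        hits.append("freemail_recruiter_impersonation")
    # Look-alike: brand token inside a domain that is not a sanctioned corporate domain
    if domain not in LEGIT_DOMAINS and any(t in domain.replace("-", "") for t in BRAND_TOKENS):
        hits.append("lookalike_domain")
    # H2: external sender carrying an 'ATS diagnostic report' / 'resume template' lure
    if domain not in LEGIT_DOMAINS and any(LURE_ATTACHMENT.search(a) for a in email["attachments"]):
        hits.append("lure_attachment")
    return hits


def hunt(emails):
    """Map message id -> hits, keeping only records that matched something."""
    return {e["id"]: assess(e) for e in emails if assess(e)}
```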
Control Gaps
- Lack of strict DMARC/SPF enforcement on look-alike domains
- Insufficient security awareness regarding recruitment scams
Key Behavioral Indicators
- Emails from free providers claiming to be corporate recruiters
- Requests for payment during recruitment
- Attachments named 'ATS diagnostic reports'
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Block the identified IOCs (emails, domains, phone numbers) at the email gateway and web proxy.
- Report the fraudulent LinkedIn profiles and email addresses to the respective service providers.
Infrastructure Hardening
- Register defensive look-alike domains to prevent attacker use.
- Ensure DMARC, SPF, and DKIM are strictly enforced for all corporate domains.
User Protection
- Implement email warning banners for external senders.
- Deploy endpoint protection to block execution of malicious attachments disguised as resumes or ATS reports.
Security Awareness
- Educate employees and candidates that the company will never ask for payment during the recruitment process.
- Train staff to verify recruiter identities via official corporate channels and treat any request for payment as an immediate red flag.
MITRE ATT&CK Mapping
- T1566.001 - Phishing: Spearphishing Attachment
- T1566.002 - Phishing: Spearphishing Link
- T1589.003 - Gather Victim Identity Information: Employee Names
Additional IOCs
- Other:
- phillipwalters006@gmail[.]com - Email address associated with the scam activity.
- posunrayi994@gmail[.]com - Email address associated with the scam activity.
- pelmaxx - Online handle associated with the threat actors.
- pellmax - Online handle associated with the threat actors.
- pelll_max - Online handle associated with the threat actors.
- +972 541234567 - Fake placeholder phone number associated with the activity.