Since August 2025, Unit 42 has tracked a series of highly sophisticated phishing campaigns targeting senior professionals by impersonating Palo Alto Networks talent acquisition staff. These attacks leverage scraped LinkedIn data to craft personalized lures, enhancing their effectiveness through detailed social engineering tactics.
The specific attack vector uses social engineering techniques to create a bureaucratic barrier regarding the candidate's curriculum vitae (CV). Attackers initially reach out posing as company representatives, sending emails that appear legitimate and establishing rapport with senior candidates. These initial contacts are designed to build trust before moving towards more deceptive steps.
The attackers then claim that a candidate’s resume failed to meet the applicant tracking system (ATS) requirements and offer to assist in bridging this gap for a fee. This fabricated scenario is crafted to create urgency, leading victims to comply with the attacker's offer of 'executive ATS alignment.' For example, they may imply that a review panel has already begun, instilling a sense of urgency.
The Unit 42 Incident Response team recommends several precautionary measures for individuals and organizations. These include verifying the sender’s domain by always checking the email suffix and requesting official communication through recognized channels to avoid falling victim to such scams. Interim guidance also advises against making any financial transactions initiated via unsolicited communications, ensuring that all interactions are conducted through established company protocols.
This threat highlights the critical need for vigilance in professional contexts where employees might be targeted with personalized phishing emails.