Coordinated Login Scanning Targets Palo Alto Networks GlobalProtect Portals


Cybersecurity intelligence and analysis company GreyNoise has reported a sharp spike in login scanning activity against Palo Alto Networks’ PAN-OS GlobalProtect portals, a pattern that suggests a planned, sustained effort to probe network defenses and, potentially, to gain entry to organizations. A few days after GreyNoise published its findings, Palo Alto Networks confirmed that it had also observed a surge in suspicious login scanning activity.

GlobalProtect is a high-value target because it is, by design, an internet-facing authentication point: the portal lets remote users authenticate and then extends the firewall’s policies and threat prevention to their traffic, giving the organization consistent controls and visibility over remote access. That same position makes it attractive to attackers. A portal that can be compromised, whether through a software vulnerability or through valid credentials obtained by guessing, gives an attacker an authenticated path into the internal network rather than a foothold on a single host.

Timeline and Scale of the Reconnaissance Activity

According to GreyNoise’s sensor data, the spike began on March 17th, 2025, and was sustained until March 26th, when it declined sharply. At its peak, almost 20,000 unique IP addresses per day were attempting to log in to GlobalProtect portals, and nearly 24,000 unique IPs were observed over the 30-day window. After the surge, activity did not return to the pre-surge baseline: it dropped from around 20,000 unique IPs per day to under 5,000, which is still elevated.

Behavioral Patterns and Indicators

The defining feature of this activity is the number of distinct sources: thousands of unique IP addresses attempting logins against the same class of portal, rather than a handful of hosts hammering one target. GreyNoise notes that for roughly the past two years it has seen a recurring pattern of “attack and reconnaissance attempts against specific technologies” that are often followed, weeks later, by the disclosure of new vulnerabilities in those technologies. The recent surge also coincided with a one-day spike, on March 26th, in activity matching GreyNoise’s “PAN-OS Crawler” tag.

The GlobalProtect login activity spike was largely coming from the United States (16,249 IPs) and Canada (5,823), with smaller numbers originating in Finland, the Netherlands, and Russia. The destination countries of the targeted systems are overwhelmingly in the United States (23,768), followed by the United Kingdom, Ireland, Russia, and Singapore.

Malicious Intent or Noise?

Of the nearly 24,000 IP addresses observed in this spike of login attempts, 23,800 were classified as suspicious, while only 154 were flagged as malicious. GreyNoise’s “suspicious” classification denotes “potential reconnaissance or pre-attack behavior”: activity that is neither clearly malicious nor demonstrably benign. The “malicious” classification is applied when an IP has previously been observed performing activity that GreyNoise tags as malicious, such as known exploitation attempts, so it reflects that IP’s history rather than anything specific about the GlobalProtect login attempts themselves.

Because the overwhelming majority of the IPs were classified only as suspicious, the spike cannot be confidently attributed to a malicious campaign on the classification data alone. Attribution and intent assessment of login activity are inherently limited: the labels describe what an IP has been observed doing, not who controls it, and an IP that has never been seen exploiting anything will not carry a malicious tag even if its current login attempts are part of a credential-guessing effort. The tags associated with an IP can only offer so much insight into the actor behind the activity and their intent.

Reconnaissance as a Precursor to Attack

The kind of system reconnaissance that could be indicated by this spike in login scanning activity is often used by threat actors in advance of an attack. “This massive scanning campaign targeting Palo Alto Networks GlobalProtect portals follows a concerning pattern we’ve seen before - intensive reconnaissance preceding the discovery of new vulnerabilities,” says J Stephen Kowski, Field CTO at Pleasanton, Calif.-based SlashNext.

Historically, attackers have carried out extensive reconnaissance of target networks and systems before acting, especially in advanced persistent threat (APT) campaigns. Pre-attack reconnaissance serves many goals: establishing a long-term presence within an organization, exfiltrating data, compromising critical accounts and devices, or disrupting operations. The more an attacker knows about the target systems, such as which products and versions are exposed and which accounts exist, the more easily they can choose an exploit or credential attack that works and avoid tripping security measures.

Examples of reconnaissance preceding catastrophic security incidents include the 2017 Equifax data breach, which exposed 147 million people’s personal information after attackers identified and exploited an unpatched Apache Struts vulnerability on an internet-facing application, and the 2020 SolarWinds attack, in which state-backed actors studied the vendor’s software supply chain, compromised its build environment, and distributed a trojanized Orion update to customers without being detected. Attackers routinely rely on automation and botnets for large-scale scanning of target systems, which is one reason a surge like this one can involve tens of thousands of source IPs with very little human effort behind it.

Defensive Measures and Recommendations

Organizations with internet-exposed GlobalProtect portals are encouraged to review their portal and authentication logs from March for suspicious activity, in particular bursts of failed logins from many distinct sources, attempts against generic or default usernames, and any successful login from an unfamiliar source or country, and to consider a thorough threat hunt for signs that running systems may have been compromised. Monitoring external scanning behavior against the organization’s own perimeter is also important, since anomalies like this surge are only visible to a defender who tracks how many distinct sources touch an exposed service over time. Recommended controls include geo-fencing (restricting portal access to the countries the workforce actually connects from), multi-factor authentication so that a guessed password alone is not enough, rate limiting of authentication attempts per source, and behavioral baselines that alert when login volume or source diversity departs from the norm.
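As an added example, not code from GreyNoise, Palo Alto Networks or the article’s author, the script below applies the behavioral-baseline, rate-limit and geo-fence checks described in the paragraph above to a constructed portal login log, and in doing so performs the same per-day unique-source comparison against a quiet baseline that the Timeline and Scale section reports for the real surge. The one-line log format, the IP addresses (RFC 5737 test ranges), the prefix-to-country mapping, the thresholds, and the sample data are all assumptions made for the example; real PAN-OS GlobalProtect logs are CSV rows with many more fields.

```python
"""Log-review helpers for an internet-exposed GlobalProtect portal.

Added example, not code from GreyNoise, Palo Alto Networks or the article's
author. It assumes a simplified, constructed one-line-per-attempt log format:
    <ISO-8601 timestamp> <source IP> <username> <OK|FAILED>
Real PAN-OS GlobalProtect logs are CSV rows with many more fields; only
parse_line() would need to change to consume them.
"""
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta
from statistics import median
from typing import Dict, Iterable, List, Set, Tuple

# Constructed geo lookup keyed by /24 prefix (a real deployment would query a
# GeoIP database). 198.51.100.0/24 is TEST-NET-2; "FI" is assigned here
# purely for illustration.
GEO_BY_PREFIX = {"203.0.113.": "US", "198.51.100.": "FI"}


def parse_line(line: str) -> Tuple[date, str, str, str]:
    """Split one constructed log line into (day, src_ip, user, result)."""
    ts, src_ip, user, result = line.split()
    return datetime.fromisoformat(ts).date(), src_ip, user, result


def daily_unique_sources(lines: Iterable[str]) -> Dict[date, Set[str]]:
    """Unique source IPs that attempted a portal login, per calendar day."""
    per_day: Dict[date, Set[str]] = defaultdict(set)
    for line in lines:
        day, src_ip, _, _ = parse_line(line)
        per_day[day].add(src_ip)
    return per_day


def flag_spike_days(per_day: Dict[date, Set[str]], baseline_days: int = 5,
                    factor: float = 3.0, min_sources: int = 10) -> List[Tuple[date, int, float]]:
    """Behavioral baseline: flag a day whose unique-source count exceeds
    `factor` times the median of the preceding `baseline_days` days.
    `min_sources` suppresses alerts on tiny absolute numbers."""
    days = sorted(per_day)
    flagged: List[Tuple[date, int, float]] = []
    for i, day in enumerate(days):
        prior = days[max(0, i - baseline_days):i]
        if len(prior) < baseline_days:
            continue  # not enough history to form a baseline
        base = float(median(len(per_day[d]) for d in prior))
        count = len(per_day[day])
        if count >= min_sources and count > factor * max(base, 1.0):
            flagged.append((day, count, base))
    return flagged


def noisy_sources(lines: Iterable[str], max_failures: int = 5) -> Dict[str, int]:
    """Rate-limit candidates: sources with more than `max_failures` failed logins."""
    failures: Counter = Counter()
    for line in lines:
        _, src_ip, _, result = parse_line(line)
        if result == "FAILED":
            failures[src_ip] += 1
    return {ip: n for ip, n in failures.items() if n > max_failures}


def outside_geofence(sources: Iterable[str], allowed: Set[str]) -> Set[str]:
    """Geo-fencing: sources whose (constructed) country is not in `allowed`.
    Unknown prefixes are treated as outside the fence (fail closed)."""
    out = set()
    for ip in sources:
        prefix = ip.rsplit(".", 1)[0] + "."
        if GEO_BY_PREFIX.get(prefix, "??") not in allowed:
            out.add(ip)
    return out


def build_sample_log() -> List[str]:
    """Constructed data: five quiet days of three staff logins, then a sixth day
    on which 40 new sources each fail six times against the 'admin' account."""
    lines = []
    start = date(2025, 3, 12)
    staff = [("203.0.113.1", "alice"), ("203.0.113.2", "bob"), ("203.0.113.3", "carol")]
    for d in range(6):
        day = start + timedelta(days=d)
        for ip, user in staff:
            lines.append(f"{day}T08:00:00 {ip} {user} OK")
    spike_day = start + timedelta(days=5)  # 2025-03-17, constructed to mirror the article
    for n in range(1, 41):
        for k in range(6):
            lines.append(f"{spike_day}T03:{k:02d}:00 198.51.100.{n} admin FAILED")
    return lines


def review(lines: Iterable[str]) -> dict:
    """Run all three checks and return a summary a threat hunter can act on."""
    lines = list(lines)
    per_day = daily_unique_sources(lines)
    all_sources = set().union(*per_day.values()) if per_day else set()
    return {
        "spike_days": flag_spike_days(per_day),
        "noisy_sources": noisy_sources(lines),
        "outside_geofence": outside_geofence(all_sources, allowed={"US"}),
    }


if __name__ == "__main__":
    summary = review(build_sample_log())
    for day, count, base in summary["spike_days"]:
        print(f"{day}: {count} unique sources vs baseline median {base:.0f}")
    print(f"{len(summary['noisy_sources'])} sources exceed the failure threshold")
    print(f"{len(summary['outside_geofence'])} sources outside the geo-fence")
```

On the constructed data the spike day is flagged because 43 distinct sources is well over three times the five-day median of 3, every one of the 40 scanning sources exceeds the per-source failure threshold, and all of them fall outside a US-only geo-fence. The three checks are deliberately independent: the baseline check catches source diversity even when each source stays under the rate limit, the rate limit catches a single persistent guesser that would never move the daily baseline, and the geo-fence catches a successful login from an unexpected region regardless of volume.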

Keeping PAN-OS and other exposed software up to date, and patching promptly whenever vulnerabilities are disclosed, is also a vital part of defending against activity like this, since broad scanning of a product class is exactly how attackers find the installations that have fallen behind. Bad actors “are likely trying to see who has missed the mark and ‘forgot’ to do the necessary basic actions needed to keep their organization safe,” according to Boris Cipot, Senior Security Engineer at Black Duck, a Burlington, Massachusetts-based provider of application security solutions.

Broader Implications for Enterprise Security

Far from an isolated event, this spike in login scanning activity is indicative of a larger trend of reconnaissance as a persistent background threat that all organizations should be aware of. External reconnaissance of internet-facing services produces little signal on the target side beyond authentication noise, so few security solutions are designed to surface it, and yet what attackers learn at this stage can lead to catastrophic events down the line.

This episode also demonstrates the broader need for proactive threat hunting and automated alerting. Companies like GreyNoise play a vital role in early detection and threat intelligence, making them good resources for organizations seeking guidance on emerging and evolving attack tactics. Organizations are encouraged to consume such intelligence and to follow best practices and industry standards for proactive, robust security against emerging and evolving threats.

Conclusion

Suspicious activity like the recently observed surge in GlobalProtect login attempts highlights the importance of organizations remaining vigilant for indicators of threat activity, even during the “quiet” phase that precedes an attack. Organizations should stay in the loop on threat intelligence and cybersecurity best practices and continue fostering collaboration between vendors, threat researchers, and defenders.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.