Threat | Other

Fake multi-actor 3-mail recruiter-to-hiring-manager-to-exec handoff chain lure — "Following up on the external recruiter introduction earlier this week, the hiring manager has handed off to the exec for sign-off on the candidate placement fee. Please process the wire transfer for the placement fee to the new payee within 5 days. Confidential, do not loop in finance" / "Per the prior recruiter-to-hiring-manager handoff thread, the exec has signed off — please remit the recruiter placement fee invoice to the new ACH details." Sender NOT on the canonical ATS / recruiter-platform / e-sign allowlist (greenhouse.io, lever.co, workable.com, smartrecruiters.com, ashbyhq.com, gem.com, workday.com, icims.com, jobvite.com, recruitee.com, breezy.hr, rippling.com, bamboohr.com, linkedin.com, indeed.com, glassdoor.com, hired.com, angel.co, wellfound.com, docusign.net, docusign.com, adobesign.com). Real recruiter placement-fee invoices flow through the AP-system with dual-control verbal verification through a known phone contact, never via a single inbound email chain demanding wire-redirect on a deadline. Distinct from R7 slow-burn-BEC (4-mail single-actor warm-up) and R8 ceo-meeting-invite-then-ask (calendar-pretext) — this signal is specifically the *3-actor handoff chain* primitive (Lead consensus C1: multi-actor handoff lends authority no single mail has; the *graph* of recruiter → hiring-manager → exec is the signal, not any individual mail). Source: Red-Team R8 multi-agent council S2 (social-engineering specialist), Lead consensus C1.

recruiter-to-hiring-manager-to-exec-chain-lure

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Fake multi-actor 3-mail recruiter-to-hiring-manager-to-exec handoff chain lure targeting hiring teams, recruiting coordinators, finance / AP staff, and exec-adjacent staff.

The phish narrative unfolds as a 3-actor multi-mail chain over ~5 days:

Day 1 = external-recruiter introduction ("we have a strong candidate for your role, the hiring manager has approved interview")
Day 3 = hiring-manager handoff ("recruiter intro confirmed, exec sign-off needed for placement fee")
Day 5 = exec sign-off ask with payment detail ("please process the wire transfer for the placement fee to the new payee within 5 days. Confidential — do not loop in finance")

The phish narrative arrives as: "Following up on the external recruiter introduction earlier this week, the hiring manager has handed off to the exec for sign-off on the candidate placement fee. Please process the wire transfer for the placement fee to the new payee within 5 days. Confidential — do not loop in finance," or "Per the prior recruiter-to-hiring-manager handoff thread, the exec has signed off on the candidate. Please remit the recruiter placement fee invoice to the new ACH details. As the hiring manager mentioned, this is time-sensitive — wire same-day. Multi-actor sign-off complete."

Each individual mail is signal-free (no urgency, no auth-pretext, no obvious red flag); the *graph* is the signal — the 3-actor handoff lends authority no single mail has. Real recruiter placement-fee invoices flow through the AP-system with dual-control verbal verification through a known phone contact at the recruiting firm, never via a single inbound email chain demanding wire-redirect on a deadline.

Sender NOT on the canonical ATS / recruiter-platform / e-sign allowlist (greenhouse.io, lever.co, workable.com, smartrecruiters.com, ashbyhq.com, gem.com, workday.com, icims.com, jobvite.com, recruitee.com, breezy.hr, rippling.com, bamboohr.com, linkedin.com, indeed.com, glassdoor.com, hired.com, angel.co, wellfound.com, docusign.net, docusign.com, adobesign.com).

Distinct from R7 slow-burn-BEC (4-mail single-actor warm-up) and R8 ceo-meeting-invite-then-ask (calendar-pretext) — this signal is specifically the *3-actor handoff chain* primitive. Lead consensus C1 (Red-Team R8 multi-agent council): multi-actor handoff lends authority no single mail has; subsumes the 3 vectors (CEO-invite, recruiter-chain, multi-actor-handoff) under the calendar-authority + multi-actor BEC family.

Fires when the body matches all four of the following groups:

1. Actor reference: "recruiter-to/>>/->/→/-to-hiring-manager" / "external recruiter" / "recruiting partner" / "recruiter introduction" / "hiring manager (handoff/introduction/sign-off)" / multi-actor / "3-(mail/actor)" / "three-(mail/actor)" / "recruiter (placement/placement fee)"
2. AND handoff reference: "handoff(s/to/chain)" / "hand-off" / "sign-off" / "hiring-manager handoff" / "exec(utive) sign-off" / "prior (recruiter/handoff)" / "handoff thread" / "multi-actor sign-off"
3. AND payment reference: wire(s/transfer/same-day/amount/invoice) / ACH / "placement fee" / "recruiter (placement) fee invoice" / "new (payee/ach/account/wire)" / "new ACH details" / "process (the) wire (transfer)" / "remit (to/the)"
4. AND urgency: within N hours-days / same-day / 24-48 hours / 5 days / action required / time-sensitive / confidential(ly) / "do not (loop/cc/forward)"

Excludes the canonical ATS / recruiter-platform / e-sign domains. Auto-classified as danger via the `-lure` suffix. Source: Red-Team R8 multi-agent council S2 (social-engineering specialist), Lead consensus C1 calendar-authority + multi-actor BEC.
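A sketch of the four-group AND rule and the allowlist exclusion described above, added here as an illustration and not Gorganizer's own code. The regexes are simplified approximations of the listed phrases; `evaluate`, `sender_allowlisted`, subdomain matching and the `.example` senders are assumptions.

```python
import re
from email.utils import parseaddr

# Allowlist domains are copied from the page; subdomain matching is an assumption.
ALLOWLIST = {
    "greenhouse.io", "lever.co", "workable.com", "smartrecruiters.com",
    "ashbyhq.com", "gem.com", "workday.com", "icims.com", "jobvite.com",
    "recruitee.com", "breezy.hr", "rippling.com", "bamboohr.com",
    "linkedin.com", "indeed.com", "glassdoor.com", "hired.com", "angel.co",
    "wellfound.com", "docusign.net", "docusign.com", "adobesign.com",
}
# Simplified approximations of the four phrase groups the page ANDs together.
PHRASES = {
    "actor": r"recruiter\s*(?:-to-|>>|->|→)\s*hiring[- ]manager|external recruiter"
             r"|recruiting partner|recruiter introduction|multi-actor"
             r"|hiring[- ]manager (?:handoff|introduction|sign-off)",
    "handoff": r"hand-?offs?|sign-?off|prior (?:recruiter|handoff)",
    "payment": r"\bwires?\b|\bACH\b|placement fee|\bremit\b"
               r"|new (?:payee|ach|account|wire)",
    "urgency": r"within \d+ (?:hours?|days?)|same-day|time-sensitive"
               r"|action required|confidential|do not (?:loop|cc|forward)",
}
GROUPS = {name: re.compile(rx, re.I) for name, rx in PHRASES.items()}

def sender_allowlisted(from_header):
    """True if the From domain is an allowlisted domain or a subdomain of one."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    return any(domain == d or domain.endswith("." + d) for d in ALLOWLIST)

def evaluate(from_header, body):
    """Return (fires, missing_groups); fires needs all groups and no allowlist hit."""
    text = " ".join(body.split())  # undo hard line wraps before matching
    missing = [name for name, rx in GROUPS.items() if not rx.search(text)]
    return (not missing and not sender_allowlisted(from_header)), missing

# Constructed samples; the lure body quotes the page's own example wording.
LURE = ("Following up on the external recruiter introduction earlier this week, "
        "the hiring manager has handed off to the exec for sign-off on the "
        "candidate placement fee. Please process the wire transfer for the "
        "placement fee to the new payee within 5 days. Confidential, do not "
        "loop in finance")
BENIGN = ("The external recruiter introduction went well; the hiring manager "
          "handoff is scheduled for Thursday.")

if __name__ == "__main__":
    for sender, body in [("Exec <exec@staffing-partner.example>", LURE),
                         ("Recruiter <r@staffing-partner.example>", BENIGN),
                         ("ATS <no-reply@mail.greenhouse.io>", LURE)]:
        print(sender, evaluate(sender, body))
```

The allowlist check is only meaningful against a sender domain that has passed SPF/DKIM/DMARC alignment; the page does not describe how Gorganizer handles that.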

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
