TA4903 Phishing Campaigns Evolve, Target US Government and SMBs


“The TA4903 group has been observed engaging in extensive spoofing of both US government agencies and private businesses across various industries. While primarily targeting organizations within the United States, TA4903 occasionally extends its reach globally through high-volume email campaigns. The overarching objective of these campaigns, as reported by Proofpoint in a new advisory published today, is the theft of corporate credentials, infiltration of mailboxes and subsequent business email compromise (BEC) activities” (Info Security Magazine, 2024).

Proofpoint began seeing campaigns spoofing US federal entities in December of 2021. These campaigns, later attributed to TA4903, initially posed as the US Department of Labor before moving through other government departments in the following years. Proofpoint highlighted some notable activity in mid-2023 through 2024, where there was a surge in credential phishing and fraud campaigns orchestrated by TA4903. These campaigns targeted small and medium-sized businesses across diverse industries including construction, manufacturing, energy, finance, and food and beverage.

Security Officer Comments:
TA4903 is known to employ PDF attachments containing embedded links or QR codes, which lead to government-branded phishing websites. In 2023, Proofpoint observed TA4903 adopting new tactics, including lure themes referencing confidential documents and ACH payments. Notably, the actor expanded its activities by using HTML attachments or zipped HTML attachments, indicative of a significant shift in its approach.
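
As an added illustration of the attachment shapes described above (not code from Proofpoint or the advisory), the Python below triages a raw message and flags HTML attachments, zipped HTML attachments, and PDFs carrying embedded link actions; the sample message, domain and file names are constructed for the example, and QR-code lures, which require image decoding, are not covered.

```python
import io, re, zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Lure shapes named in the advisory: HTML, zipped HTML, and PDFs with embedded
# links (/URI actions). QR-code lures need image decoding and are out of scope.
HTML_EXT = (".html", ".htm", ".shtml")
PDF_URI_RE = re.compile(rb"/URI\s*\(")

def inspect_attachment(filename, payload):
    """Return the lure shapes one attachment matches (empty list if none)."""
    name = (filename or "").lower()
    hits = []
    if name.endswith(HTML_EXT):
        hits.append("html-attachment")
    elif name.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                if any(n.lower().endswith(HTML_EXT) for n in zf.namelist()):
                    hits.append("zipped-html-attachment")
        except zipfile.BadZipFile:
            hits.append("malformed-zip")  # unreadable archives deserve a look too
    elif name.endswith(".pdf") or payload.startswith(b"%PDF"):
        if PDF_URI_RE.search(payload):
            hits.append("pdf-with-embedded-link")
    return hits

def triage_eml(raw):
    """Walk a raw RFC 5322 message; map each flagged attachment to its reasons."""
    findings = {}
    for part in message_from_bytes(raw).walk():
        fname = part.get_filename()
        if part.get_content_maintype() == "multipart" or not fname:
            continue
        hits = inspect_attachment(fname, part.get_payload(decode=True) or b"")
        if hits:
            findings[fname] = hits
    return findings

def build_sample_eml():
    """Constructed sample (not a real lure): a link-bearing PDF and a zipped HTML file."""
    msg = EmailMessage()
    msg.set_content("Please review the attached document.")
    pdf = b"%PDF-1.4\n1 0 obj << /S /URI /URI (https://example.invalid/login) >> endobj\n"
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="notice.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.html", "<html><body>login form</body></html>")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

Run `triage_eml(build_sample_eml())` to see both constructed attachments flagged; feeding real .eml files from a mail gateway into `triage_eml` is the intended use.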

The group is also known to leverage EvilProxy, a reverse-proxy multifactor authentication bypass tool. Lately, however, the group has been seen carrying out widespread BEC campaigns, an interesting departure from its typical email lures, which used benign messages to trick victims.

Proofpoint researchers have conducted extensive analysis to attribute the threat activity to TA4903. The actor’s consistent attack patterns, including domain construction, email lure content and hosting providers, facilitated this attribution. “The actor’s recent BEC campaigns that move away from government spoofing and instead purport to be from small and medium-sized businesses have become more frequent,” Proofpoint wrote.

Proofpoint says these campaigns are being deployed at a faster rate than the government spoofing and other credential theft campaigns the actor has run in the past. It is unclear if “the actor’s techniques have shifted as a result of the efficacy of such campaigns, or it is just a temporary change in the overall TTPs.”

Suggested Corrections:
According to the Proofpoint advisory, organizations must remain vigilant and implement robust security protocols to thwart such threats effectively. A list of indicators of compromise (IoC) is available in the technical write-up.