TA4903 phishing campaigns evolve and target the US government


The TA4903 group has been observed engaging in large-scale impersonation of U.S. government agencies and private companies across various industries.

While primarily targeting organizations in the United States, TA4903 occasionally extends its reach globally through high-volume email campaigns. The overarching goal of these campaigns, as Proofpoint reports in a new advisory released today, is the theft of corporate credentials, infiltration of mailboxes, and subsequent business email compromise (BEC) activities.

Starting in December 2021, Proofpoint began observing a series of campaigns aimed at spoofing U.S. federal government entities. These campaigns, later attributed to TA4903, first impersonated the U.S. Department of Labor before impersonating other government departments in subsequent years.

Notably, between mid-2023 and 2024, TA4903 saw a surge in phishing and credential fraud campaigns, targeting small and medium-sized businesses (SMEs) across various industries such as construction, manufacturing, energy, finance, and food and beverage.

The modus operandi of TA4903 involves a range of tactics, techniques and procedures (TTPs). For example, the actor is known to use PDF attachments containing embedded links or QR codes leading to government-branded phishing websites.

In 2023, Proofpoint observed TA4903 adopting new tactics, including using decoy themes referencing confidential documents and ACH payments. Notably, the actor has expanded its activities using HTML attachments or compressed HTML attachments, indicating a significant change in its approach.
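As an added illustration (not code from Proofpoint or the original article), the following Python script triages an inbound message for the attachment types described above: PDFs carrying link actions, HTML attachments, and compressed HTML attachments. The sample message, file names and URL are constructed for the example; QR codes embedded in PDFs need image decoding and are not covered.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Matches uncompressed PDF link actions such as "/URI (https://...)".
URI_ACTION = re.compile(rb"/URI\s*\((https?://[^)]+)\)")
HTML_EXT = (".html", ".htm")

def triage(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, finding) pairs for the attachment types named in the article."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if data.startswith(b"%PDF"):
            # Links inside compressed object streams are invisible to this
            # regex; a full PDF parser is needed for those.
            for url in URI_ACTION.findall(data):
                findings.append((name, "pdf-link:" + url.decode("ascii", "replace")))
        elif name.endswith(HTML_EXT):
            findings.append((name, "html-attachment"))
        elif zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(HTML_EXT):
                        findings.append((name, "zipped-html:" + member))
    return findings

def build_sample() -> bytes:
    """Constructed test message; every name and URL here is made up."""
    msg = EmailMessage()
    msg["Subject"] = "Invitation to bid"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg.set_content("Please see attached.")
    pdf = (b"%PDF-1.4\n1 0 obj<</Type/Annot/Subtype/Link"
           b"/A<</S/URI/URI (https://portal.example.net/bid)>>>>endobj\n%%EOF")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="bid.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Remittance.html", "<html><body>form</body></html>")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="ach.zip")
    msg.add_attachment("Notes for the bid package, nothing else.", filename="readme.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

Findings from a check like this are triage signals to route a message for review, since legitimate mail also carries linked PDFs and zipped HTML.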

The evolution of the threat actor has also included the deployment of MalProxy, a reverse proxy multi-factor authentication (MFA) bypass toolkit, although its usage declined later in 2023. Additionally, TA4903 ventured into wider distribution of BEC campaigns, moving away from its typical email lures and using innocuous messages to fool recipients.

Proofpoint researchers conducted an in-depth analysis to attribute threat activity to TA4903. The actor’s consistent attack patterns, including domain construction, email lure content, and hosting providers, facilitated this attribution.

“The actor’s recent BEC campaigns, which move away from government impersonation and instead claim to be from small and medium-sized businesses, have become more frequent,” Proofpoint wrote.

“These campaigns are being observed at a higher operational tempo than previously observed government spoofing or other credential theft campaigns. It is possible that actors’ techniques have changed due to the effectiveness of such campaigns, or that this is simply a temporary change in overall TTPs.”

According to the Proofpoint advisory, organizations must remain vigilant and implement robust security protocols to effectively thwart these threats. A list of indicators of compromise (IoCs) is available in the technical notice.
