Since at least 2021, organizations in the US have faced targeted phishing and business email compromise (BEC) campaigns by a threat actor known as TA4903, as revealed by Proofpoint. The attacks aimed to harvest corporate credentials for BEC activities like invoice fraud or payroll redirect, with the threat actor frequently creating new domains spoofing government entities and private organizations across various sectors. Initially impersonating government agencies like the Department of Labor, the actor expanded to include Departments of Housing and Urban Development, Commerce, Transportation, Agriculture, and the Small Business Administration (SBA). In mid-2023, the threat actor shifted to spoofing small and medium-sized businesses (SMBs) and intensified BEC attacks, introducing new tactics such as QR codes in PDF attachments and using lure themes related to cyberattacks and payments. Additionally, they utilized freemail addresses and domains spoofing US entities to deliver phishing messages, demonstrating a continuous evolution in their tactics to deceive victims. Proofpoint observed the actor attempting to hijack existing email threads for BEC activities, indicating a persistent threat to organizations’ cybersecurity.
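The domain-spoofing and freemail tactics described above are the kind a mail-gateway rule or SOC triage script can catch on the sender address alone. The following is an added example written for this summary, not code from Proofpoint or OODA: it parses a `From:` header with the standard library's `email.utils.parseaddr`, flags sender domains that reuse an agency's label (for instance a hyphenated or re-TLD'd variant), flags near-identical spellings with a similarity ratio, and flags agency-style display names sent from freemail providers. The reference list of agency domains, the freemail list, the similarity threshold and the sample headers are all assumptions constructed for illustration; a real deployment would maintain those lists from authoritative sources.

```python
"""Triage From: headers for agency impersonation and freemail abuse.

Added example; not from the OODA/Proofpoint report. Domain lists,
threshold and sample headers are constructed for illustration.
"""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Reference list of genuine agency domains (assumed values; verify
# against authoritative sources before relying on them).
LEGIT_DOMAINS = {
    "dol.gov": "Department of Labor",
    "hud.gov": "Housing and Urban Development",
    "commerce.gov": "Department of Commerce",
    "transportation.gov": "Department of Transportation",
    "usda.gov": "Department of Agriculture",
    "sba.gov": "Small Business Administration",
}

# Freemail providers an agency would not send official mail from (constructed list).
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Display-name fragments that suggest an agency is being impersonated.
AGENCY_WORDS = ("department", "administration", "agency", "office of", "u.s.")

# Ratio above which two domains are treated as near-identical spellings.
SIMILARITY_THRESHOLD = 0.8


def parse_sender(header):
    """Split a From: header into (display_name, local_part, lowercased domain)."""
    name, addr = parseaddr(header)
    if "@" not in addr:
        raise ValueError(f"no address in header: {header!r}")
    local, domain = addr.rsplit("@", 1)
    return name, local, domain.lower().rstrip(".")


def is_legit(domain):
    """True for a listed agency domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)


def lookalike_of(domain):
    """Return (legit_domain, reason) if the domain imitates a listed agency, else None."""
    if is_legit(domain):
        return None
    # Labels of the sender domain: "dol-gov-portal.com" -> ["dol", "gov", "portal", "com"]
    tokens = re.split(r"[-.]", domain)
    for legit in LEGIT_DOMAINS:
        label = legit.split(".")[0]
        if label in tokens:
            return legit, "agency label reused in unrelated domain"
        if SequenceMatcher(None, domain, legit).ratio() >= SIMILARITY_THRESHOLD:
            return legit, "near-identical spelling"
    return None


def triage(header):
    """Return a list of human-readable findings for one From: header (empty if clean)."""
    name, _local, domain = parse_sender(header)
    findings = []
    hit = lookalike_of(domain)
    if hit:
        findings.append(f"lookalike of {hit[0]} ({hit[1]})")
    if domain in FREEMAIL and any(w in name.lower() for w in AGENCY_WORDS):
        findings.append("agency display name on freemail sender")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not real observed senders.
    samples = [
        "noreply@dol.gov",
        "alerts@mail.usda.gov",
        "benefits@dol-gov-portal.com",
        "hr@dool.gov",
        "Department of Commerce <commerce.grants@gmail.com>",
        "alice@example.com",
    ]
    for h in samples:
        print(f"{h:55s} -> {triage(h) or 'clean'}")
```

Subdomains of a listed agency are accepted as legitimate, so a rule built on this logic still needs SPF/DKIM/DMARC alignment to reject a forged `From:` that uses the real domain; this script only addresses the lookalike and freemail patterns the summary describes.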
About OODA Analyst
OODA is comprised of a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.