TA4903 [1] [2] [3] is a threat actor known for conducting high-volume email campaigns globally, primarily targeting US organizations to steal corporate credentials and engage in business email compromise (BEC) activities.


TA4903, initially spoofing federal US government entities such as the US Department of Transportation, the US Department of Agriculture [2], and the US Small Business Administration [2], has evolved in tactics by using PDF attachments with embedded links or QR codes leading to phishing websites [3]. Recently, the threat actor has shifted towards impersonating small businesses in addition to government entities. TA4903 references confidential documents and ACH payments in lure themes and has been observed utilizing the EvilProxy multifactor authentication (MFA) bypass toolkit [3]. Furthermore, TA4903 has expanded its distribution of BEC campaigns, targeting small and medium-sized businesses (SMBs) across various industries [3].


Organizations are advised to remain vigilant and implement robust security protocols to defend against these evolving threats posed by TA4903. Impersonation of government entities and small businesses, utilization of phishing websites [3], and the use of the EvilProxy MFA bypass toolkit are key tactics to be aware of. Mitigations should include employee training, email authentication protocols, and monitoring for suspicious activity. As TA4903 continues to adapt its tactics, organizations must stay proactive in their cybersecurity measures to protect against potential breaches and data loss.


[1] https://www.proofpoint.com/us/blog/threat-insight/ta4903-actor-spoofs-us-government-small-businesses-phishing-bec-bids
[2] https://cyber.vumetric.com/security-news/2024/03/06/hackers-impersonate-u-s-government-agencies-in-bec-attacks/
[3] https://www.infosecurity-magazine.com/news/ta4903s-phishing-target-us-entities/