{
	"id": "153fa857-9b44-41ac-a280-12db69026fcb",
	"created_at": "2026-04-06T00:22:23.165238Z",
	"updated_at": "2026-04-10T13:13:00.28197Z",
	"deleted_at": null,
	"sha1_hash": "f2997af76aa58d86baa3fc1351881a53ef3db8ac",
	"title": "TA4903: Actor Spoofs U.S. Government, Small Businesses in Phishing, BEC Bids  | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2299578,
	"plain_text": "TA4903: Actor Spoofs U.S. Government, Small Businesses in Phishing,\r\nBEC Bids  | Proofpoint US\r\nBy March 06, 2024 Selena Larson, Jake G. and Dusty Miller\r\nPublished: 2024-02-21 · Archived: 2026-04-02 11:45:05 UTC\r\nKey takeaways \r\nTA4903 is a unique threat actor that demonstrates at least two distinct objectives: (1) credential phishing and (2)\r\nbusiness email compromise (BEC).  \r\nTA4903 routinely conducts campaigns spoofing various U.S. government entities to steal corporate credentials. \r\nThe actor also spoofs organizations in various sectors including construction, finance, healthcare, food and beverage,\r\nand others.  \r\nThe campaign volumes range from hundreds of messages to tens of thousands of messages per campaign. \r\nThe messages typically target entities in the U.S., although additional global targeting has been observed. \r\nTA4903 has been observed using the EvilProxy MFA bypass tool.  \r\nIn late 2023, TA4903 began adopting QR codes in credential phishing campaigns.  \r\nOverview \r\nTA4903 is a financially motivated cybercriminal threat actor that spoofs both U.S. government entities and private\r\nbusinesses across many industries. The actor mostly targets organizations located in the United States, but occasionally those\r\nlocated globally, with high-volume email campaigns. Proofpoint assesses with high confidence the objectives of the\r\ncampaigns are to steal corporate credentials, infiltrate mailboxes, and conduct follow-on business email compromise (BEC)\r\nactivity. \r\nProofpoint began observing a series of campaigns spoofing federal U.S. government entities in December 2021. The\r\ncampaigns, which were subsequently attributed to TA4903, first masqueraded as the U.S. Department of Labor. In 2022\r\ncampaigns, the threat actors purported to be the U.S. Departments of Housing and Urban Development, Transportation, and\r\nCommerce. During 2023, the actor began to spoof the U.S. Department of Agriculture.  
\r\nIn mid-2023 through 2024, Proofpoint observed an increase in credential phishing and fraud campaigns from TA4903 using different themes. The actor began spoofing various small and medium-sized businesses (SMBs) across various industries including construction, manufacturing, energy, finance, food and beverage, and others. Proofpoint observed an increase in the tempo of BEC themes as well, including using themes such as “cyberattacks” to prompt victims to provide payment and banking details.\r\nMost credential phishing messages associated with this actor contain URLs or attachments leading to credential phishing websites. In some cases, including the government-themed campaigns, messages contain PDF attachments that contain embedded links or QR codes leading to websites that appear to be direct clones of the spoofed government agency.\r\nBased on Proofpoint’s research and tactics, techniques, and procedures (TTPs) observed in open-source intelligence, activity related to TA4903’s impersonation of U.S. government entities goes back to at least mid-2021. TTPs associated with the actor’s broader credential phishing and BEC activities are observable as long ago as 2019.\r\nCampaign details\r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta4903-actor-spoofs-us-government-small-businesses-phishing-bec-bids\r\nPage 1 of 8\n\nGovernment bid spoofing\r\nHistorically, Proofpoint mostly observed TA4903 conducting credential theft campaigns using PDF attachments leading to portals spoofing U.S. government entities, typically using bid proposal lures. In late 2023, TA4903 began spoofing the USDA and began incorporating QR codes into their PDFs, a technique previously unobserved by this actor.\r\nMessages may purport to be, for example:\r\n          From: U.S. 
Department of Agriculture \u003centry@ams-usda[.]com\u003e\r\n          Subject: Invitation To Bid\r\n          Attachment: usda2784748973bid.pdf\r\nExample of one page of a multi-page PDF spoofing the USDA. The “Bid Now” button is hyperlinked to the same URL as the QR code.\r\nIn these campaigns, the PDF attachments are typically multiple pages long and have both embedded URLs and QR codes that lead to government-branded phishing websites.\r\nExample credential phishing website operated by TA4903, designed to capture O365 and other email account credentials.\r\nIn 2023, Proofpoint observed TA4903 spoof the U.S. Department of Transportation, the U.S. Small Business Administration (SBA), and the USDA using similar themes.\r\nO365 credential theft\r\nIn 2023, Proofpoint observed new tactics, techniques, and procedures from this actor, including using lure themes referencing confidential documents, ACH payments, and secure messages, and using either URLs, HTML attachments, or zipped HTML attachments, which is a significant expansion over the activity observed before 2023.\r\nTypically, the actor uses actor-owned and operated domain infrastructure that spoofs various North American companies to deliver email. Occasionally the actor will use freemail addresses; however, that is unusual. It is possible Proofpoint did not previously observe this activity either because the actor was not using these themes with regularity, or because the activity may have been occurring outside of Proofpoint visibility.\r\nFor example, in late November 2023, Proofpoint observed the following messages:\r\n          From: Finance Dept. 
via Orga-Portal \u003cdonotreply@secureserver5[.]com\u003e\r\n          Subject: New Receipt from Finance Department\r\n          Attachment: 11-30Receipt.zip\r\nThese ZIP attachments contained HTML documents with URLs that redirected to a website spoofing a Microsoft O365 login page. This site was designed to steal username and password credentials.\r\nSpoofed Microsoft O365 landing portal.\r\nTA4903 was observed using EvilProxy, a reverse proxy multifactor authentication bypass toolkit, throughout 2023, but its use dropped off later in the year and it has not yet been observed in 2024.\r\nImposter / direct BEC cyberattack theme\r\nBeginning in mid-2023, Proofpoint began observing campaigns departing from the actor’s typical email lures but aligned with the BEC objective demonstrated by TA4903. The actor used themes such as “cyberattack” or “payment” and used actor-owned lookalike domains spoofing likely suppliers of the targeted organizations to send the BEC messages. The messages are \"benign\" in that they do not contain malicious URLs or attachments, but they feature sender and reply-to email addresses owned by the threat actor spoofing a legitimate entity. These campaigns differed from previously observed BEC activity in that they were broadly distributed to many victims rather than being targeted follow-on activity.\r\nFor example, on 17 May 2023, TA4903 sent emails spoofing produce and manufacturing companies. The emails purported to alert the recipient that the sender organization had suffered a cyberattack and requested updated banking information. This was the first time Proofpoint had observed TA4903 conducting a BEC supplier domain spoof attack using a cyberattack theme, and the theme has been used multiple times since.
\r\nExample cyberattack-themed BEC email body copy.\r\nSo far in 2024, Proofpoint has observed multiple TA4903 campaigns conducting BEC activity using invoicing or remittance themes.\r\nLinks to follow-on BEC activity\r\nProofpoint researchers previously seeded researcher-owned credentials to one of the spoofed government bid portals in an attempt to view follow-on activity through an internal honeypot. This honeypot was designed to observe the behavior of phishing threat actors once they have obtained access to a compromised account using stolen credentials.\r\nProofpoint researchers seeded credentials to one of the Department of Transportation-themed credential capture portals. Within six days, the credentials were used to log in to the Proofpoint-owned email account. The threat actor searched email history for keywords including “bank information,” “payment,” and “merchant.” Proofpoint assesses with high confidence that the actor was looking for existing threads in which to conduct BEC activities such as invoice fraud or payroll redirect using thread hijacking techniques.\r\nProofpoint has observed several instances of targeted BEC campaigns attempting to perform invoice fraud. These campaigns usually utilize lookalike domains and reply-to manipulation to deceive the recipients. Researchers believe with high confidence that the themes and targets for these campaigns are created with the information gathered from accounts compromised during prior credential phishing campaigns, typically targeting the original victim’s business partners and financial institutions.
\r\nIt is likely that TA4903's credential phishing campaigns are precursors to follow-on BEC activity, using information stolen from compromised accounts to identify possible targets, create likely personas, and craft email lures.\r\nActor attribution\r\nTA4903 is a financially motivated cybercriminal actor with an initial objective of stealing corporate credentials and likely follow-on objectives of conducting BEC. Proofpoint clustered this threat activity based on the following characteristics:\r\nThe government-related domains and sender emails are similar in construction, typically using “bids” and the government agency acronyms in the domain names.\r\nAdditional spoofed domains typically include entities from verticals including construction, energy, manufacturing, finance, and others. These domains typically include spelling errors, for example being one letter off the legitimate domain, or include extraneous letters like “llc”.\r\nThe threat actor uses consistent email lure and PDF content, and while the specific department changes between government-themed campaigns, the lure themes and PDFs are consistent in their design.\r\nPDF documents often have consistent metadata traits, such as the author name, Edward Ambakederemo.\r\nThe credential capture webpages use a consistent phishing kit with minimal modifications.\r\nThe actor uses the same hosting providers for most of the activity Proofpoint has observed.\r\nInformation used in domain registration has identifiable traits or is otherwise directly linked to infrastructure previously known to be associated with TA4903.\r\nConclusion\r\nTA4903 is a persistent, financially motivated threat actor that generally targets organizations in the U.S. with high-volume email campaigns. Proofpoint assesses with high confidence that TA4903 activity leads to BEC objectives following its initial credential harvesting activity.
The actor frequently registers new domains relating to both government entities and private organizations in a variety of sectors, which it then uses for its credential phishing activity. Once access to a compromised mailbox is achieved, the actor will search for information relevant to payments, invoices, etc., and likely conduct follow-on activities such as sending additional emails related to payment fraud from the compromised inbox.\r\nThe actor’s recent BEC campaigns that move away from government spoofing and instead purport to be from small and medium-sized businesses have become more frequent. These campaigns are observed at a higher operational tempo than previously observed government spoofing or other credential theft campaigns. It is possible the actor’s techniques have shifted as a result of the efficacy of such campaigns, or it is just a temporary change in the overall TTPs.\r\nAnalyst note: After publication of this report, researchers identified TA4903 returning to government-themed credential phishing campaigns. The high-volume campaign spoofed the Department of Labor and contained PDFs with links to a credential phishing website.\r\nEmerging Threats signatures\r\nTA4903 domains are added weekly to the Emerging Threats PRO ruleset.
\r\nRule Name: ETPRO PHISHING TA4903 Domain in DNS Lookup\r\nExample indicators of compromise\r\nIndicator | Description | First Seen\r\nd398eef8cf3a69553985c4fd592a4500b791392cf86d7593dbdbd46f8842a18d | SHA256 usda278474897849493bid.pdf | November 2023\r\nhxxps://auth01-usda[.]com | Credential Phishing Landing Page | November 2023\r\nhxxp://tracking[.]tender-usdabids[.]com | Credential Phishing Landing Page | December 2023\r\ned4134de34fbc67c6a14c4a4d521e69b3cd2cb5e657b885bd2e8be0e45ad2bda | ams-usdabid48428492894.pdf | December 2023\r\nShortsync[.]net | Credential Phishing Domain | December 2023\r\n15b9ae1ab5763985af2e6fe0b22526d045666609ad31829b8926466599eeb284 | SHA256 11-30Receipt.zip | November 2023\r\norga-portal[.]com | Credential Phishing Domain | December 2023\r\n6f776331d7c49ab6e403f84409c062db0b2027429e47e3533e8c6098c5f12156 | SHA256 Bid Instruction.pdf | March 2024\r\nindex-dol[.]com | Credential Phishing Landing Page | March 2024\r\nhxxps://index-dolbid2024[.]com | Credential Phishing Landing Page | March 2024\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/ta4903-actor-spoofs-us-government-small-businesses-phishing-bec-bids",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/ta4903-actor-spoofs-us-government-small-businesses-phishing-bec-bids"
	],
	"report_names": [
		"ta4903-actor-spoofs-us-government-small-businesses-phishing-bec-bids"
	],
	"threat_actors": [
		{
			"id": "945169fe-c7fd-4279-9edc-0f52d39131e5",
			"created_at": "2024-08-20T02:00:04.528459Z",
			"updated_at": "2026-04-10T02:00:03.684992Z",
			"deleted_at": null,
			"main_name": "TA4903",
			"aliases": [],
			"source_name": "MISPGALAXY:TA4903",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434943,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f2997af76aa58d86baa3fc1351881a53ef3db8ac.pdf",
		"text": "https://archive.orkl.eu/f2997af76aa58d86baa3fc1351881a53ef3db8ac.txt",
		"img": "https://archive.orkl.eu/f2997af76aa58d86baa3fc1351881a53ef3db8ac.jpg"
	}
}