TA4903
TA4903 is a financially motivated cybercriminal threat actor associated with both credential phishing and follow-on business email compromise (BEC). Proofpoint assesses with high confidence that the actor routinely conducts campaigns spoofing U.S. government entities to steal corporate credentials, primarily targeting U.S. organizations while also targeting more broadly worldwide. Activity later attributed to TA4903 has been observed since at least December 2021, with related government-impersonation activity dating to at least mid-2021 and broader credential phishing and BEC TTPs observable as far back as 2019.

TA4903 has impersonated multiple U.S. government agencies, including the Departments of Labor, Housing and Urban Development, Transportation, Commerce, and Agriculture, as well as the U.S. Small Business Administration. From mid-2023 through 2024 the actor also expanded to spoofing small and medium-sized businesses across sectors including construction, manufacturing, energy, finance, healthcare, and food and beverage, and it has impersonated Microsoft, DocuSign, and Norton in device code phishing campaigns.

Its phishing operations commonly use URLs, HTML attachments, ZIP archives containing HTML files, and multi-page PDF attachments with embedded links or QR codes that lead to credential-harvesting sites, including spoofed Microsoft 365 login pages. Lure themes have included bid proposals, confidential documents, ACH payments, secure messages, CAPTCHA-themed social engineering, invoicing, remittance, and cyberattack notifications. In late 2023 the actor incorporated QR codes into USDA-themed phishing PDFs. Proofpoint observed TA4903 using the EvilProxy reverse-proxy MFA-bypass toolkit throughout 2023, although that use reportedly declined later in 2023 and had not been observed in 2024 at the time of reporting.
Beginning in mid-2023, the actor also conducted broader BEC campaigns using supplier-spoofing lookalike domains and themes such as cyberattacks, payment changes, invoicing, and remittance, often with no malicious links or attachments at all. Honeypot evidence showed stolen credentials being used to access a mailbox and search for payment-related terms, supporting the assessment that credential theft serves as a precursor to invoice fraud, payroll redirection, and thread hijacking.

In April 2026, TA4903 adopted device code phishing, distributing lures with PDF attachments and CAPTCHA-themed social engineering. These campaigns targeted small businesses and government entities and impersonated Microsoft and DocuSign using custom kits described as looking nearly identical to EvilTokens. Proofpoint documented TA4903's device code phishing activity as part of a broader rise in abuse of the Microsoft OAuth device authorization flow.

Clustering traits consistently reported for TA4903 include persistent registration of spoofed domains using government acronyms or vertical-specific branding, spelling variations, recurring hosting providers, linked domain-registration patterns, consistent phishing-kit design, and PDF metadata referencing "Edward Ambakederemo." No aliases or sub-groups other than TA4903 were reported.
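One defender-side check for the device code phishing described above, as an added example that is not Proofpoint's or Mallory's code: it reads Entra ID sign-in events exported as JSON lines (assumed Graph-style field names: authenticationProtocol, userPrincipalName, ipAddress, appDisplayName, createdDateTime), surfaces every sign-in that used the device code flow, and rates higher those coming from an address the user has never authenticated from. The log records are constructed for the example.

```python
"""Hunt for device code phishing sign-ins in Entra ID sign-in log exports.

Added example, not code from Proofpoint or Mallory. Assumes events are JSON
lines using Graph-style field names (authenticationProtocol, userPrincipalName,
ipAddress, appDisplayName, createdDateTime); the records below are constructed.
"""
import json
from collections import defaultdict

# Constructed sample: routine OAuth sign-ins, then two device-code sign-ins.
SAMPLE_LOG = """
{"createdDateTime":"2026-04-01T08:02:11Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","appDisplayName":"Microsoft 365","authenticationProtocol":"oAuth2"}
{"createdDateTime":"2026-04-01T08:15:40Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","appDisplayName":"Outlook","authenticationProtocol":"oAuth2"}
{"createdDateTime":"2026-04-02T09:31:05Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.22","appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2"}
{"createdDateTime":"2026-04-03T14:47:52Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.77","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode"}
{"createdDateTime":"2026-04-03T15:02:19Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.22","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode"}
"""

def parse_signins(text):
    return [json.loads(l) for l in text.strip().splitlines() if l.strip()]

def build_ip_baseline(events):
    """IPs each user has signed in from via a protocol other than device code."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["authenticationProtocol"] != "deviceCode":
            baseline[ev["userPrincipalName"]].add(ev["ipAddress"])
    return baseline

def find_suspicious_device_code(events):
    """Flag every device-code sign-in; rate it high when the source IP is one the
    user has never authenticated from, since in device code phishing the token is
    redeemed by the attacker's client rather than the victim's own device."""
    baseline = build_ip_baseline(events)
    findings = []
    for ev in events:
        if ev["authenticationProtocol"] != "deviceCode":
            continue
        upn = ev["userPrincipalName"]
        unseen_ip = ev["ipAddress"] not in baseline[upn]
        findings.append({"user": upn, "ip": ev["ipAddress"],
                         "app": ev["appDisplayName"], "when": ev["createdDateTime"],
                         "severity": "high" if unseen_ip else "medium"})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_device_code(parse_signins(SAMPLE_LOG)):
        print(f"{f['severity']:<6} {f['when']} {f['user']} {f['ip']} {f['app']}")
```

Medium-rated hits are still worth a look, since a legitimate device-code use from a user's usual address is rare outside CLI tooling and headless devices.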
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Energy
- Materials
- Capital Goods
- Food, Beverage & Tobacco
- Health Care Equipment & Services
- Banks
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Tradecraft
13 distinct techniques observed across reporting, grouped by tactic.
Observables
17 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
- Financially motivated actor using device code phishing while impersonating Microsoft and DocuSign with custom phishing kits.
- Financially motivated actor using device code phishing with Microsoft and DocuSign impersonation.
- Conducting device code phishing campaigns to gain unauthorized access to Microsoft 365 accounts, using PDF attachments and CAPTCHA-themed social engineering while impersonating services such as Microsoft, DocuSign, and Norton.
- Financially motivated cybercriminal actor conducting high-volume credential phishing and follow-on BEC activity, frequently spoofing U.S. government entities and private businesses to steal corporate credentials, infiltrate mailboxes, and enable invoice/payment fraud.