
Proofpoint Threat Research has identified a new financially motivated business email compromise (BEC) actor, designated TA2900, who is orchestrating rental payment fraud campaigns across France and occasionally Canada. This newly documented threat actor leverages highly convincing French-language emails to deceive victims into sending rental payments to attacker-controlled bank accounts.
TA2900’s campaigns typically impersonate rental agencies, claiming that a tenant’s rental payment has not been received. The fraudulent emails urge immediate payment and inform the recipient that the rental company’s bank account details have changed, providing a new International Bank Account Number (IBAN) supposedly for future transactions.
Proofpoint researchers note, “messages state that the rental company’s bank account details have changed and instruct the recipient to send their next rent payment to a new account using the IBAN details provided by the attacker.”
The malicious tactics include:
- Embedding IBAN numbers directly within the email or in attached PDFs.
- Requesting replies to freemail addresses (e.g., Gmail, Outlook) to exchange payment evidence or authorization for automatic payments.
- Rotating bank accounts after two to three campaigns to avoid detection, with almost two dozen IBAN numbers observed across over 50 campaigns to date.
In earlier campaigns, TA2900 often included PDF attachments bearing legitimate-looking logos and phrases such as:
- “Gestion locative de bien immobilier” (Rental property management)
- “Garantie des loyers” (Rent guarantee)
- “Gestion immobilier comptabilité” (Real estate management accounting)
However, since late 2024, the use of PDF attachments has declined. Proofpoint suggests that this adaptation could be part of the actor’s effort to streamline attacks and minimize forensic footprints.
Interestingly, researchers speculate that “the emails are written with the help of generative AI,” although this remains unconfirmed.
The majority of TA2900’s campaigns are launched from compromised mailboxes—primarily belonging to educational institutions worldwide. Emails typically feature generic French subject lines like “Loyer” (Rent) or “Nouveau RIB” (New bank account details).
Proofpoint assesses, “some of the compromised education accounts used to send campaigns are obtained through previous credential phishing or keylogger malware campaigns.”
These opportunistically hijacked accounts lend an additional layer of legitimacy, helping the phishing messages get past email security filters and lowering victim suspicion.
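For mail defenders, the traits described above (rent-themed subject, an IBAN in the body, replies steered to a freemail address) can be combined into a simple triage check. The sketch below is an added example, not Proofpoint's detection logic; the freemail list, the indicator names, the scoring rule and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed freemail list; the article names Gmail and Outlook only as examples.
FREEMAIL = {"gmail.com", "outlook.com", "outlook.fr", "hotmail.com", "hotmail.fr"}
# Subject keywords reported in the article: "Loyer" and "Nouveau RIB".
SUBJECT_RE = re.compile(r"\b(loyer|nouveau\s+rib)\b", re.IGNORECASE)
# Candidate IBAN: country code, two check digits, 11-30 more characters, optional spaces.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")

def iban_is_valid(candidate):
    """ISO 13616 check: move first four chars to the end, map A=10..Z=35, mod 97 == 1."""
    s = candidate.replace(" ", "").upper()
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def indicators(raw_message):
    """Return the set of article-described indicators present in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    texts = [p.get_payload(decode=True).decode("utf-8", "replace")
             for p in msg.walk() if p.get_content_type() == "text/plain"]
    found = set()
    if SUBJECT_RE.search(msg.get("Subject", "")):
        found.add("rent_subject")
    if any(iban_is_valid(m.group()) for m in IBAN_RE.finditer("\n".join(texts))):
        found.add("iban_in_body")
    reply, sender = domain_of(msg.get("Reply-To")), domain_of(msg.get("From"))
    if reply in FREEMAIL and reply != sender:
        found.add("freemail_reply_to")
    return found

def is_suspect(raw_message):
    """Flag a message that supplies a valid IBAN plus at least one other indicator."""
    hits = indicators(raw_message)
    return "iban_in_body" in hits and len(hits) >= 2

# Constructed sample (not from the article); the IBAN is a widely published French example.
SAMPLE = """From: Agence <contact@univ.example>
Reply-To: agence.location@gmail.com
Subject: Nouveau RIB

Bonjour, votre loyer n'a pas ete recu. Nouveau compte :
FR14 2004 1010 0505 0001 3M02 606
"""
```

Validating the mod-97 checksum keeps random alphanumeric strings from counting as IBANs; text inside PDF attachments is not inspected here and would need separate extraction.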
While the exact location of TA2900 remains unknown, their fluency with French banking norms and the targeting of French-language rental markets suggest an actor highly knowledgeable about France’s rental ecosystem. Yet Proofpoint notes, “the observed language in email messages could be generated by a language translation application,” indicating that the perpetrators might not be native French speakers.
In all cases, Proofpoint concludes with high confidence that “the objective of TA2900 is financial theft,” specifically exploiting victims’ trust in routine financial operations like rent payments.