Hackers Deceive Tenants into Redirecting Rent Payments to Fraudulent Accounts

A newly identified financially motivated threat actor, tracked as TA2900 by Proofpoint, has launched a series of business email compromise (BEC) campaigns targeting tenants in France and, to a lesser extent, Canada.

This cybercriminal group employs French-language emails with urgent rental payment themes, leveraging social engineering tactics to manipulate victims into redirecting rent payments to attacker-controlled bank accounts.

Modus Operandi and Technical Tactics

TA2900’s campaigns typically involve messages purporting to come from property management or rental agencies.

These emails claim that a recent rent installment was not received and instruct recipients to urgently transfer funds to a “new” bank account, referencing changes in banking details.

Attackers provide International Bank Account Numbers (IBANs), which rotate frequently, to avoid detection and blacklisting.

According to the report, Proofpoint researchers have detected almost two dozen unique IBANs used across more than 50 campaigns, with each account typically rotated after two or three uses.

TA2900 Message examples including IBAN and BIC numbers. 

The fraudulent IBANs are usually shared directly in the email body or included as an attachment.

In some instances, the email lacks banking details entirely, prompting recipients to reply to obtain the information.

The targeted bank accounts are primarily low-cost branches of major French banks, adding a facade of legitimacy.

Victims are also instructed to send evidence of payment and, in some cases, authorize automatic payment setups, all to attacker-controlled accounts.

Communication typically occurs via freemail accounts hosted on platforms such as Gmail, Outlook, or Yahoo, further obscuring the threat actor’s identity.

The phishing emails are often distributed from compromised mailboxes belonging to educational institutions across various regions, using generic subject lines like “Loyer” (Rent) or “Nouveau RIB” (New bank account identity statement).

Early versions of the campaign frequently included professionally designed PDF attachments featuring legitimate-seeming property management branding, though the use of such attachments has decreased since late 2024.

PDF example for TA2900 campaign.

Some emails exhibit awkward phrasing and unusual constructions, suggesting possible assistance from generative AI or automated translation tools, though Proofpoint has not formally confirmed AI involvement.
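The traits described in this section can be combined into a simple mail-triage check. The following is an added example, not code from Proofpoint or from the original article: it flags a message when a freemail Reply-To differs from the sender's domain and the subject uses one of the named lures or the body carries a checksum-valid IBAN. The freemail list, signal names, threshold and the assumption that the freemail account appears in the Reply-To header are illustrative choices.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; tune to your own mail flow.
FREEMAIL = {"gmail.com", "googlemail.com", "outlook.com", "outlook.fr",
            "yahoo.com", "hotmail.com"}
SUBJECT_LURES = ("loyer", "nouveau rib")  # subject lines named in the article
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")

def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move first 4 chars to the end, map A=10..Z=35, mod 97 == 1."""
    s = iban.replace(" ", "").upper()
    if not (s.isascii() and s.isalnum() and 15 <= len(s) <= 34):
        return False
    return int("".join(str(int(c, 36)) for c in s[4:] + s[:4])) % 97 == 1

def domain(header_value) -> str:
    """Lower-cased domain of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def signals(raw: str) -> list:
    """Return the names of the TA2900-style traits present in one raw message."""
    msg = message_from_string(raw)
    hits = []
    from_dom, reply_dom = domain(msg["From"]), domain(msg["Reply-To"])
    if reply_dom in FREEMAIL and reply_dom != from_dom:
        hits.append("freemail-reply-to-mismatch")
    if any(l in (msg["Subject"] or "").lower() for l in SUBJECT_LURES):
        hits.append("rent-lure-subject")
    # Plain-text parts only; transfer-encoded bodies are not decoded here.
    body = "".join(p.get_payload() for p in msg.walk()
                   if p.get_content_type() == "text/plain")
    if any(iban_is_valid(m.group()) for m in IBAN_RE.finditer(body)):
        hits.append("valid-iban-in-body")
    return hits

def should_hold(raw: str) -> bool:
    """Hold for review only when the reply-to mismatch co-occurs with another trait."""
    h = signals(raw)
    return "freemail-reply-to-mismatch" in h and len(h) >= 2

# Constructed sample: addresses are invented, the IBAN is the public French example value.
SAMPLE = """From: Secretariat <secretariat@universite.example>
Reply-To: gestion.exemple@gmail.com
Subject: Nouveau RIB

Merci de virer le loyer sur le compte FR14 2004 1010 0505 0001 3M02 606.
"""
print(signals(SAMPLE), should_hold(SAMPLE))
```

A rent-themed subject alone does not trigger a hold, which keeps legitimate receipts from property managers out of the review queue.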

Attribution and Impact

Proofpoint attributes TA2900’s campaigns with high confidence to financially motivated criminal activity.

While the precise location of the group remains undetermined, the attackers demonstrate knowledge of the French rental property ecosystem and use French-language resources to add authenticity.

The language and banking tactics create a convincing layer of legitimacy, increasing the likelihood of victims complying with payment requests.

Many of the compromised educational institution accounts leveraged by TA2900 are suspected to have been obtained via prior credential phishing or keylogger malware attacks.

This campaign highlights the persistent danger of social engineering, as threat actors exploit human emotions, particularly anxiety related to unpaid or overdue rent.

The urgency and fear driven by these communications are designed to elicit hasty, uncritical responses, bypassing recipients’ usual caution.

Proofpoint urges organizations and individuals to exercise skepticism toward any unsolicited messages demanding immediate financial action, especially those that incite strong emotional reactions.

Indicators of Compromise (IOCs)

