02 May

Proofpoint Threat Research has identified a new financially motivated business email compromise (BEC) actor, designated TA2900, who is orchestrating rental payment fraud campaigns across France and occasionally Canada. This newly documented threat actor leverages highly convincing French-language emails to deceive victims into sending rental payments to attacker-controlled bank accounts.
TA2900’s campaigns typically impersonate rental agencies, claiming that a tenant’s rental payment has not been received. The fraudulent emails urge immediate payment and inform the recipient that the rental company’s bank account details have changed, providing a new International Bank Account Number (IBAN) supposedly for future transactions.
Proofpoint researchers note, “messages state that the rental company’s bank account details have changed and instruct the recipient to send their next rent payment to a new account using the IBAN details provided by the attacker.”
The malicious tactics include:
- Embedding IBAN numbers directly within the email or in attached PDFs.
- Requesting replies to freemail addresses (e.g., Gmail, Outlook) to exchange payment evidence or authorization for automatic payments.
- Rotating bank accounts after two to three campaigns to avoid detection, with almost two dozen IBAN numbers observed across over 50 campaigns to date.
In earlier campaigns, TA2900 often included PDF attachments bearing legitimate-looking logos and phrases such as:
- “Gestion locative de bien immobilier” (Rental property management)
- “Garantie des loyers” (Rent guarantee)
- “Gestion immobilier comptabilité” (Real estate management accounting)
However, since late 2024, the use of PDF attachments has declined. Proofpoint suggests that this adaptation could be part of the actor’s effort to streamline attacks and minimize forensic footprints.
Interestingly, researchers speculate that “the emails are written with the help of generative AI,” although this remains unconfirmed.
The majority of TA2900’s campaigns are launched from compromised mailboxes, primarily belonging to educational institutions worldwide. Emails typically feature generic French subject lines like “Loyer” (Rent) or “Nouveau RIB” (New bank account details).
Proofpoint assesses, “some of the compromised education accounts used to send campaigns are obtained through previous credential phishing or keylogger malware campaigns.”
These opportunistically hijacked accounts lend an additional layer of legitimacy, helping phishing messages bypass email security filters and victim suspicion.
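The traits described above (the quoted subject lines, a Reply-To on a freemail domain that differs from the sender's, and an IBAN in the body) can be combined into a mail-triage check. This is an added example, not Proofpoint's detection logic: the function names, the freemail domain list and the sample message are assumptions made here, and the IBAN is a specimen value that does not come from the report.

```python
import re
from email import message_from_string
from email.utils import parseaddr

FREEMAIL = {"gmail.com", "outlook.com"}   # assumed domains for the providers the article names
SUBJECT_TERMS = ("loyer", "nouveau rib")  # subject lines quoted in the article
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")

# Constructed sample message; addresses are fictitious and the IBAN is a specimen value.
SAMPLE = (
    "From: Service Location <etudiant@universite.example>\n"
    "Reply-To: agence.exemple@gmail.com\n"
    "Subject: Nouveau RIB\n"
    "\n"
    "Bonjour, merci d'utiliser le nouvel IBAN : FR14 2004 1010 0505 0001 3M02 606\n"
)

def iban_is_valid(candidate):
    """ISO 13616 check: move the first four characters to the end, map A-Z to 10-35, mod 97 == 1."""
    s = candidate.replace(" ", "").upper()
    if not (15 <= len(s) <= 34 and s.isalnum() and s.isascii()):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1

def domain(header_value):
    """Lower-cased domain of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw_message):
    """Return which of the article's traits a single-part text message exhibits."""
    msg = message_from_string(raw_message)
    hits = []
    if any(term in (msg["Subject"] or "").lower() for term in SUBJECT_TERMS):
        hits.append("subject")
    reply_to = domain(msg["Reply-To"])
    if reply_to in FREEMAIL and reply_to != domain(msg["From"]):
        hits.append("freemail-reply-to")
    # Checksum validation discards look-alike strings that are not real IBANs.
    if any(iban_is_valid(m.group()) for m in IBAN_RE.finditer(msg.get_payload())):
        hits.append("iban-in-body")
    return hits

if __name__ == "__main__":
    print(triage(SAMPLE))
```

No single trait is conclusive on its own; a message showing all three is a reasonable candidate for manual review or for an out-of-band check with the rental agency before any payment details are changed.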
While the exact location of TA2900 remains unknown, their fluency with French banking norms and the targeting of French-language rental markets suggest an actor highly knowledgeable about France’s rental ecosystem. Yet Proofpoint notes, “the observed language in email messages could be generated by a language translation application,” indicating that the perpetrators might not be native French speakers.
In all cases, Proofpoint concludes with high confidence that “the objective of TA2900 is financial theft,” specifically exploiting victims’ trust in routine financial operations like rent payments.

