Brand impersonation: ADP

Impersonation of the payroll provider ADP. Most commonly seen around US tax season (Q1).

Sublime rule (View on GitHub)

name: "Brand impersonation: ADP"
description: |
  Impersonation of the payroll provider ADP. Most commonly seen around US tax season (Q1)
references:
  - "https://www.align.com/blog/tax-related-phishing-scam-targets-adp-users"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.display_name in~ (
    'RS-Plan-Admin@adp.com',
    'ADP',
    'SecurityServices_NoReply@adp.com'
  )
  and sender.email.domain.root_domain not in~ (
    'adp.com',
    'adpsurveys.com',
    'adp.com.br'
  )
  and sender.email.email not in $recipient_emails
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "bb9cf46b-188e-58f5-996e-b35caf2423a2"
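The rule above combines three checks: a case-insensitive match on the display name (`in~`), an allowlist of root domains ADP legitimately sends from, and an exclusion for senders that appear in the organisation's own recipient list. To make the evaluation order and the role of `root_domain` concrete, here is a plain-Python re-implementation run over a few constructed From headers. This is an added example, not Sublime's rule engine and not code from the rule's GitHub repository; the message shape (`from`, `inbound`), the `RECIPIENT_EMAILS` stand-in for `$recipient_emails`, and the tiny hard-coded suffix list inside `root_domain()` are all assumptions made for the example.

```python
"""Stand-alone re-implementation of the ADP brand-impersonation rule logic.

Added example; not the Sublime engine. A message is a dict with a raw
'from' header string and an 'inbound' flag (assumed shape). root_domain()
is a simplified stand-in for sender.email.domain.root_domain.
"""
from email.utils import parseaddr

# Display names the rule flags; compared case-insensitively, like `in~`.
IMPERSONATED_DISPLAY_NAMES = {
    "rs-plan-admin@adp.com",
    "adp",
    "securityservices_noreply@adp.com",
}

# Root domains ADP legitimately sends from, per the rule's allowlist.
LEGIT_ROOT_DOMAINS = {"adp.com", "adpsurveys.com", "adp.com.br"}

# Assumption: a tiny subset of the public suffix list, enough for this example.
# A real deployment should use the full public suffix list.
MULTI_LABEL_SUFFIXES = {"com.br", "co.uk"}

# Constructed stand-in for $recipient_emails (the organisation's own mailboxes).
RECIPIENT_EMAILS = {"payroll@example.org", "hr@example.org"}


def root_domain(domain: str) -> str:
    """Return the registrable domain, e.g. mail.adp.com.br -> adp.com.br."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def matches_adp_impersonation(message: dict) -> bool:
    """Evaluate the rule's three conditions against one message."""
    # type.inbound: only mail entering the organisation is in scope.
    if not message.get("inbound", False):
        return False

    display_name, sender_email = parseaddr(message["from"])
    sender_email = sender_email.lower()

    # sender.display_name in~ (...): exact, case-insensitive list membership.
    if display_name.lower() not in IMPERSONATED_DISPLAY_NAMES:
        return False

    # sender.email.domain.root_domain not in~ (...): genuine ADP mail is excluded
    # by registrable domain, so mail.adp.com.br is treated as adp.com.br.
    sender_domain = sender_email.rsplit("@", 1)[-1]
    if root_domain(sender_domain) in LEGIT_ROOT_DOMAINS:
        return False

    # sender.email.email not in $recipient_emails: self-addressed mail is excluded.
    if sender_email in RECIPIENT_EMAILS:
        return False

    return True


# Constructed sample messages (all addresses are invented for the example).
SAMPLE_MESSAGES = [
    {"from": '"ADP" <noreply@adp-payroll-update.example>', "inbound": True},
    {"from": '"ADP" <RS-Plan-Admin@adp.com>', "inbound": True},
    {"from": '"SecurityServices_NoReply@adp.com" <alerts@mail.adp.com.br>', "inbound": True},
    {"from": '"adp" <payroll@example.org>', "inbound": True},
    {"from": '"ADP Payroll" <notices@adp-secure.example>', "inbound": True},
    {"from": '"ADP" <notices@adp-secure.example>', "inbound": False},
]


def classify_samples() -> list:
    """Return the rule's verdict for each constructed sample, in order."""
    return [matches_adp_impersonation(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for message, verdict in zip(SAMPLE_MESSAGES, classify_samples()):
        print(f"{'MATCH  ' if verdict else 'no hit'}  {message['from']}")
```

Two points the samples bring out: `in~` is exact membership, so a display name such as "ADP Payroll" does not trigger this rule even though it looks like impersonation, and the allowlist is applied to the root domain rather than the full sender domain, which is why `adp.com.br` appears in the rule as its own entry instead of being covered by `adp.com`.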