Brand impersonation: ADP
Impersonation of the payroll provider ADP. Most commonly seen around US tax season (Q1), when W-2 and payroll-portal lures are most convincing.
Sublime rule (View on GitHub)
```yaml
name: "Brand impersonation: ADP"
description: |
  Impersonation of the payroll provider ADP. Most commonly seen around US tax season (Q1)
references:
  - "https://www.align.com/blog/tax-related-phishing-scam-targets-adp-users"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.display_name in~ ('RS-Plan-Admin@adp.com', 'ADP', 'SecurityServices_NoReply@adp.com')
  and sender.email.domain.root_domain not in~ ('adp.com', 'adpsurveys.com', 'adp.com.br')
  and sender.email.email not in $recipient_emails
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "bb9cf46b-188e-58f5-996e-b35caf2423a2"
```
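The rule fires when all four conjuncts hold: the message is inbound, the From display name is (case-insensitively, `in~`) one of the three strings ADP notifications actually use, the sender's registrable domain is not one of ADP's legitimate root domains, and the sender address is not one of the organisation's own mailboxes (`$recipient_emails`, which excludes internal forwards and self-sends). The following is an added example, not Sublime's engine or any code from the rule repository, that re-implements that logic in plain Python so it can be exercised against raw `From:` header values. The `RECIPIENT_EMAILS` set, the `MULTI_LABEL_SUFFIXES` stand-in for a Public Suffix List lookup, and every sample header are constructed for illustration.

```python
"""Stand-alone re-implementation of the ADP impersonation rule's matching logic.

Added example; not Sublime's evaluation engine. All sample data is constructed.
"""
from email.utils import parseaddr

# Copied from the rule: display names the lure uses, compared case-insensitively.
IMPERSONATED_DISPLAY_NAMES = {
    "rs-plan-admin@adp.com",
    "adp",
    "securityservices_noreply@adp.com",
}

# Copied from the rule: root domains from which genuine ADP mail is expected.
LEGIT_ROOT_DOMAINS = {"adp.com", "adpsurveys.com", "adp.com.br"}

# Stand-in for Sublime's $recipient_emails list (assumption: the protected
# organisation's own mailboxes). Constructed sample values.
RECIPIENT_EMAILS = {"alice@example.com", "payroll@example.com"}

# Minimal stand-in for a Public Suffix List lookup (assumption). Needed so that
# mail.adp.com.br reduces to adp.com.br rather than com.br.
MULTI_LABEL_SUFFIXES = {"com.br", "co.uk", "com.au"}


def root_domain(host: str) -> str:
    """Return the registrable domain of a host name, e.g. mail.adp.com.br -> adp.com.br."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) > 2 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def matches(from_header: str, inbound: bool = True) -> bool:
    """Apply the rule's four conjuncts to a raw From: header value.

    Returns True when the message would be flagged by the rule.
    """
    # Conjunct 1: type.inbound
    if not inbound:
        return False

    display_name, address = parseaddr(from_header)
    address = address.lower()

    # Conjunct 2: sender.display_name in~ (...)  -- exact, case-insensitive match.
    if display_name.strip().lower() not in IMPERSONATED_DISPLAY_NAMES:
        return False

    # Conjunct 3: sender.email.domain.root_domain not in~ (...)
    domain = address.rpartition("@")[2]
    if not domain or root_domain(domain) in LEGIT_ROOT_DOMAINS:
        return False

    # Conjunct 4: sender.email.email not in $recipient_emails
    if address in RECIPIENT_EMAILS:
        return False

    return True


# Constructed sample From: headers covering a hit and each exclusion.
SAMPLE_FROM_HEADERS = [
    '"ADP" <notice@adp-payroll-secure.net>',                 # lookalike domain: flagged
    '"RS-Plan-Admin@adp.com" <noreply@evil.example>',        # address-as-name trick: flagged
    '"ADP" <noreply@mail.adp.com.br>',                       # legitimate ADP root domain
    '"ADP" <notifications@adp.com>',                         # legitimate ADP root domain
    '"adp" <payroll@example.com>',                           # one of our own mailboxes
    '"ADP Payroll" <x@evil.example>',                        # display name not an exact match
]


def evaluate_samples() -> dict:
    """Run every sample header through the rule and return header -> verdict."""
    return {h: matches(h) for h in SAMPLE_FROM_HEADERS}


if __name__ == "__main__":
    for header, hit in evaluate_samples().items():
        print(f"{'HIT ' if hit else 'pass'}  {header}")
```

Two things worth noticing when running the samples: `in~` is an exact (case-insensitive) comparison, so a display name such as `ADP Payroll` does not trigger the rule even though it clearly trades on the brand, and a genuine ADP address on `mail.adp.com.br` is only recognised as legitimate because root-domain extraction is suffix-aware; a naive "last two labels" split would reduce it to `com.br` and produce a false positive.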