Brand impersonation: ADP

Impersonation of the payroll provider ADP. Most commonly seen around US tax season (Q1)

Sublime rule (View on GitHub)

name: "Brand impersonation: ADP"
description: |
    Impersonation of the payroll provider ADP. Most commonly seen around US tax season (Q1)
references:
  - "https://www.align.com/blog/tax-related-phishing-scam-targets-adp-users"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.display_name in~ ('RS-Plan-Admin@adp.com', 'ADP', 'SecurityServices_NoReply@adp.com')
  and sender.email.domain.root_domain not in~ ('adp.com', 'adpsurveys.com','adp.com.br')
  and sender.email.email not in $recipient_emails
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "bb9cf46b-188e-58f5-996e-b35caf2423a2"
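To show what each clause of the rule's `source` block actually filters, here is a plain-Python re-implementation run over a handful of constructed messages. This is an added example, not Sublime Security's code: MQL's case-insensitive `in~` is modelled as a lower-cased comparison, `$recipient_emails` (the organization's known recipient addresses) is approximated by the message's own recipient list, and root-domain extraction is a two- or three-label heuristic rather than a full public-suffix lookup. The display-name and domain lists are copied from the rule; all addresses in the samples are fictional.

```python
"""Re-implementation of the "Brand impersonation: ADP" rule logic (added example,
not Sublime's code). Assumptions: case-insensitive string matching stands in for
MQL's `in~`, the message's recipients stand in for `$recipient_emails`, and
root_domain() only knows the multi-label suffixes listed below."""
from dataclasses import dataclass

# Values copied from the rule's `source` block.
IMPERSONATED_DISPLAY_NAMES = ("RS-Plan-Admin@adp.com", "ADP", "SecurityServices_NoReply@adp.com")
LEGITIMATE_ROOT_DOMAINS = ("adp.com", "adpsurveys.com", "adp.com.br")

# Simplified public-suffix handling (assumption): suffixes under which the
# registrable domain is three labels deep, e.g. adp.com.br.
MULTI_LABEL_SUFFIXES = ("com.br", "co.uk")


@dataclass
class Message:
    inbound: bool
    display_name: str
    sender_email: str
    recipient_emails: tuple


def root_domain(hostname: str) -> str:
    """mail.adp.com -> adp.com ; x.adp.com.br -> adp.com.br (heuristic, see above)."""
    labels = hostname.lower().strip(".").split(".")
    depth = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-depth:])


def matches_adp_impersonation(msg: Message) -> bool:
    """True only when every clause of the rule holds for the message."""
    # type.inbound
    if not msg.inbound:
        return False
    # sender.display_name in~ (...): display name claims to be ADP (case-insensitive)
    if msg.display_name.lower() not in {n.lower() for n in IMPERSONATED_DISPLAY_NAMES}:
        return False
    # sender.email.domain.root_domain not in~ (...): ADP's own domains are exempt
    sender_domain = msg.sender_email.rsplit("@", 1)[-1]
    if root_domain(sender_domain) in LEGITIMATE_ROOT_DOMAINS:
        return False
    # sender.email.email not in $recipient_emails: a sender that is also a known
    # recipient (e.g. an internal address) is not treated as brand impersonation
    if msg.sender_email.lower() in {r.lower() for r in msg.recipient_emails}:
        return False
    return True


# Constructed sample messages (fictional addresses).
SAMPLES = {
    "lookalike_domain": Message(True, "ADP", "payroll@adp-tax-forms.example", ("alice@corp.example",)),
    "display_name_case": Message(True, "adp", "w2@notice-center.example", ("alice@corp.example",)),
    "legit_adp": Message(True, "ADP", "noreply@mail.adp.com", ("alice@corp.example",)),
    "legit_adp_br": Message(True, "ADP", "folha@adp.com.br", ("alice@corp.example",)),
    "unrelated_sender": Message(True, "Bob", "bob@partner.example", ("alice@corp.example",)),
    "self_addressed": Message(True, "ADP", "alice@corp.example", ("alice@corp.example",)),
    "outbound": Message(False, "ADP", "alice@corp.example", ("x@adp-tax-forms.example",)),
}


def evaluate_samples() -> dict:
    """Map each sample name to whether the rule would flag it."""
    return {name: matches_adp_impersonation(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:20s} {'ALERT' if hit else 'pass'}")
```

Only the two lookalike-domain messages are flagged; mail from `adp.com` subdomains and from `adp.com.br` passes because the root-domain exemption strips subdomains before comparing, and the outbound and self-addressed cases pass on the first and last clauses respectively. When tuning the rule, the root-domain list is the clause to watch: a legitimate ADP sending domain missing from it will produce false positives each tax season.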