sublimemediumRule

Brand impersonation: ADP

Impersonation of the payroll provider ADP. Most commonly seen around US tax season (Q1)

MITRE ATT&CK

T1566 T1566.001 T1566.002 T1598 T1598.003

initial-access

Detection Query

type.inbound
and sender.display_name in~ (
  'RS-Plan-Admin@adp.com',
  'ADP',
  'SecurityServices_NoReply@adp.com'
)
and sender.email.domain.root_domain not in~ (
  'adp.com',
  'adpsurveys.com',
  'adp.com.br'
)
and sender.email.email not in $recipient_emails

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

References

https://www.align.com/blog/tax-related-phishing-scam-targets-adp-users

Raw Content

name: "Brand impersonation: ADP"
description: |
  Impersonation of the payroll provider ADP. Most commonly seen around US tax season (Q1)
references:
  - "https://www.align.com/blog/tax-related-phishing-scam-targets-adp-users"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.display_name in~ (
    'RS-Plan-Admin@adp.com',
    'ADP',
    'SecurityServices_NoReply@adp.com'
  )
  and sender.email.domain.root_domain not in~ (
    'adp.com',
    'adpsurveys.com',
    'adp.com.br'
  )
  and sender.email.email not in $recipient_emails
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "bb9cf46b-188e-58f5-996e-b35caf2423a2"