
Brand impersonation: ADP

Sublime Rules

Summary
This rule detects phishing that impersonates ADP, a widely used payroll provider. Such campaigns peak during the U.S. tax season (Q1), when attackers trade on the urgency of payroll and tax communications to trick recipients into handing over credentials or other sensitive information.

The detection works on sender identity rather than message content. It fires when the sender's display name is itself one of ADP's mailbox addresses, such as 'RS-Plan-Admin@adp.com' or 'SecurityServices_NoReply@adp.com'. This is a common spoofing trick: the legitimate address is placed in the display-name field, which most mail clients show prominently, while the actual sending address sits elsewhere. To avoid flagging ADP's own mail, the rule then requires that the sender's root domain is not adp.com or one of ADP's affiliated domains. Finally, the sender address must not be one of the message's recipients, which further narrows the match to mail that genuinely claims an ADP identity it does not hold. Together these checks catch credential-phishing lures that borrow ADP's brand without matching legitimate ADP traffic.
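To make the three conditions concrete, here is an added example (not the rule's own MQL source and not code from Sublime) that applies the same logic in Python over raw From and To header values. The two ADP addresses are taken from the summary; the root-domain allowlist, the sample headers, and the reading of the recipient check as "sender address is not one of the recipients" are assumptions for illustration.

```python
"""Added illustration of the three checks the ADP brand-impersonation
summary describes, re-expressed in plain Python over raw From/To headers.
Not the Sublime rule's MQL; only the two ADP addresses come from the page."""
from email.utils import getaddresses, parseaddr

# The two mailbox names the page quotes. Attackers put a real ADP address in
# the display-name field so the mail client shows it instead of the true sender.
ADP_DISPLAY_ADDRESSES = {
    "rs-plan-admin@adp.com",
    "securityservices_noreply@adp.com",
}

# Assumption: the real rule carries a list of ADP root domains. Only adp.com
# appears on the page, so this placeholder list holds just that one entry.
ADP_ROOT_DOMAINS = {"adp.com"}


def root_domain(host: str) -> str:
    """Last two DNS labels of a host name (notify.adp.com -> adp.com).
    Sufficient for .com; a production version needs a public-suffix list so
    that a name such as example.co.uk is not reduced to co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_adp_impersonation(from_header: str, to_header: str) -> dict:
    """Return each check's outcome plus the overall verdict for one message.

    The checks mirror the summary:
      1. the display name is itself one of the ADP addresses;
      2. the sender's root domain is not an ADP domain, so genuine ADP mail
         and ADP subdomains drop out here;
      3. the sender address is not one of the recipients (my reading of the
         summary's "not among the known recipient emails").
    """
    display_name, sender = parseaddr(from_header)
    sender = sender.lower()
    sender_domain = sender.rsplit("@", 1)[1] if "@" in sender else ""
    recipients = {addr.lower() for _, addr in getaddresses([to_header]) if addr}

    result = {
        "display_name_is_adp_address": display_name.strip().lower() in ADP_DISPLAY_ADDRESSES,
        "sender_outside_adp_domains": bool(sender_domain)
        and root_domain(sender_domain) not in ADP_ROOT_DOMAINS,
        "sender_not_a_recipient": sender not in recipients,
    }
    result["match"] = all(result.values())
    return result


# Constructed sample headers (not real mail): one phish and four benign cases,
# each benign case failing exactly one of the three conditions.
SAMPLES = {
    "phish": (
        '"RS-Plan-Admin@adp.com" <payroll-notice@mail-hosting.example>',
        "jane.doe@corp.example",
    ),
    "legit_adp": (
        '"RS-Plan-Admin@adp.com" <RS-Plan-Admin@adp.com>',
        "jane.doe@corp.example",
    ),
    "adp_subdomain": (
        '"SecurityServices_NoReply@adp.com" <noreply@notify.adp.com>',
        "jane.doe@corp.example",
    ),
    "plain_display_name": (
        '"ADP Payroll" <payroll-notice@mail-hosting.example>',
        "jane.doe@corp.example",
    ),
    "self_addressed": (
        '"RS-Plan-Admin@adp.com" <jane.doe@corp.example>',
        "Jane Doe <jane.doe@corp.example>, payroll@corp.example",
    ),
}


def run_samples() -> dict:
    """Verdict per sample; only 'phish' should match."""
    return {name: check_adp_impersonation(f, t)["match"] for name, (f, t) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (f, t) in SAMPLES.items():
        print(f"{name:20} {check_adp_impersonation(f, t)}")
```

Note that the "plain_display_name" case does not match: the summary describes a rule keyed on display names that are literally an ADP address, so a display name like "ADP Payroll" with a foreign sender falls outside it and would need a separate rule.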
Categories
  • Identity Management
  • Web
  • Endpoint
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2021-02-19