Link: Apple App Store link to apps impersonating AI advertising
Detects messages containing links to Apple App Store apps that impersonate popular AI services (OpenAI, ChatGPT, Meta, Gemini) and are categorized as advertising or management tools offered for free.
Detection Query
// Scope: inbound mail only.
type.inbound
// Keep only links in the current thread body whose registered domain is apps.apple.com;
// every check below runs per such link.
and any(filter(body.current_thread.links,
               .href_url.domain.domain in ('apps.apple.com')
        ),
        // testflight = <script name="schema:software-application" type="application/ld+json">
        // apps.apple.com = <script id="software-application" type="application/ld+json">
        // (the filter above only admits apps.apple.com, so it is the @id form that is queried)
        // Follow the link with ml.link_analysis and select the JSON-LD
        // "software-application" <script> element(s) from the final DOM.
        // Inside this any(), "." is one such <script> node.
        any(html.xpath(ml.link_analysis(.).final_dom,
                       '//script[@id="software-application"][@type="application/ld+json"]'
            ).nodes,
            // extract just the value of this node and parse it as json
            // Check 1: the parsed JSON's "name" contains (case-insensitive substring)
            // one of these AI-brand tokens. "openal"/"open al" presumably cover the
            // l-for-i lookalike spelling.
            // NOTE(review): "meta" and "gpt" are short substrings and will also match
            // unrelated app names (e.g. anything containing "metadata"); checks 2 and 3
            // are what keep the rule narrow.
            any([
                  "openai",
                  "openal",
                  "open ai",
                  "open al",
                  "chatgpt",
                  "meta",
                  "gemini",
                  "gpt"
                ],
                // "." here is the brand token; "..raw" reaches back to the enclosing
                // <script> node's raw text, from which the JSON body is regex-extracted.
                strings.icontains(strings.parse_json(regex.iextract(..raw,
                                                                    '<script id="software-application" type="application/ld\+json">\s*(?P<app_overview>.*)\s+</script>'
                                                    )[0].named_groups["app_overview"]
                                  )["name"],
                                  .
                )
            )
            // Check 2: the same "name" must also read like an ads / management product.
            // Same extraction as above, but at node scope, so ".raw" rather than "..raw".
            and regex.icontains(strings.parse_json(regex.iextract(.raw,
                                                                  '<script id="software-application" type="application/ld\+json">\s*(?P<app_overview>.*)\s+</script>'
                                                  )[0].named_groups["app_overview"]
                                )["name"],
                                '\b(?:suite|ads?|gpt|advert|manager?|campaigns?)'
            )
            // Check 3: the listing's offers.category must be exactly "free".
            and strings.parse_json(regex.iextract(.raw,
                                                  '<script id="software-application" type="application/ld\+json">\s*(?P<app_overview>.*)\s+</script>'
                                  )[0].named_groups["app_overview"]
                )["offers"]["category"] == "free"
        )
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
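# Sublime Security detection rule. The MQL query lives in the `source` block scalar;
# its lines must stay indented under `source: |` or the YAML does not parse.
name: "Link: Apple App Store link to apps impersonating AI advertising"
description: "Detects messages containing links to Apple App Store apps that impersonate popular AI services (OpenAI, ChatGPT, Meta, Gemini) and are categorized as advertising or management tools offered for free."
type: "rule"
severity: "high"
source: |
  // Scope: inbound mail only.
  type.inbound
  // Keep only links in the current thread body whose registered domain is apps.apple.com;
  // every check below runs per such link.
  and any(filter(body.current_thread.links,
                 .href_url.domain.domain in ('apps.apple.com')
          ),
          // testflight = <script name="schema:software-application" type="application/ld+json">
          // apps.apple.com = <script id="software-application" type="application/ld+json">
          // (the filter above only admits apps.apple.com, so it is the @id form that is queried)
          // Follow the link with ml.link_analysis and select the JSON-LD
          // "software-application" <script> element(s) from the final DOM.
          // Inside this any(), "." is one such <script> node.
          any(html.xpath(ml.link_analysis(.).final_dom,
                         '//script[@id="software-application"][@type="application/ld+json"]'
              ).nodes,
              // extract just the value of this node and parse it as json
              // Check 1: the parsed JSON's "name" contains (case-insensitive substring)
              // one of these AI-brand tokens. "openal"/"open al" presumably cover the
              // l-for-i lookalike spelling.
              // NOTE(review): "meta" and "gpt" are short substrings and will also match
              // unrelated app names (e.g. anything containing "metadata"); checks 2 and 3
              // are what keep the rule narrow.
              any([
                    "openai",
                    "openal",
                    "open ai",
                    "open al",
                    "chatgpt",
                    "meta",
                    "gemini",
                    "gpt"
                  ],
                  // "." here is the brand token; "..raw" reaches back to the enclosing
                  // <script> node's raw text, from which the JSON body is regex-extracted.
                  strings.icontains(strings.parse_json(regex.iextract(..raw,
                                                                      '<script id="software-application" type="application/ld\+json">\s*(?P<app_overview>.*)\s+</script>'
                                                      )[0].named_groups["app_overview"]
                                    )["name"],
                                    .
                  )
              )
              // Check 2: the same "name" must also read like an ads / management product.
              // Same extraction as above, but at node scope, so ".raw" rather than "..raw".
              and regex.icontains(strings.parse_json(regex.iextract(.raw,
                                                                    '<script id="software-application" type="application/ld\+json">\s*(?P<app_overview>.*)\s+</script>'
                                                    )[0].named_groups["app_overview"]
                                  )["name"],
                                  '\b(?:suite|ads?|gpt|advert|manager?|campaigns?)'
              )
              // Check 3: the listing's offers.category must be exactly "free".
              and strings.parse_json(regex.iextract(.raw,
                                                    '<script id="software-application" type="application/ld\+json">\s*(?P<app_overview>.*)\s+</script>'
                                    )[0].named_groups["app_overview"]
                  )["offers"]["category"] == "free"
          )
  )
# Classification metadata used by the platform for grouping and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
detection_methods:
  - "Content analysis"
  - "URL analysis"
  - "HTML analysis"
# Stable rule identifier; do not change when editing the query.
id: "19b556e6-6d08-533b-b42e-bd3fa1dee6ad"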