
Brand impersonation: OpenAI with payment issues

Detects messages impersonating OpenAI or ChatGPT with payment-related content such as subscription cancellation, payment failures, or billing updates from non-OpenAI domains.

MITRE ATT&CK

initial-access

Detection Query

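// Brand impersonation: OpenAI / ChatGPT with a payment-themed lure.
//
// Structure:
//   1. brand anchor - sender display name, subject or boilerplate body text
//      must reference OpenAI / ChatGPT (the [li] class also matches the
//      lowercase-L lookalike "OpenAl", presumably a deliberate homoglyph catch);
//   2. payment lure - at least two distinct billing/payment phrases in the
//      current thread body; conditions are kept non-overlapping so that a
//      single sentence cannot satisfy the 2-of threshold by itself;
//   3. exclusions   - mail that authenticates (DMARC pass) as openai.com or as
//      one of the $high_trust_sender_root_domains is negated; the DMARC
//      requirement stops a spoofed From: domain from opting out of detection.
type.inbound
and (
  // brand anchor: sender display name, subject, or OpenAI-style body boilerplate
  regex.icontains(sender.display_name, '\bchat\s*gpt\b')
  or regex.icontains(sender.display_name, '\bopen\s*a[li]\b')
  or regex.icontains(subject.subject, '\bchat\s*gpt\b')
  or regex.icontains(subject.subject, '\bopen\s*a[li]\b')
  or regex.icontains(body.current_thread.text,
                     '(?:regarding\s*your\s*Open\s*A[lI]\s*account|Open\s*A[lI]\s*\.\s*All\s*rights\s*reserved|the\s*open\s*ai\s*team)'
  )
)
and 2 of (
  // payment phrases; each condition should cover text no other condition
  // covers, otherwise one sentence counts twice toward the threshold
  regex.icontains(body.current_thread.text,
                  'update (?:payment method|your (?:billing|payment))'
  ),
  // the optional "will be " keeps its trailing space so that
  // "Subscription will be cancelled" matches; without it only
  // "Subscription cancelled" did
  regex.icontains(body.current_thread.text,
                  'Subscription (?:has expired|(?:will be )?Cancel+ed)'
  ),
  // covers both "issue with the transaction" and "issue with payment";
  // a separate strings.icontains for the former would double-count
  regex.icontains(body.current_thread.text,
                  'issue with (?:the transaction|payment)'
  ),
  regex.icontains(body.current_thread.text, "you(?:'ll| will) lose access"),
  regex.icontains(body.current_thread.text,
                  'payment (?:is not successful|error|was declined)'
  ),
  // NOTE(review): "unable to process your payment" satisfies both this
  // condition and 'process your payment' below, so that one sentence alone
  // reaches the 2-of threshold; left as-is pending tuning against real traffic
  regex.icontains(body.current_thread.text,
                  'unable to (?:process|automatically charge)'
  ),
  strings.icontains(body.current_thread.text, 'bank or card issuer'),
  strings.icontains(body.current_thread.text, 'could not be processed'),
  strings.icontains(body.current_thread.text, 'settle the outstanding'),
  strings.icontains(body.current_thread.text, 'account will be downgraded'),
  strings.icontains(body.current_thread.text, 'Renew Subscription'),
  strings.icontains(body.current_thread.text, 'balance is settled'),
  strings.icontains(body.current_thread.text, 'will renew automatically'),
  strings.icontains(body.current_thread.text, 'process your payment'),
  strings.icontains(body.current_thread.text, 'keep your subscription active'),
  strings.icontains(body.current_thread.text, 'avoid any interruption'),
  strings.icontains(body.current_thread.text, 'charge attempt was unsuccessful'),
  strings.icontains(body.current_thread.text, 'scheduled for cancellation'),
  strings.icontains(body.current_thread.text, 'authorizing your payment'),
  strings.icontains(body.current_thread.text, 'Declining Payment'),
  strings.icontains(body.current_thread.text, 'Insufficient funds'),
  strings.icontains(body.current_thread.text, 'Card has expired'),
  strings.icontains(body.current_thread.text, 'exceeds your credit limit'),
  strings.icontains(body.current_thread.text, 'plan features have been paused'),
  strings.icontains(body.current_thread.text, 'saved payment method'),
  strings.icontains(body.current_thread.text, 'active without interruption')
)
// exclude legitimate OpenAI mail only when it authenticates: a bare
// root_domain comparison would let a spoofed From: openai.com bypass the rule
and not (
  sender.email.domain.root_domain == 'openai.com'
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)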

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
name: "Brand impersonation: OpenAI with payment issues"
description: "Detects messages impersonating OpenAI or ChatGPT with payment-related content such as subscription cancellation, payment failures, or billing updates from non-OpenAI domains."
type: "rule"
severity: "high"
source: |
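  // Brand impersonation: OpenAI / ChatGPT with a payment-themed lure.
  //
  // Structure:
  //   1. brand anchor - sender display name, subject or boilerplate body text
  //      must reference OpenAI / ChatGPT (the [li] class also matches the
  //      lowercase-L lookalike "OpenAl", presumably a deliberate homoglyph catch);
  //   2. payment lure - at least two distinct billing/payment phrases in the
  //      current thread body; conditions are kept non-overlapping so that a
  //      single sentence cannot satisfy the 2-of threshold by itself;
  //   3. exclusions   - mail that authenticates (DMARC pass) as openai.com or as
  //      one of the $high_trust_sender_root_domains is negated; the DMARC
  //      requirement stops a spoofed From: domain from opting out of detection.
  type.inbound
  and (
    // brand anchor: sender display name, subject, or OpenAI-style body boilerplate
    regex.icontains(sender.display_name, '\bchat\s*gpt\b')
    or regex.icontains(sender.display_name, '\bopen\s*a[li]\b')
    or regex.icontains(subject.subject, '\bchat\s*gpt\b')
    or regex.icontains(subject.subject, '\bopen\s*a[li]\b')
    or regex.icontains(body.current_thread.text,
                       '(?:regarding\s*your\s*Open\s*A[lI]\s*account|Open\s*A[lI]\s*\.\s*All\s*rights\s*reserved|the\s*open\s*ai\s*team)'
    )
  )
  and 2 of (
    // payment phrases; each condition should cover text no other condition
    // covers, otherwise one sentence counts twice toward the threshold
    regex.icontains(body.current_thread.text,
                    'update (?:payment method|your (?:billing|payment))'
    ),
    // the optional "will be " keeps its trailing space so that
    // "Subscription will be cancelled" matches; without it only
    // "Subscription cancelled" did
    regex.icontains(body.current_thread.text,
                    'Subscription (?:has expired|(?:will be )?Cancel+ed)'
    ),
    // covers both "issue with the transaction" and "issue with payment";
    // a separate strings.icontains for the former would double-count
    regex.icontains(body.current_thread.text,
                    'issue with (?:the transaction|payment)'
    ),
    regex.icontains(body.current_thread.text, "you(?:'ll| will) lose access"),
    regex.icontains(body.current_thread.text,
                    'payment (?:is not successful|error|was declined)'
    ),
    // NOTE(review): "unable to process your payment" satisfies both this
    // condition and 'process your payment' below, so that one sentence alone
    // reaches the 2-of threshold; left as-is pending tuning against real traffic
    regex.icontains(body.current_thread.text,
                    'unable to (?:process|automatically charge)'
    ),
    strings.icontains(body.current_thread.text, 'bank or card issuer'),
    strings.icontains(body.current_thread.text, 'could not be processed'),
    strings.icontains(body.current_thread.text, 'settle the outstanding'),
    strings.icontains(body.current_thread.text, 'account will be downgraded'),
    strings.icontains(body.current_thread.text, 'Renew Subscription'),
    strings.icontains(body.current_thread.text, 'balance is settled'),
    strings.icontains(body.current_thread.text, 'will renew automatically'),
    strings.icontains(body.current_thread.text, 'process your payment'),
    strings.icontains(body.current_thread.text, 'keep your subscription active'),
    strings.icontains(body.current_thread.text, 'avoid any interruption'),
    strings.icontains(body.current_thread.text, 'charge attempt was unsuccessful'),
    strings.icontains(body.current_thread.text, 'scheduled for cancellation'),
    strings.icontains(body.current_thread.text, 'authorizing your payment'),
    strings.icontains(body.current_thread.text, 'Declining Payment'),
    strings.icontains(body.current_thread.text, 'Insufficient funds'),
    strings.icontains(body.current_thread.text, 'Card has expired'),
    strings.icontains(body.current_thread.text, 'exceeds your credit limit'),
    strings.icontains(body.current_thread.text, 'plan features have been paused'),
    strings.icontains(body.current_thread.text, 'saved payment method'),
    strings.icontains(body.current_thread.text, 'active without interruption')
  )
  // exclude legitimate OpenAI mail only when it authenticates: a bare
  // root_domain comparison would let a spoofed From: openai.com bypass the rule
  and not (
    sender.email.domain.root_domain == 'openai.com'
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )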
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "21732c1d-c4bf-53e4-b0b2-bf9688187af4"