← Back to Explore
sublimehighRule
Brand Impersonation: OpenAI with ChatGPT Ads lure
Detects messages impersonating OpenAI or ChatGPT, that contain specific references to ChatGPT Ads. Observed harvesting advertisting account credentials.
Detection Query
type.inbound
and (
// sender or subject contains openai or chatgpt
regex.icontains(sender.display_name, '\bchat\s*gpt\b')
or regex.icontains(sender.display_name, '\bopen\s*a[li]\b')
or regex.icontains(subject.subject, '\bchat\s*gpt\b')
or regex.icontains(subject.subject, '\bopen\s*a[li]\b')
or regex.icontains(body.current_thread.text,
'(?:regarding\s*your\s*Open\s*A[lI]\s*account|Open\s*A[lI]\s*\.\s*All\s*rights\s*reserved|the\s*open\s*ai\s*team)'
)
// display name references OpenAI CEO Sam Altman
or strings.icontains(sender.display_name, "Sam Altman")
// OpenAI mailing address
or regex.icontains(body.current_thread.text,
'3180 18(?:th)? St(?:reet)?,? San Francisco,? (?:CA|California)'
)
)
and 2 of (
regex.icontains(body.current_thread.text, 'ChatGPT.{0,15}Ads'),
strings.icontains(body.current_thread.text, "ad account"),
strings.icontains(body.current_thread.text, "connect account"),
strings.icontains(body.current_thread.text, "ad campaign"),
strings.icontains(body.current_thread.text, "invitation"),
)
// suspicious sender domain
and (
regex.icontains(sender.email.domain.domain, '(?:open.?ai|chat.?gpt)')
or network.whois(sender.email.domain).days_old < 365
)
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
sender.email.domain.root_domain in $high_trust_sender_root_domains
and coalesce(headers.auth_summary.dmarc.pass, false)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand Impersonation: OpenAI with ChatGPT Ads lure"
description: "Detects messages impersonating OpenAI or ChatGPT, that contain specific references to ChatGPT Ads. Observed harvesting advertisting account credentials."
type: "rule"
severity: "high"
source: |
type.inbound
and (
// sender or subject contains openai or chatgpt
regex.icontains(sender.display_name, '\bchat\s*gpt\b')
or regex.icontains(sender.display_name, '\bopen\s*a[li]\b')
or regex.icontains(subject.subject, '\bchat\s*gpt\b')
or regex.icontains(subject.subject, '\bopen\s*a[li]\b')
or regex.icontains(body.current_thread.text,
'(?:regarding\s*your\s*Open\s*A[lI]\s*account|Open\s*A[lI]\s*\.\s*All\s*rights\s*reserved|the\s*open\s*ai\s*team)'
)
// display name references OpenAI CEO Sam Altman
or strings.icontains(sender.display_name, "Sam Altman")
// OpenAI mailing address
or regex.icontains(body.current_thread.text,
'3180 18(?:th)? St(?:reet)?,? San Francisco,? (?:CA|California)'
)
)
and 2 of (
regex.icontains(body.current_thread.text, 'ChatGPT.{0,15}Ads'),
strings.icontains(body.current_thread.text, "ad account"),
strings.icontains(body.current_thread.text, "connect account"),
strings.icontains(body.current_thread.text, "ad campaign"),
strings.icontains(body.current_thread.text, "invitation"),
)
// suspicious sender domain
and (
regex.icontains(sender.email.domain.domain, '(?:open.?ai|chat.?gpt)')
or network.whois(sender.email.domain).days_old < 365
)
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
sender.email.domain.root_domain in $high_trust_sender_root_domains
and coalesce(headers.auth_summary.dmarc.pass, false)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Sender analysis"
- "Whois"
- "Content analysis"
id: "96f5864c-3fd8-5797-aa5b-2f9bc91eced6"