EXPLORE
← Back to Explore
sublimehighRule

Brand Impersonation: OpenAI with ChatGPT Ads lure

Detects messages impersonating OpenAI or ChatGPT, that contain specific references to ChatGPT Ads. Observed harvesting advertisting account credentials.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and (
  // sender or subject contains openai or chatgpt
  regex.icontains(sender.display_name, '\bchat\s*gpt\b')
  or regex.icontains(sender.display_name, '\bopen\s*a[li]\b')
  or regex.icontains(subject.subject, '\bchat\s*gpt\b')
  or regex.icontains(subject.subject, '\bopen\s*a[li]\b')
  or regex.icontains(body.current_thread.text,
                     '(?:regarding\s*your\s*Open\s*A[lI]\s*account|Open\s*A[lI]\s*\.\s*All\s*rights\s*reserved|the\s*open\s*ai\s*team)'
  )
  // display name references OpenAI CEO Sam Altman
  or strings.icontains(sender.display_name, "Sam Altman")
  // OpenAI mailing address
  or regex.icontains(body.current_thread.text,
                     '3180 18(?:th)? St(?:reet)?,? San Francisco,? (?:CA|California)'
  )
)
and 2 of (
  regex.icontains(body.current_thread.text, 'ChatGPT.{0,15}Ads'),
  strings.icontains(body.current_thread.text, "ad account"),
  strings.icontains(body.current_thread.text, "connect account"),
  strings.icontains(body.current_thread.text, "ad campaign"),
  strings.icontains(body.current_thread.text, "invitation"),
)
// suspicious sender domain
and (
  regex.icontains(sender.email.domain.domain, '(?:open.?ai|chat.?gpt)')
  or network.whois(sender.email.domain).days_old < 365
)
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Brand Impersonation: OpenAI with ChatGPT Ads lure"
description: "Detects messages impersonating OpenAI or ChatGPT, that contain specific references to ChatGPT Ads. Observed harvesting advertisting account credentials."
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    // sender or subject contains openai or chatgpt
    regex.icontains(sender.display_name, '\bchat\s*gpt\b')
    or regex.icontains(sender.display_name, '\bopen\s*a[li]\b')
    or regex.icontains(subject.subject, '\bchat\s*gpt\b')
    or regex.icontains(subject.subject, '\bopen\s*a[li]\b')
    or regex.icontains(body.current_thread.text,
                       '(?:regarding\s*your\s*Open\s*A[lI]\s*account|Open\s*A[lI]\s*\.\s*All\s*rights\s*reserved|the\s*open\s*ai\s*team)'
    )
    // display name references OpenAI CEO Sam Altman
    or strings.icontains(sender.display_name, "Sam Altman")
    // OpenAI mailing address
    or regex.icontains(body.current_thread.text,
                       '3180 18(?:th)? St(?:reet)?,? San Francisco,? (?:CA|California)'
    )
  )
  and 2 of (
    regex.icontains(body.current_thread.text, 'ChatGPT.{0,15}Ads'),
    strings.icontains(body.current_thread.text, "ad account"),
    strings.icontains(body.current_thread.text, "connect account"),
    strings.icontains(body.current_thread.text, "ad campaign"),
    strings.icontains(body.current_thread.text, "invitation"),
  )
  // suspicious sender domain
  and (
    regex.icontains(sender.email.domain.domain, '(?:open.?ai|chat.?gpt)')
    or network.whois(sender.email.domain).days_old < 365
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "Whois"
  - "Content analysis"
id: "96f5864c-3fd8-5797-aa5b-2f9bc91eced6"