Brand Impersonation: OpenAI with ChatGPT Ads lure

Detects messages impersonating OpenAI or ChatGPT that contain specific references to ChatGPT Ads. Observed harvesting advertising account credentials.

Sublime rule (View on GitHub)

 1name: "Brand Impersonation: OpenAI with ChatGPT Ads lure"
 2description: "Detects messages impersonating OpenAI or ChatGPT, that contain specific references to ChatGPT Ads. Observed harvesting advertisting account credentials."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and (
 8    // sender or subject contains openai or chatgpt
 9    regex.icontains(sender.display_name, '\bchat\s*gpt\b')
10    or regex.icontains(sender.display_name, '\bopen\s*a[li]\b')
11    or regex.icontains(subject.subject, '\bchat\s*gpt\b')
12    or regex.icontains(subject.subject, '\bopen\s*a[li]\b')
13    or regex.icontains(body.current_thread.text,
14                       '(?:regarding\s*your\s*Open\s*A[lI]\s*account|Open\s*A[lI]\s*\.\s*All\s*rights\s*reserved|the\s*open\s*ai\s*team)'
15    )
16    // display name references OpenAI CEO Sam Altman
17    or strings.icontains(sender.display_name, "Sam Altman")
18    // OpenAI mailing address
19    or regex.icontains(body.current_thread.text,
20                       '3180 18(?:th)? St(?:reet)?,? San Francisco,? (?:CA|California)'
21    )
22  )
23  and 2 of (
24    regex.icontains(body.current_thread.text, 'ChatGPT.{0,15}Ads'),
25    strings.icontains(body.current_thread.text, "ad account"),
26    strings.icontains(body.current_thread.text, "connect account"),
27    strings.icontains(body.current_thread.text, "ad campaign"),
28    strings.icontains(body.current_thread.text, "invitation"),
29  )
30  // suspicious sender domain
31  and (
32    regex.icontains(sender.email.domain.domain, '(?:open.?ai|chat.?gpt)')
33    or network.whois(sender.email.domain).days_old < 365
34  )
35  // negate highly trusted sender domains unless they fail DMARC authentication
36  and not (
37    sender.email.domain.root_domain in $high_trust_sender_root_domains
38    and coalesce(headers.auth_summary.dmarc.pass, false)
39  )  
40attack_types:
41  - "Credential Phishing"
42tactics_and_techniques:
43  - "Impersonation: Brand"
44  - "Social engineering"
45detection_methods:
46  - "Sender analysis"
47  - "Whois"
48  - "Content analysis"
49id: "96f5864c-3fd8-5797-aa5b-2f9bc91eced6"