Brand impersonation: OpenAI with payment issues
Detects messages impersonating OpenAI or ChatGPT with payment-related content such as subscription cancellation, payment failures, or billing updates from non-OpenAI domains.
Sublime rule (View on GitHub)
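name: "Brand impersonation: OpenAI with payment issues"
description: "Detects messages impersonating OpenAI or ChatGPT with payment-related content such as subscription cancellation, payment failures, or billing updates from non-OpenAI domains."
type: "rule"
severity: "high"
source: |
  type.inbound
  // brand reference: "openai" / "chatgpt" in the display name or subject, or an
  // OpenAI-style phrase in the current thread body. `a[li]` also catches the
  // lowercase-L lookalike ("OpenAl"); icontains covers the capital-I variant.
  and (
    regex.icontains(sender.display_name, '\bchat\s*gpt\b')
    or regex.icontains(sender.display_name, '\bopen\s*a[li]\b')
    or regex.icontains(subject.subject, '\bchat\s*gpt\b')
    or regex.icontains(subject.subject, '\bopen\s*a[li]\b')
    or regex.icontains(body.current_thread.text,
                       '(?:regarding\s*your\s*Open\s*A[lI]\s*account|Open\s*A[lI]\s*\.\s*All\s*rights\s*reserved|the\s*open\s*ai\s*team)'
    )
  )
  // payment / billing pressure: require two *distinct* phrases so a single
  // generic line (e.g. "Renew Subscription") cannot fire the rule on its own
  and 2 of (
    regex.icontains(body.current_thread.text,
                    'update (?:payment method|your (?:billing|payment))'
    ),
    // "will be" must be followed by whitespace before "cancelled"; without the
    // \s+ the optional group only matched the non-existent "will beCancelled"
    regex.icontains(body.current_thread.text,
                    'Subscription (?:has expired|(?:will be\s+)?Cancel+ed)'
    ),
    // this regex already covers the literal "issue with the transaction", which
    // was previously listed a second time as a strings.icontains criterion and
    // therefore counted twice toward the "2 of" threshold
    regex.icontains(body.current_thread.text,
                    'issue with (?:the transaction|payment)'
    ),
    regex.icontains(body.current_thread.text, "you(?:'ll| will) lose access"),
    regex.icontains(body.current_thread.text,
                    'payment (?:is not successful|error|was declined)'
    ),
    regex.icontains(body.current_thread.text,
                    'unable to (?:process|automatically charge)'
    ),
    strings.icontains(body.current_thread.text, 'bank or card issuer'),
    strings.icontains(body.current_thread.text, 'could not be processed'),
    strings.icontains(body.current_thread.text, 'settle the outstanding'),
    strings.icontains(body.current_thread.text, 'account will be downgraded'),
    strings.icontains(body.current_thread.text, 'Renew Subscription'),
    strings.icontains(body.current_thread.text, 'balance is settled'),
    strings.icontains(body.current_thread.text, 'will renew automatically'),
    strings.icontains(body.current_thread.text, 'process your payment'),
    strings.icontains(body.current_thread.text, 'keep your subscription active'),
    strings.icontains(body.current_thread.text, 'avoid any interruption'),
    strings.icontains(body.current_thread.text, 'charge attempt was unsuccessful'),
    strings.icontains(body.current_thread.text, 'scheduled for cancellation'),
    strings.icontains(body.current_thread.text, 'authorizing your payment'),
    strings.icontains(body.current_thread.text, 'Declining Payment'),
    strings.icontains(body.current_thread.text, 'Insufficient funds'),
    strings.icontains(body.current_thread.text, 'Card has expired'),
    strings.icontains(body.current_thread.text, 'exceeds your credit limit'),
    strings.icontains(body.current_thread.text, 'plan features have been paused'),
    strings.icontains(body.current_thread.text, 'saved payment method'),
    strings.icontains(body.current_thread.text, 'active without interruption')
  )
  // not from openai: only exempt the legitimate openai.com sender domain when
  // the message actually authenticates. A bare root_domain check would also
  // exempt a spoofed, DMARC-failing "@openai.com" From address, which is
  // exactly the message this rule should catch.
  and not (
    sender.email.domain.root_domain == 'openai.com'
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "21732c1d-c4bf-53e4-b0b2-bf9688187af4"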