Brand impersonation: OpenAI with payment issues
Detects messages impersonating OpenAI or ChatGPT with payment-related content such as subscription cancellation, payment failures, or billing updates from non-OpenAI domains.
Sublime rule (View on GitHub)
1name: "Brand impersonation: OpenAI with payment issues"
2description: "Detects messages impersonating OpenAI or ChatGPT with payment-related content such as subscription cancellation, payment failures, or billing updates from non-OpenAI domains."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 and (
8 // sender or subject contains openai or chatgpt
9 regex.icontains(sender.display_name, '\bchat\s*gpt\b')
10 or regex.icontains(sender.display_name, '\bopen\s*a[li]\b')
11 or regex.icontains(subject.subject, '\bchat\s*gpt\b')
12 or regex.icontains(subject.subject, '\bopen\s*a[li]\b')
13 or regex.icontains(body.current_thread.text,
14 '(?:regarding\s*your\s*Open\s*A[lI]\s*account|Open\s*A[lI]\s*\.\s*All\s*rights\s*reserved|the\s*open\s*ai\s*team)'
15 )
16 )
17 and 2 of (
18 // payment phrase
19 regex.icontains(body.current_thread.text,
20 'update (?:payment method|your (?:billing|payment))'
21 ),
22 regex.icontains(body.current_thread.text,
23 'Subscription (?:has expired|(?:will be)?Cancel+ed)'
24 ),
25 regex.icontains(body.current_thread.text,
26 'issue with (?:the transaction|payment)'
27 ),
28 regex.icontains(body.current_thread.text, "you(?:'ll| will) lose access"),
29 regex.icontains(body.current_thread.text,
30 'payment (?:is not successful|error|was declined)'
31 ),
32 regex.icontains(body.current_thread.text,
33 'unable to (?:process|automatically charge)'
34 ),
35 strings.icontains(body.current_thread.text, 'bank or card issuer'),
36 strings.icontains(body.current_thread.text, 'issue with the transaction'),
37 strings.icontains(body.current_thread.text, 'could not be processed'),
38 strings.icontains(body.current_thread.text, 'settle the outstanding'),
39 strings.icontains(body.current_thread.text, 'account will be downgraded'),
40 strings.icontains(body.current_thread.text, 'Renew Subscription'),
41 strings.icontains(body.current_thread.text, 'balance is settled'),
42 strings.icontains(body.current_thread.text, 'will renew automatically'),
43 strings.icontains(body.current_thread.text, 'process your payment'),
44 strings.icontains(body.current_thread.text, 'keep your subscription active'),
45 strings.icontains(body.current_thread.text, 'avoid any interruption'),
46 strings.icontains(body.current_thread.text, 'charge attempt was unsuccessful'),
47 strings.icontains(body.current_thread.text, 'scheduled for cancellation'),
48 strings.icontains(body.current_thread.text, 'authorizing your payment'),
49 strings.icontains(body.current_thread.text, 'Declining Payment'),
50 strings.icontains(body.current_thread.text, 'Insufficient funds'),
51 strings.icontains(body.current_thread.text, 'Card has expired'),
52 strings.icontains(body.current_thread.text, 'exceeds your credit limit'),
53 strings.icontains(body.current_thread.text, 'plan features have been paused'),
54 strings.icontains(body.current_thread.text, 'saved payment method'),
55 strings.icontains(body.current_thread.text, 'active without interruption'),
56 strings.icontains(body.current_thread.text, 'interruption to your access'),
57 strings.icontains(body.current_thread.text, 'review your account status'),
58 strings.icontains(body.current_thread.text, 'access confirmation'),
59 strings.icontains(body.current_thread.text, 'review allowance'),
60 strings.icontains(body.current_thread.text, 'access may be suspended'),
61 strings.icontains(body.current_thread.text, 'next allowance cycle')
62 )
63 // not from openai
64 and not (
65 sender.email.domain.root_domain == 'openai.com'
66 and coalesce(headers.auth_summary.dmarc.pass, false)
67 )
68 // negate highly trusted sender domains unless they fail DMARC authentication
69 and not (
70 sender.email.domain.root_domain in $high_trust_sender_root_domains
71 and coalesce(headers.auth_summary.dmarc.pass, false)
72 )
73attack_types:
74 - "Credential Phishing"
75tactics_and_techniques:
76 - "Impersonation: Brand"
77 - "Social engineering"
78detection_methods:
79 - "Content analysis"
80 - "Header analysis"
81 - "Sender analysis"
82id: "21732c1d-c4bf-53e4-b0b2-bf9688187af4"