Link: Apple App Store link to apps impersonating AI advertising

Detects messages containing links to Apple App Store apps that impersonate popular AI services (OpenAI, ChatGPT, Meta, Gemini) and are categorized as advertising or management tools offered for free.

Sublime rule (View on GitHub)

# Sublime detection rule (MQL). It fires on inbound mail whose body links to an
# apps.apple.com listing when the listing's JSON-LD metadata (a) names a major
# AI brand or a lookalike of it, (b) describes an ads / management product, and
# (c) is offered for free. All three checks read the same JSON-LD block.
name: "Link: Apple App Store link to apps impersonating AI adveristing"
description: "Detects messages containing links to Apple App Store apps that impersonate popular AI services (OpenAI, ChatGPT, Meta, Gemini) and are categorized as advertising or management tools offered for free."
type: "rule"
severity: "high"
source: |
  // Scope: inbound messages only.
  type.inbound
  // Candidate links: those in the current thread's body whose registered
  // domain is apps.apple.com. Each candidate is bound to "." below.
  and any(filter(body.current_thread.links,
                 .href_url.domain.domain in ('apps.apple.com')
          ),
          // testflight = <script name="schema:software-application" type="application/ld+json">
          // apps.apple.com = <script id="software-application" type="application/ld+json">
          // The listing page is fetched/rendered by link analysis and the
          // App Store's JSON-LD "software-application" <script> is selected.
          // NOTE(review): if link analysis returns no DOM or the page lacks
          // this <script>, .nodes is empty and this any() is false, so the
          // rule silently does not fire -- confirm that is the intended
          // fail-closed/open behaviour.
          any(html.xpath(ml.link_analysis(.).final_dom,
                         '//script[@id="software-application"][@type="application/ld+json"]'
              ).nodes,
              // extract just the value of this node and parse it as json
              // Condition 1: the app "name" contains one of the brand strings.
              // "openal" / "open al" cover the lowercase-L-for-I lookalike of
              // "openai" / "open ai".
              any([
                    "openai",
                    "openal",
                    "open ai",
                    "open al",
                    "chatgpt",
                    "meta",
                    "gemini"
                  ],
                  // Inside this any() "." is the list entry being tested, so
                  // the enclosing <script> node is reached with ".." (hence
                  // "..raw" here versus ".raw" in the two conditions below).
                  // NOTE(review): the capture uses a greedy ".*"; if more than
                  // one <script> ends up on the same line of .raw the capture
                  // could run past the first closing tag -- confirm.
                  strings.icontains(strings.parse_json(regex.iextract(..raw,
                                                                      '<script id="software-application" type="application/ld\+json">\s*(?P<app_overview>.*)\s+</script>'
                                                       )[0].named_groups["app_overview"]
                                    )["name"],
                                    .
                  )
              )
              // Condition 2: the same "name" also contains an advertising /
              // management keyword (word-boundary anchored at the start only,
              // so "advert" also matches "advertising", "ad" matches "ads").
              // The JSON-LD extraction is repeated verbatim from Condition 1;
              // any change to the pattern must be mirrored in all three places.
              and regex.icontains(strings.parse_json(regex.iextract(.raw,
                                                                    '<script id="software-application" type="application/ld\+json">\s*(?P<app_overview>.*)\s+</script>'
                                                     )[0].named_groups["app_overview"]
                                  )["name"],
                                  '\b(?:suite|ads?|advert|manager?|campaigns?)'
              )
              // Condition 3: the listing's offers.category is exactly "free"
              // (case-sensitive string comparison, unlike the two checks above).
              and strings.parse_json(regex.iextract(.raw,
                                                    '<script id="software-application" type="application/ld\+json">\s*(?P<app_overview>.*)\s+</script>'
                                     )[0].named_groups["app_overview"]
              )["offers"]["category"] == "free"
          )
  )  

# Catalog metadata for the rule (classification, not detection logic).
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
detection_methods:
  - "Content analysis"
  - "URL analysis"
  - "HTML analysis"
id: "19b556e6-6d08-533b-b42e-bd3fa1dee6ad"