Service abuse: Apple TestFlight with suspicious developer reference

Detects legitimate Apple TestFlight emails that reference potentially suspicious developers or apps, including variations of OpenAI, ChatGPT, or Meta in the app description or developer name fields.

Sublime rule

# Sublime Security detection rule; the detection logic is the MQL query under `source`.
# Fires on inbound mail that presents as an Apple TestFlight invitation and whose app or
# developer text contains an OpenAI / ChatGPT / Meta lookalike string (see the reference below).
name: "Service abuse: Apple TestFlight with suspicious developer reference"
description: "Detects legitimate Apple TestFlight emails that reference potentially suspicious developers or apps, including variations of OpenAI, ChatGPT, or Meta in the app description or developer name fields."
# Write-up of the campaign this rule was written against
references:
  - "https://sublime.security/blog/fake-meta-ads-manager-in-app-store-and-testflight-used-to-phish-meta-ad-accounts/"
type: "rule"
severity: "high"
# MQL: the top-level conditions are AND-ed; the final parenthesised group is an OR of two
# independent ways of recovering the app / developer name from the HTML body.
source: |
  type.inbound
  // appears to be from apple (don't care it being legit from apple, appearing is fine)
  // NOTE: only the visible sender domain is compared here; no authentication result
  // (SPF/DKIM/DMARC) is required, so a sender that merely looks like Apple also passes
  // this clause. That is deliberate per the comment above, not an omission.
  and sender.email.domain.domain == "email.apple.com"
  // has a link
  // at least one link in the current message body points at the TestFlight host
  and any(body.current_thread.links,
          .href_url.domain.domain in ('testflight.apple.com')
  )
  and (
    // get the app description
    // Branch 1: locate the <pre> block(s) in the table rows after the "App Description"
    // heading, run NLU entity extraction on each, and match when an "org" entity contains
    // one of the keywords. Inside the inner any(), `..text` is the entity from the enclosing
    // iteration and `.` is the current keyword. The "openal" / "open al" entries appear to
    // cover an l-for-i lookalike spelling of OpenAI.
    // The keyword list is duplicated verbatim in branch 2 below — keep the two in sync.
    any(html.xpath(body.html,
                   '//h2[contains(text(), "App Description")]/ancestor::tr/following-sibling::tr//pre'
        ).nodes,
        any(ml.nlu_classifier(.display_text).entities,
            .name == "org"
            and any(["openai", "openal", "open ai", "open al", "chatgpt", "meta"],
                    strings.icontains(..text, .)
            )
        )
    )
  
    // parse out the template to get the app and org name
    // Branch 2: the aria-labelled <h2> is expected to read "<app name>\nBy <developer> for iOS."
    // (the regex is case-insensitive and the dot before `$` is unescaped, so it matches any
    // trailing character). Both named groups are checked against the same keyword list.
    // strings.icontains is a case-insensitive substring test, so a short keyword such as
    // "meta" also matches names that merely contain it (e.g. a constructed "Metaverse Tools"),
    // which is the likely source of benign hits from this rule.
    or any(html.xpath(body.html, '//h2[@aria-label]').nodes,
           any(regex.iextract(.display_text,
                              '(?P<app_name>[^\r\n]+)[\r\n]+By (?P<dev_name>.*) for IOS.$'
               ),
               any(["openai", "openal", "open ai", "open al", "chatgpt", "meta"],
                   strings.icontains(..named_groups["dev_name"], .)
                   or strings.icontains(..named_groups["app_name"], .)
               )
           )
    )
  )  

# Classification metadata for the rule
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
# Stable identifier for this rule (UUID format)
id: "e7ea0ee0-667a-5b76-b064-8fa847c665ff"