1+ name : " Brand impersonation: OpenAI with payment issues"
2+ description : " Detects messages impersonating OpenAI or ChatGPT with payment-related content such as subscription cancellation, payment failures, or billing updates from non-OpenAI domains."
3+ type : " rule"
4+ severity : " high"
5+ source : |
6+ type.inbound
7+ and (
8+ // sender or subject contains openai or chatgpt
9+ regex.icontains(sender.display_name, '\bchat\s*gpt\b')
10+ or regex.icontains(sender.display_name, '\bopen\s*a[li]\b')
11+ or regex.icontains(subject.subject, '\bchat\s*gpt\b')
12+ or regex.icontains(subject.subject, '\bopen\s*a[li]\b')
13+ or regex.icontains(body.current_thread.text,
14+ '(?:regarding\s*your\s*Open\s*A[lI]\s*account|Open\s*A[lI]\s*\.\s*All\s*rights\s*reserved|the\s*open\s*ai\s*team)'
15+ )
16+ )
17+ and 2 of (
18+ // payment phrase
19+ regex.icontains(body.current_thread.text,
20+ 'update (?:payment method|your (?:billing|payment))'
21+ ),
22+ regex.icontains(body.current_thread.text,
23+ 'Subscription (?:has expired|(?:will be)?Cancel+ed)'
24+ ),
25+ regex.icontains(body.current_thread.text,
26+ 'issue with (?:the transaction|payment)'
27+ ),
28+ regex.icontains(body.current_thread.text, "you(?:'ll| will) lose access"),
29+ regex.icontains(body.current_thread.text,
30+ 'payment (?:is not successful|error|was declined)'
31+ ),
32+ regex.icontains(body.current_thread.text,
33+ 'unable to (?:process|automatically charge)'
34+ ),
35+ strings.icontains(body.current_thread.text, 'bank or card issuer'),
36+ strings.icontains(body.current_thread.text, 'issue with the transaction'),
37+ strings.icontains(body.current_thread.text, 'could not be processed'),
38+ strings.icontains(body.current_thread.text, 'settle the outstanding'),
39+ strings.icontains(body.current_thread.text, 'account will be downgraded'),
40+ strings.icontains(body.current_thread.text, 'Renew Subscription'),
41+ strings.icontains(body.current_thread.text, 'balance is settled'),
42+ strings.icontains(body.current_thread.text, 'will renew automatically'),
43+ strings.icontains(body.current_thread.text, 'process your payment'),
44+ strings.icontains(body.current_thread.text, 'keep your subscription active'),
45+ strings.icontains(body.current_thread.text, 'avoid any interruption'),
46+ strings.icontains(body.current_thread.text, 'charge attempt was unsuccessful'),
47+ strings.icontains(body.current_thread.text, 'scheduled for cancellation'),
48+ strings.icontains(body.current_thread.text, 'authorizing your payment'),
49+ strings.icontains(body.current_thread.text, 'Declining Payment'),
50+ strings.icontains(body.current_thread.text, 'Insufficient funds'),
51+ strings.icontains(body.current_thread.text, 'Card has expired'),
52+ strings.icontains(body.current_thread.text, 'exceeds your credit limit'),
53+ strings.icontains(body.current_thread.text, 'plan features have been paused'),
54+ strings.icontains(body.current_thread.text, 'saved payment method'),
55+ strings.icontains(body.current_thread.text, 'active without interruption')
56+ )
57+ // not from openai
58+ and not (
59+ sender.email.domain.root_domain == 'openai.com'
60+ and coalesce(headers.auth_summary.dmarc.pass, false)
61+ )
62+ // negate highly trusted sender domains unless they fail DMARC authentication
63+ and not (
64+ sender.email.domain.root_domain in $high_trust_sender_root_domains
65+ and coalesce(headers.auth_summary.dmarc.pass, false)
66+ )
67+ attack_types :
68+ - " Credential Phishing"
69+ tactics_and_techniques :
70+ - " Impersonation: Brand"
71+ - " Social engineering"
72+ detection_methods :
73+ - " Content analysis"
74+ - " Header analysis"
75+ - " Sender analysis"
76+ id : " 7cbbdc40-4cc9-5352-b51b-9e25396047cc"
77+ og_id : " 21732c1d-c4bf-53e4-b0b2-bf9688187af4"
78+ testing_pr : 4716
79+ testing_sha : 74ebc5595482914e57a1805715dae6bb9c4b21e3
0 commit comments