// Flags inbound mail that presents itself as OpenAI/ChatGPT, carries an
// ads-account / invitation theme, and comes from a sender domain that either
// contains the brand name or is reported by WHOIS as under 365 days old.
// Senders on the high-trust root-domain list are excluded only when DMARC passes.
type.inbound
and (
// brand reference in the display name, the subject, or the body of the current thread.
// The [li] class accepts both "i" and "l", so the lookalike spelling "OpenAl" also matches;
// \s* tolerates spacing variants such as "Chat GPT" or "Open AI".
regex.icontains(sender.display_name, '\bchat\s*gpt\b')
or regex.icontains(sender.display_name, '\bopen\s*a[li]\b')
or regex.icontains(subject.subject, '\bchat\s*gpt\b')
or regex.icontains(subject.subject, '\bopen\s*a[li]\b')
// body phrases: an account notice, a copyright footer, or a team sign-off
or regex.icontains(body.current_thread.text,
'(?:regarding\s*your\s*Open\s*A[lI]\s*account|Open\s*A[lI]\s*\.\s*All\s*rights\s*reserved|the\s*open\s*ai\s*team)'
)
// display name references OpenAI CEO Sam Altman
or strings.icontains(sender.display_name, "Sam Altman")
// OpenAI mailing address, with optional "th", "Street" spelled out, optional commas,
// and the state written as "CA" or "California"
or regex.icontains(body.current_thread.text,
'3180 18(?:th)? St(?:reet)?,? San Francisco,? (?:CA|California)'
)
)
// theme check: at least two of the five ads / account-linking indicators must appear in the body.
// "invitation" on its own is a generic word, so the second match is what carries the signal.
and 2 of (
regex.icontains(body.current_thread.text, 'ChatGPT.{0,15}Ads'),
strings.icontains(body.current_thread.text, "ad account"),
strings.icontains(body.current_thread.text, "connect account"),
strings.icontains(body.current_thread.text, "ad campaign"),
strings.icontains(body.current_thread.text, "invitation"),
)
// suspicious sender domain: the brand name appears in the domain (unanchored; ".?" allows
// one optional separator character, e.g. a hyphen), or WHOIS reports the domain as under 365 days old.
// NOTE(review): the brand regex also matches the genuine brand domains, so authentic mail is
// excluded only by the high-trust negation below; confirm those domains are on that list.
// NOTE(review): the lookalike "opena[li]" spelling handled above is not covered by this regex;
// such domains are caught only through the age branch.
and (
regex.icontains(sender.email.domain.domain, '(?:open.?ai|chat.?gpt)')
or network.whois(sender.email.domain).days_old < 365
)
// negate highly trusted sender domains unless they fail DMARC authentication.
// coalesce(..., false) treats a missing DMARC result as a failure, so a message that merely
// claims a high-trust domain without a DMARC pass is still evaluated by the rule.
and not (
sender.email.domain.root_domain in $high_trust_sender_root_domains
and coalesce(headers.auth_summary.dmarc.pass, false)
)