Description

Detects messages impersonating OpenAI or ChatGPT with payment-related content such as subscription cancellation, payment failures, or billing updates from non-OpenAI domains.

References

No references.

Sublime Security
Created Apr 22nd, 2026 • Last updated Apr 22nd, 2026
Source
type.inbound
and (
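  // sender display name or subject contains openai or chatgpt ("a[li]" also matches the lookalike "OpenAl"),
  // or the body carries OpenAI-style account or footer wording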
  regex.icontains(sender.display_name, '\bchat\s*gpt\b')
  or regex.icontains(sender.display_name, '\bopen\s*a[li]\b')
  or regex.icontains(subject.subject, '\bchat\s*gpt\b')
  or regex.icontains(subject.subject, '\bopen\s*a[li]\b')
  or regex.icontains(body.current_thread.text,
                     '(?:regarding\s*your\s*Open\s*A[lI]\s*account|Open\s*A[lI]\s*\.\s*All\s*rights\s*reserved|the\s*open\s*ai\s*team)'
  )
)
and 2 of (
  // payment phrase
  regex.icontains(body.current_thread.text,
                  'update (?:payment method|your (?:billing|payment))'
  ),
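  // matches "Subscription has expired", "Subscription canceled/cancelled" and "Subscription will be cancelled"
  regex.icontains(body.current_thread.text,
                  'Subscription (?:has expired|(?:will be )?Cancel+ed)'
  ),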
  regex.icontains(body.current_thread.text,
                  'issue with (?:the transaction|payment)'
  ),
  regex.icontains(body.current_thread.text, "you(?:'ll| will) lose access"),
  regex.icontains(body.current_thread.text,
                  'payment (?:is not successful|error|was declined)'
  ),
  regex.icontains(body.current_thread.text,
                  'unable to (?:process|automatically charge)'
  ),
  strings.icontains(body.current_thread.text, 'bank or card issuer'),
  strings.icontains(body.current_thread.text, 'issue with the transaction'),
  strings.icontains(body.current_thread.text, 'could not be processed'),
  strings.icontains(body.current_thread.text, 'settle the outstanding'),
  strings.icontains(body.current_thread.text, 'account will be downgraded'),
  strings.icontains(body.current_thread.text, 'Renew Subscription'),
  strings.icontains(body.current_thread.text, 'balance is settled'),
  strings.icontains(body.current_thread.text, 'will renew automatically'),
  strings.icontains(body.current_thread.text, 'process your payment'),
  strings.icontains(body.current_thread.text, 'keep your subscription active'),
  strings.icontains(body.current_thread.text, 'avoid any interruption'),
  strings.icontains(body.current_thread.text, 'charge attempt was unsuccessful'),
  strings.icontains(body.current_thread.text, 'scheduled for cancellation'),
  strings.icontains(body.current_thread.text, 'authorizing your payment'),
  strings.icontains(body.current_thread.text, 'Declining Payment'),
  strings.icontains(body.current_thread.text, 'Insufficient funds'),
  strings.icontains(body.current_thread.text, 'Card has expired'),
  strings.icontains(body.current_thread.text, 'exceeds your credit limit'),
  strings.icontains(body.current_thread.text, 'plan features have been paused'),
  strings.icontains(body.current_thread.text, 'saved payment method'),
  strings.icontains(body.current_thread.text, 'active without interruption')
)
// not from openai
and not sender.email.domain.root_domain == 'openai.com'
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
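
The rule's gates (brand mention, at least two payment phrases, sender not openai.com, not a DMARC-passing high-trust domain) can be exercised offline. The Python harness below is an added example, not Sublime's code: it copies a subset of the patterns above, while `evaluate`, the message dictionaries and the `.example` domains are constructed for illustration. It also shows that `2 of` counts each expression separately, so the single phrase "issue with the transaction" satisfies two entries.

```python
import re

# Patterns copied from the rule on this page (payment list shortened to six entries).
BRAND_HEADER = [r'\bchat\s*gpt\b', r'\bopen\s*a[li]\b']
BRAND_BODY = (r'(?:regarding\s*your\s*Open\s*A[lI]\s*account'
              r'|Open\s*A[lI]\s*\.\s*All\s*rights\s*reserved|the\s*open\s*ai\s*team)')
PAYMENT = [
    r'update (?:payment method|your (?:billing|payment))',
    r'issue with (?:the transaction|payment)',
    r'unable to (?:process|automatically charge)',
    r'issue with the transaction',   # strings.icontains entries are plain literals
    r'could not be processed',
    r'saved payment method',
]

def icontains(pattern, text):
    """Case-insensitive search, standing in for regex.icontains / strings.icontains."""
    return re.search(pattern, text, re.IGNORECASE) is not None

def evaluate(msg, trusted=frozenset(), threshold=2):
    """Mirror the rule's gates; returns (flagged, payment patterns that hit)."""
    brand = (any(icontains(p, msg[f]) for p in BRAND_HEADER
                 for f in ('display_name', 'subject'))
             or icontains(BRAND_BODY, msg['body']))
    hits = [p for p in PAYMENT if icontains(p, msg['body'])]
    from_openai = msg['root_domain'] == 'openai.com'
    # High-trust domains are exempt only when DMARC passes.
    trusted_pass = msg['root_domain'] in trusted and msg.get('dmarc_pass', False)
    return (brand and len(hits) >= threshold
            and not from_openai and not trusted_pass), hits

# Constructed messages (not real mail); domains use the reserved .example TLD.
LURE = {'display_name': 'OpenAl Billing', 'subject': 'Action required',
        'body': 'We were unable to process your charge. Please update your payment details.',
        'root_domain': 'billing.example', 'dmarc_pass': True}
GENUINE = dict(LURE, display_name='OpenAI', root_domain='openai.com')
ONE_PHRASE = dict(LURE, body='There was an issue with the transaction.')
TRUSTED = dict(LURE, root_domain='trusted.example')

if __name__ == '__main__':
    for name, m in [('lure', LURE), ('genuine', GENUINE), ('one_phrase', ONE_PHRASE)]:
        print(name, evaluate(m))
    print('trusted+dmarc', evaluate(TRUSTED, trusted={'trusted.example'}))
```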