Skip to content

Create impersonation_openai.yml #2952

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
brycampbell wants to merge 42 commits into from
Closed

Create impersonation_openai.yml #2952

brycampbell wants to merge 42 commits into from

Conversation

@brycampbell
Copy link
Member

@brycampbell brycampbell commented Jul 15, 2025

Description

This rule is designed to identify suspicious OpenAI style phishing content, using both logo detect (TBD) and levenshtein logic to determine whether brand impersonation is present. Including the legimate sending domains should reduce the risk of false positives.

Associated samples

this sample is a phish

Associated hunts

Screenshot (insights)

@brycampbell brycampbell requested a review from a team as a code owner July 15, 2025 19:24
@brycampbell brycampbell added review-needed Indicates that a PR is waiting for review pending-external-task Waiting on a feature/bug fix/release labels Jul 15, 2025
@brycampbell brycampbell enabled auto-merge July 15, 2025 23:01
@brycampbell brycampbell added the hunting-required Hunts needed to validate rule efficacy label Jul 15, 2025
@brycampbell
Copy link
Member Author

brycampbell commented Jul 16, 2025

Hunting has identified some domains that are identified as part of the Levenshtein logic, i will add a negation in for the legitimate ones.

@brycampbell brycampbell removed the review-needed Indicates that a PR is waiting for review label Jul 16, 2025
@brycampbell
Copy link
Member Author

brycampbell commented Jul 16, 2025

https://platform.sublime.security/messages/hunt?huntId=0198144c-8f1e-7d4a-b520-97cb9f307658 This hunt includes some negation for a legitimate platform.

@brycampbell
Copy link
Member Author

brycampbell commented Jul 17, 2025

/update-test-rules

@brycampbell brycampbell added the in-test-rules PR is in our testing suite to collect telemetry label Jul 17, 2025
github-actions bot pushed a commit that referenced this pull request Jul 17, 2025
Sync from PR#2952
6575fdf 
Create impersonation_openai.yml by @brycampbell
#2952
Source SHA 493cf3c
Triggered by @brycampbell
github-actions bot added a commit that referenced this pull request Jul 24, 2025
@github-actions
[PR #2952] modified rule: Brand Impersonation: OpenAI
4c9565c
@brycampbell
Update impersonation_openai.yml
fb26f03 
Remove deprecated profile for messages, replaced with benign profile
@brycampbell
Merge branch 'main' into Create-impersonation_openai
ea76930
github-actions bot added a commit that referenced this pull request Jul 24, 2025
@github-actions
[PR #2952] modified rule: Brand Impersonation: OpenAI
a3ef7c9
@brycampbell
Copy link
Member Author

brycampbell commented Jul 24, 2025

/update-test-rules

github-actions bot added a commit that referenced this pull request Jul 24, 2025
@github-actions
[PR #2952] modified rule: Brand Impersonation: OpenAI
d895af1
github-actions bot added a commit that referenced this pull request Aug 4, 2025
@github-actions
[PR #2952] modified rule: Brand Impersonation: OpenAI
ea53ed2
@brycampbell brycampbell removed the pending-external-task Waiting on a feature/bug fix/release label Aug 4, 2025
@brycampbell
Copy link
Member Author

brycampbell commented Aug 4, 2025

Logo is in, adding in another negation.

@brycampbell
Copy link
Member Author

brycampbell commented Aug 4, 2025

Hunting with some additional edits.

  1. https://platform.sublime.security/hunts/019874f1-d82e-7576-9ba0-f501f6edb273
  2. https://platform.sublime.security/messages/hunt?huntId=019875cd-806c-7b19-b152-feb88a956dd6
    The second hunt includes the requested detection i've been waiting on using logo.

github-actions bot added a commit that referenced this pull request Aug 4, 2025
@github-actions
[PR #2952] modified rule: Brand Impersonation: OpenAI
28f3cba
zoomequipd
zoomequipd requested changes Dec 15, 2025
View reviewed changes
Copy link
Member

@zoomequipd zoomequipd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

still has many benign matches.

@aidenmitchell aidenmitchell removed their request for review December 16, 2025 16:30
brycampbell and others added 2 commits December 22, 2025 11:32
@brycampbell @zoomequipd
Update detection-rules/impersonation_openai.yml
c86bce8 
Co-authored-by: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
@brycampbell @zoomequipd
Update detection-rules/impersonation_openai.yml
9b584da 
Co-authored-by: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
github-actions bot added a commit that referenced this pull request Dec 22, 2025
@github-actions
[PR #2952] modified rule: Brand Impersonation: OpenAI
117d7e2
zoomequipd
zoomequipd reviewed Dec 24, 2025
View reviewed changes
@zoomequipd zoomequipd removed the review-needed Indicates that a PR is waiting for review label Dec 24, 2025
@zoomequipd
Copy link
Member

zoomequipd commented Dec 24, 2025

removing review needed label until feedback is addressed

@brycampbell @zoomequipd
Update detection-rules/impersonation_openai.yml
f6cfaf9 
Co-authored-by: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
github-actions bot added a commit that referenced this pull request Jan 5, 2026
@github-actions
[PR #2952] modified rule: Brand Impersonation: OpenAI
cc460cb
github-actions bot added a commit that referenced this pull request Jan 8, 2026
@github-actions
[PR #2952] modified rule: Brand Impersonation: OpenAI
620ddfa
@brycampbell
Update impersonation_openai.yml
5a6a01b 
Add in negation to avoid legit ChatGPT purchases from Apple App store.
@github-actions github-actions bot removed the in-test-rules PR is in our testing suite to collect telemetry label Jan 9, 2026
github-actions bot added a commit that referenced this pull request Jan 9, 2026
@github-actions
[PR #2952] Delete detection rule
d6abca0
@github-actions github-actions bot added the in-test-rules PR is in our testing suite to collect telemetry label Jan 9, 2026
github-actions bot added a commit that referenced this pull request Jan 9, 2026
@github-actions
[PR #2952] added rule: Brand Impersonation: OpenAI
ba0b072
@github-actions github-actions bot removed the in-test-rules PR is in our testing suite to collect telemetry label Jan 12, 2026
github-actions bot added a commit that referenced this pull request Jan 12, 2026
@github-actions
[PR #2952] Delete detection rule
fa692a5
@github-actions github-actions bot added the in-test-rules PR is in our testing suite to collect telemetry label Jan 12, 2026
github-actions bot added a commit that referenced this pull request Jan 12, 2026
@github-actions
[PR #2952] added rule: Brand Impersonation: OpenAI
e454ab1
@brycampbell
Copy link
Member Author

brycampbell commented Jan 15, 2026

#3790

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zoomequipd zoomequipd zoomequipd requested changes

@aidenmitchell aidenmitchell aidenmitchell left review comments

Assignees

No one assigned

Labels

in-test-rules PR is in our testing suite to collect telemetry

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@brycampbell @aidenmitchell @zoomequipd @alex-herold