Link: Apple App Store link to apps impersonating AI advertising
Detects messages containing links to Apple App Store apps that impersonate popular AI services (OpenAI, ChatGPT, Meta, Gemini) and are categorized as advertising or management tools offered for free.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: Brand |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| type |
Rule body MQL
```mql
type.inbound
and any(filter(body.current_thread.links,
               .href_url.domain.domain in ('apps.apple.com')
        ),
        // testflight = <script name="schema:software-application" type="application/ld+json">
        // apps.apple.com = <script id="software-application" type="application/ld+json">
        any(html.xpath(ml.link_analysis(.).final_dom,
                       '//script[@id="software-application"][@type="application/ld+json"]'
            ).nodes,
            // extract just the value of this node and parse it as json
            // inside this any(), `.` is the brand string, so `..raw` reaches back to the script node
            any([
                  "openai",
                  "openal",
                  "open ai",
                  "open al",
                  "chatgpt",
                  "meta",
                  "gemini",
                  "gpt"
                ],
                strings.icontains(strings.parse_json(regex.iextract(..raw,
                                                                    '<script id="software-application" type="application/ld\+json">\s*(?P<app_overview>.*)\s+</script>'
                                                     )[0].named_groups["app_overview"]
                                  )["name"],
                                  .
                )
            )
            // the app name must also carry an advertising / management keyword at a word start
            and regex.icontains(strings.parse_json(regex.iextract(.raw,
                                                                  '<script id="software-application" type="application/ld\+json">\s*(?P<app_overview>.*)\s+</script>'
                                                   )[0].named_groups["app_overview"]
                                )["name"],
                                '\b(?:suite|ads?|gpt|advert|manager?|campaigns?)'
            )
            // and the listing must be free
            and strings.parse_json(regex.iextract(.raw,
                                                  '<script id="software-application" type="application/ld\+json">\s*(?P<app_overview>.*)\s+</script>'
                                   )[0].named_groups["app_overview"]
                )["offers"]["category"] == "free"
        )
)
```
Detection logic
Scope: inbound message.
- inbound message
- any link in body.current_thread.links whose href_url.domain.domain is apps.apple.com, where the page returned by ml.link_analysis(.).final_dom contains a node matching '//script[@id="software-application"][@type="application/ld+json"]', and for some such node all of the following hold on the JSON extracted with regex.iextract(.raw, '<script id="software-application" type="application/ld\+json">\s*(?P<app_overview>.*)\s+</script>') and parsed with strings.parse_json:
  - the name field contains (case-insensitive) one of 'openai', 'openal', 'open ai', 'open al', 'chatgpt', 'meta', 'gemini', 'gpt'. These are substring matches, so 'meta' and 'gpt' also hit inside longer words; the 'openal' and 'open al' entries catch the lowercase L for I lookalike spelling
  - the name field matches (case-insensitive) '\b(?:suite|ads?|gpt|advert|manager?|campaigns?)', i.e. an advertising or management keyword at a word start
  - offers.category is 'free'
Inspects: body.current_thread.links, body.current_thread.links[].href_url.domain.domain, type.inbound. Sensors: html.xpath, ml.link_analysis, regex.icontains, regex.iextract, strings.icontains, strings.parse_json.
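To see how the three conditions behave on realistic input, the following is an added Python re-implementation of the rule body (example code written for this page, not Sublime's engine or the rule's own code). It reuses the rule's two regexes and brand list verbatim; the html.xpath lookup over ml.link_analysis(.).final_dom is approximated by a regex over the raw HTML, and the App Store pages it evaluates are constructed stand-ins, not captured pages.

```python
import json
import re
from typing import Optional

# Lifted verbatim from the rule body.
BRAND_TERMS = ["openai", "openal", "open ai", "open al", "chatgpt", "meta", "gemini", "gpt"]
APP_OVERVIEW_RE = re.compile(
    r'<script id="software-application" type="application/ld\+json">\s*(?P<app_overview>.*)\s+</script>',
    re.IGNORECASE,
)
AD_TOOL_RE = re.compile(r"\b(?:suite|ads?|gpt|advert|manager?|campaigns?)", re.IGNORECASE)

# Assumption: stand-in for html.xpath('//script[@id="software-application"][@type="application/ld+json"]')
# over the analysed DOM. There is no DOM here, so a regex yields each node's raw HTML instead.
SCRIPT_NODE_RE = re.compile(
    r'<script id="software-application" type="application/ld\+json">.*?</script>',
    re.IGNORECASE | re.DOTALL,
)


def extract_app_overview(node_raw: str) -> Optional[dict]:
    """regex.iextract(.raw, ...)[0].named_groups["app_overview"] fed to strings.parse_json.
    Returns None when the rule's regex does not match (e.g. no whitespace before </script>)."""
    m = APP_OVERVIEW_RE.search(node_raw)
    if m is None:
        return None
    try:
        parsed = json.loads(m.group("app_overview"))
    except json.JSONDecodeError:
        return None
    return parsed if isinstance(parsed, dict) else None


def node_matches(node_raw: str) -> bool:
    """All three rule conditions evaluated on one script node."""
    overview = extract_app_overview(node_raw)
    if overview is None:
        return False
    name = str(overview.get("name", ""))
    offers = overview.get("offers")
    offers = offers if isinstance(offers, dict) else {}
    brand_hit = any(term in name.lower() for term in BRAND_TERMS)  # strings.icontains over the brand list
    tool_hit = AD_TOOL_RE.search(name) is not None                  # regex.icontains on the name
    is_free = offers.get("category") == "free"                      # ["offers"]["category"] == "free"
    return brand_hit and tool_hit and is_free


def rule_matches(page_html: str) -> bool:
    """any(...nodes, ...): true if any software-application node in the page satisfies the rule."""
    return any(node_matches(m.group(0)) for m in SCRIPT_NODE_RE.finditer(page_html))


def app_store_page(name: str, category: str, padded: bool = True) -> str:
    """Constructed stand-in for an apps.apple.com listing (not a real capture).
    `padded` controls whether whitespace surrounds the JSON inside the <script> tag."""
    ld = json.dumps({
        "@context": "http://schema.org",
        "@type": "SoftwareApplication",
        "name": name,
        "author": {"@type": "Person", "name": "Example Developer"},
        "offers": {"@type": "Offer", "price": 0, "priceCurrency": "USD", "category": category},
    })
    body = f"\n{ld}\n" if padded else ld
    return (
        "<html><head>"
        f'<script id="software-application" type="application/ld+json">{body}</script>'
        "</head><body></body></html>"
    )


if __name__ == "__main__":
    samples = [
        ("OpenAl Ads Suite (lookalike)", app_store_page("OpenAl Ads Suite", "free")),
        ("ChatGPT (brand only, no ad keyword)", app_store_page("ChatGPT", "free")),
        ("Meta Ads Manager (legit-looking name)", app_store_page("Meta Ads Manager", "free")),
        ("Gemini Campaign Manager, paid", app_store_page("Gemini Campaign Manager", "paid")),
        ("OpenAI Ads Suite, no whitespace", app_store_page("OpenAI Ads Suite", "free", padded=False)),
    ]
    for label, page in samples:
        print(f"{label:42s} -> {rule_matches(page)}")
```

Two things the samples make visible that the rule text alone does not. First, the rule inspects only the listing's name and offers.category, so any free app whose name pairs a brand term with an ad keyword (the constructed "Meta Ads Manager" here) satisfies all three conditions; nothing in the rule consults the author or developer field, so expect to triage legitimately named advertising tools. Second, the extraction regex ends in `\s+</script>`, which requires at least one whitespace character between the JSON and the closing tag; a node with no such padding yields no match and the rule is silently false for that link.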
Indicators matched (3)
| Field | Match | Value |
|---|---|---|
| body.current_thread.links[].href_url.domain.domain | member | apps.apple.com |
| regex.iextract | regex | <script id="software-application" type="application/ld\+json">\s*(?P<app_overview>.*)\s+</script> |
| regex.icontains | regex | \b(?:suite|ads?|gpt|advert|manager?|campaigns?) |