Service abuse: Apple TestFlight with suspicious developer reference

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects legitimate Apple TestFlight emails that reference potentially suspicious developers or apps, including variations of OpenAI, ChatGPT, or Meta in the app description or developer name fields.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category | Values
Attack types | Spam
Tactics and techniques | Social engineering

Event coverage

Rule body MQL

type.inbound
// appears to be from Apple (the rule does not verify the message is genuinely from Apple; appearing to be is enough)
and sender.email.domain.domain == "email.apple.com"
// has a link
and any(body.current_thread.links,
        .href_url.domain.domain in ('testflight.apple.com')
)
and (
  // get the app description
  any(html.xpath(body.html,
                 '//h2[contains(text(), "App Description")]/ancestor::tr/following-sibling::tr//pre'
      ).nodes,
      any(ml.nlu_classifier(.display_text).entities,
          .name == "org"
          and any(["openai", "openal", "open ai", "open al", "chatgpt", "meta"],
                  strings.icontains(..text, .)
          )
      )
  )

  // parse out the template to get the app and org name
  or any(html.xpath(body.html, '//h2[@aria-label]').nodes,
         any(regex.iextract(.display_text,
                            '(?P<app_name>[^\r\n]+)[\r\n]+By (?P<dev_name>.*) for IOS.$'
             ),
             any(["openai", "openal", "open ai", "open al", "chatgpt", "meta"],
                 strings.icontains(..named_groups["dev_name"], .)
                 or strings.icontains(..named_groups["app_name"], .)
             )
         )
  )
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. sender.email.domain.domain is 'email.apple.com'
  3. any of body.current_thread.links where:
    • .href_url.domain.domain in ('testflight.apple.com')
  4. any of:
    • any of html.xpath(body.html, '//h2[contains(text(), "App Description")]/ancestor::tr/following-sibling::tr//pre').nodes where:
      • any of ml.nlu_classifier(.display_text).entities where all hold:
        • .name is 'org'
        • any of ['openai', 'openal', 'open ai', 'open al', 'chatgpt', 'meta'] where:
          • strings.icontains(..text, .) (the entity text contains the keyword)
    • any of html.xpath(body.html, '//h2[@aria-label]').nodes where:
      • any of regex.iextract(.display_text, '(?P<app_name>[^\r\n]+)[\r\n]+By (?P<dev_name>.*) for IOS.$') where:
        • any of ['openai', 'openal', 'open ai', 'open al', 'chatgpt', 'meta'] where any holds:
          • strings.icontains(..named_groups['dev_name'], .)
          • strings.icontains(..named_groups['app_name'], .)

Inspects: body.current_thread.links, body.current_thread.links[].href_url.domain.domain, body.html, sender.email.domain.domain, type.inbound. Sensors: html.xpath, ml.nlu_classifier, regex.iextract, strings.icontains.
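The second branch of the rule (the aria-labelled h2 template parse) re-implemented in plain Python as an added example, not code from the Sublime rule or its repository. It uses the rule's own regex and keyword list over constructed TestFlight-style HTML; the xml.etree XPath subset stands in for html.xpath, so the sample markup is kept well-formed, and the first branch is omitted because it depends on Sublime's ml.nlu_classifier model.

```python
import re
import xml.etree.ElementTree as ET

# Keyword list taken from the rule; "openal" / "open al" cover the l-for-i swap.
KEYWORDS = ["openai", "openal", "open ai", "open al", "chatgpt", "meta"]

# Same pattern as the rule's regex.iextract call, compiled case-insensitively to
# mirror the "i" in iextract. MULTILINE is not set, so "$" anchors to the end of
# the node text, which is what the rule's pattern expects.
TEMPLATE_RE = re.compile(
    r"(?P<app_name>[^\r\n]+)[\r\n]+By (?P<dev_name>.*) for IOS.$",
    re.IGNORECASE,
)


def node_display_text(node):
    """Approximate Sublime's display_text: text of the node and its children."""
    return "".join(node.itertext()).strip()


def template_hits(html):
    """One dict per aria-labelled <h2> whose app or developer name contains a
    keyword, mirroring the rule's named_groups['dev_name'/'app_name'] checks."""
    root = ET.fromstring(html)  # stands in for html.xpath(body.html, ...)
    hits = []
    for h2 in root.iterfind(".//h2[@aria-label]"):
        m = TEMPLATE_RE.search(node_display_text(h2))
        if not m:
            continue
        app_name, dev_name = m.group("app_name"), m.group("dev_name")
        matched = [k for k in KEYWORDS
                   if k in dev_name.lower() or k in app_name.lower()]
        if matched:
            hits.append({"app_name": app_name, "dev_name": dev_name,
                         "keywords": matched})
    return hits


# Constructed sample: the developer name imitates OpenAI with a lowercase L.
SAMPLE_SUSPICIOUS = """<html><body><table><tr><td>
<h2 aria-label="app">ChatGPT Helper
By OpenAl Labs for iOS.</h2></td></tr></table></body></html>"""

# Constructed sample: an ordinary invite that this branch should not flag.
SAMPLE_BENIGN = """<html><body>
<h2 aria-label="app">Weather Widget
By Example Studio for iOS.</h2></body></html>"""

if __name__ == "__main__":
    print(template_hits(SAMPLE_SUSPICIOUS))  # one hit: openal, chatgpt
    print(template_hits(SAMPLE_BENIGN))      # []
```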

Indicators matched (4)

Field | Match | Value
sender.email.domain.domain | equals | email.apple.com
body.current_thread.links[].href_url.domain.domain | member | testflight.apple.com
ml.nlu_classifier(html.xpath(body.html, '//h2[contains(text(), "App Description")]/ancestor::tr/following-sibling::tr//pre').nodes[].display_text).entities[].name | equals | org
regex.iextract | regex | (?P<app_name>[^\r\n]+)[\r\n]+By (?P<dev_name>.*) for IOS.$