Brand Impersonation: OpenAI with ChatGPT Ads lure

Sublime Rules

Summary
This high-severity rule detects inbound messages that impersonate OpenAI or ChatGPT, focusing on a ChatGPT Ads lure used for credential harvesting. Detection hinges on multiple signals: a sender display name or subject containing variations of 'ChatGPT' or 'OpenAI', body content referencing an OpenAI mailing address or team sign-off (e.g., the OpenAI address, 'the OpenAI team'), and the presence of 'Sam Altman' in the display name. The rule requires at least two of several ad-related cues in the thread text, such as 'ChatGPT Ads' (regex: ChatGPT.{0,15}Ads), 'ad account', 'connect account', 'ad campaign', or 'invitation'. It also evaluates the sender's domain for patterns like open.ai or chatgpt, or checks via Whois that the domain is less than 365 days old. To reduce false positives, messages from highly trusted sender domains are excluded unless DMARC authentication fails. Tactics: Impersonation (Brand) and Social Engineering; attack type: Credential Phishing. Detection methods combine Sender Analysis, Whois, and Content Analysis. The rule_id is 96f5864c-3fd8-5797-aa5b-2f9bc91eced6; the rule targets inbound messaging content for credential-harvesting signals.
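As an added illustration (not the rule's own source, which this page does not reproduce), the detection logic described above expressed in Python and run over constructed sample messages; the exact phrase lists, the OR-combination of the brand signals, the trusted-domain set and the stubbed Whois age are assumptions:

```python
import re
from dataclasses import dataclass

# Signals paraphrased from the rule summary; the exact lists are assumptions.
BRAND_RE = re.compile(r"chat\W?gpt|open\W?ai", re.I)
AD_CUE_RES = [re.compile(p, re.I) for p in (
    r"chatgpt.{0,15}ads", r"\bad account\b", r"\bconnect account\b",
    r"\bad campaign\b", r"\binvitation\b")]
SENDER_DOMAIN_RE = re.compile(r"open\.ai|chatgpt", re.I)
TRUSTED_DOMAINS = {"openai.com"}  # placeholder for the "highly trusted" list

@dataclass
class Message:
    display_name: str
    sender_domain: str
    subject: str
    body: str
    domain_age_days: int  # stands in for a live Whois lookup
    dmarc_pass: bool

def is_openai_ads_lure(m: Message) -> bool:
    """Return True when the message matches the lure described by the rule."""
    # False-positive guard: a trusted domain that also passes DMARC is never flagged
    if m.sender_domain.lower() in TRUSTED_DOMAINS and m.dmarc_pass:
        return False
    brand_hit = (BRAND_RE.search(m.display_name) or BRAND_RE.search(m.subject)
                 or "the openai team" in m.body.lower()
                 or "sam altman" in m.display_name.lower())
    if not brand_hit:
        return False
    # At least two ad-related cues anywhere in subject or body
    text = f"{m.subject}\n{m.body}"
    if sum(1 for r in AD_CUE_RES if r.search(text)) < 2:
        return False
    # Sender domain mimics the brand, or is younger than a year
    return bool(SENDER_DOMAIN_RE.search(m.sender_domain)) or m.domain_age_days < 365

# Constructed sample messages (not real traffic)
LURE = Message("ChatGPT Ads Team", "chatgpt-ads-invite.example",
               "Invitation: your ad account is ready",
               "Connect account to launch your first ad campaign.\n- the OpenAI team",
               12, True)
TRUSTED = Message("OpenAI", "openai.com", "ChatGPT Ads: connect account invitation",
                  "Your ad account is live.", 5000, True)
NEWSLETTER = Message("ChatGPT Weekly", "chatgpt-news.example",
                     "What's new in ChatGPT", "Release notes for this week.", 30, True)

if __name__ == "__main__":
    for m in (LURE, TRUSTED, NEWSLETTER):
        print(m.display_name, "->", is_openai_ads_lure(m))
```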
Categories
  • Web
  • Application
Data Sources
  • Application Log
  • Network Traffic
Created: 2026-06-25