
Summary
This rule detects inbound messages that impersonate OpenAI or ChatGPT and carry payment-related content while originating from non-OpenAI domains. It targets brand impersonation in the sender display name, the subject, or the body, and requires two or more payment-related phrases to trigger. Case-insensitive regex checks match variations of OpenAI/ChatGPT (e.g., "chat gpt", "open ai") in the sender or subject, and a predefined set of payment-oriented phrases is matched in the body (such as "update your payment method", "subscription has expired", "payment issue", "balance", etc.). To reduce false positives, the rule excludes messages from openai.com domains and from highly trusted senders unless DMARC authentication passes. It flags potential credential phishing and falls under impersonation and social engineering. Detection methods include content analysis (body text), header analysis (sender and subject), and sender analysis (domain trust). The rule is high severity and aims to protect users from being manipulated into revealing credentials or performing payment actions under a fraudulent OpenAI banner.
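The following is an added illustration of the rule's logic in Python, not the rule's own query language or code. It assumes the four payment phrases quoted above are a representative subset of the real list, checks the brand regex against the display name and subject only, and reads the openai.com exclusion as applying only when DMARC passes (so a spoofed openai.com sender that fails DMARC is still flagged); the sample messages are constructed.

```python
import re
from dataclasses import dataclass

# Brand-impersonation pattern: tolerates spacing variants such as "chat gpt" / "open ai".
BRAND_RE = re.compile(r"\b(?:open\s*ai|chat\s*gpt)\b", re.IGNORECASE)

# Payment-oriented phrases. Assumption: the page lists only these four as examples.
PAYMENT_PHRASES = ("update your payment method", "subscription has expired", "payment issue", "balance")

# Sender root domains that are excluded, but only when DMARC authentication passes.
EXCLUDED_ROOT_DOMAINS = {"openai.com"}

@dataclass
class Message:
    sender_name: str
    sender_email: str
    subject: str
    body: str
    dmarc_pass: bool

def root_domain(email: str) -> str:
    """Naive root-domain extraction (last two labels); real code would use the public suffix list."""
    domain = email.rsplit("@", 1)[-1].lower()
    return ".".join(domain.split(".")[-2:])

def payment_phrase_hits(body: str) -> list[str]:
    """Return the distinct payment phrases present in the body (case-insensitive)."""
    text = body.lower()
    return [p for p in PAYMENT_PHRASES if p in text]

def evaluate(msg: Message) -> dict:
    """Apply the rule and return each intermediate signal next to the verdict, for triage visibility."""
    brand_match = bool(BRAND_RE.search(msg.sender_name) or BRAND_RE.search(msg.subject))
    hits = payment_phrase_hits(msg.body)
    # A genuine openai.com sender that also passes DMARC is excluded; a spoofed openai.com
    # sender that fails DMARC keeps being evaluated like any other domain.
    excluded = root_domain(msg.sender_email) in EXCLUDED_ROOT_DOMAINS and msg.dmarc_pass
    flagged = brand_match and len(hits) >= 2 and not excluded
    return {"brand_match": brand_match, "payment_hits": hits, "excluded": excluded, "flagged": flagged}

# Constructed sample messages (not real mail).
PHISH = Message("ChatGPT Billing", "billing@openai-support-mail.example", "Payment issue with your account",
                "Your subscription has expired. Update your payment method within 24 hours.", False)
GENUINE = Message("OpenAI", "noreply@openai.com", "Your receipt from OpenAI",
                  "Your subscription has expired. Update your payment method to continue.", True)
SPOOFED = Message("OpenAI", "noreply@openai.com", "Payment issue",
                  "Your balance is overdue, payment issue detected.", False)

if __name__ == "__main__":
    for name, m in (("phish", PHISH), ("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, evaluate(m))
```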
Categories
- Web
Data Sources
- Process
- Application Log
Created: 2026-04-23