Poisoned Tenant Attack Abuses OpenAI Organization Invites
Attackers have begun creating fake ChatGPT workspaces named after real companies and then inviting those companies' employees through OpenAI's own invitation emails. The scheme is dangerous precisely because it does not look like ordinary phishing: the message arrives from a legitimate OpenAI address, passes SPF, DKIM and DMARC checks, and is in every visible respect a standard invitation to a corporate organization.
Push Security spotted the campaign after several of its own staff received invitations to an OpenAI organization named “Push Security Inc.” At first glance, the email looked authentic. It came from noreply@tm.openai.com — that is, from OpenAI’s own infrastructure, not an attacker domain. The real problem lay elsewhere. An unknown person with a Gmail address, rather than the employer, had created the ChatGPT workspace.
Targeted, Not Random
According to Push Security, other customers received similar invitations, and every known target works in cybersecurity or technology. The attackers did not spray random addresses; they reached specific employees at their work inboxes. Researchers therefore believe the attackers researched company structures in advance and hand-picked their targets, as a social-engineering campaign would.
OpenAI does add a warning to such emails when the inviter’s domain differs from the recipient’s. However, that note occupies just a single line inside an otherwise normal message. Against a familiar template, a real sender address, and the company name in the invitation, the signal is easy to overlook.
One Click Inside the Trap
To understand the goal, one Push Security leader accepted the invitation. After signing in, he landed in the fake organization. One attacker account, tied to a Gmail address, was already present, and it impersonated Push Security's CEO, Adam Bateman. Every invited employee was granted the Owner role, which means administrative control of the workspace.
This access let the researcher view the list of pending invitations. He confirmed that no other employees had joined the fake organization. The settings also held a linked Visa card. That payment method added credibility. The workspace looked less like an empty trap and more like a configured corporate environment with paid features ready to use.
The Likely Endgame
Inside, there were no ready-made chats or projects. As a result, the campaign’s exact aim remains unconfirmed. Push Security believes the attackers counted on later employee behavior. Suppose someone accepts the invitation and starts using ChatGPT as a corporate tool. Their prompts could then contain source code, internal documents, customer data, security research, product plans, and other confidential material. Such leaks could fuel corporate espionage or intellectual property theft.
Why It Beats Ordinary Phishing
For attackers, this scheme pays off better than classic phishing. There is no need to spoof a domain, slip past mail filters, or lure a victim to a suspicious site. The platform itself sends the invitation. Consequently, the email looks normal to security tools. The company name, the Owner role, and the attached card lower a recipient’s guard even further.
A Wider SaaS Abuse Trend
Push Security links the campaign to a broader pattern. Increasingly, attackers exploit genuine SaaS features — invitations, notifications, shared workspaces, and access grants. In such attacks, the malicious element is not a link in the email. Rather, it is the context created inside a legitimate platform.
How to Defend Against It
Push Security advises employees to verify unexpected invitations to corporate services with the supposed inviter before accepting them, even when the email comes from a real vendor address. Organizations need their own monitoring on top of that: track who creates workspaces bearing the company name, which organizations employees join, and which external SaaS tenants gain access to corporate addresses.
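The following triage rule shows how such monitoring can separate a poisoned tenant from a spoofed email. It is an added example written for this page, not Push Security's or OpenAI's code. The body layout it parses (a "Workspace:" line and an "Invited by:" line), the Acme Widgets company, its domain and the three sample messages are constructed assumptions; only the sending address noreply@tm.openai.com comes from the article. The point is that sender and authentication checks pass for the poisoned tenant by design, so the decisive signals are the inviter's domain and the workspace name inside an otherwise genuine message.

```python
"""Triage OpenAI organization invitations for poisoned-tenant signals.

Added example, not Push Security's or OpenAI's code. The body layout
('Workspace:' / 'Invited by:' lines), the Acme Widgets company, its
domain and the three sample messages are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from email import message_from_string

# Hypothetical defender organization.
CORP_DOMAIN = "acmewidgets.example"
CORP_NAME = "Acme Widgets"

# Sending address the article identifies as OpenAI's genuine invite sender.
OPENAI_INVITE_SENDER = "noreply@tm.openai.com"

# Consumer webmail domains; a workspace owned from one of these is not corporate.
CONSUMER_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
                    "yahoo.com", "icloud.com", "proton.me", "protonmail.com"}

# Assumed body fields (constructed format, not OpenAI's real template).
WORKSPACE_RE = re.compile(r"^Workspace:\s*(.+)$", re.M)
INVITER_RE = re.compile(r"^Invited by:\s*<?([^\s<>]+@[^\s<>]+)>?", re.M)


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()


def normalize_name(name: str) -> str:
    """Lower-case, drop punctuation and corporate suffixes, so that
    'Acme Widgets Inc.' and 'acme-widgets' compare equal."""
    suffixes = {"inc", "llc", "ltd", "corp", "co", "gmbh", "plc"}
    words = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(w for w in words if w not in suffixes)


def auth_passed(msg) -> bool:
    """True only if SPF, DKIM and DMARC all report 'pass' in Authentication-Results."""
    results = " ".join(msg.get_all("Authentication-Results", []))
    return all(re.search(rf"\b{m}=pass\b", results) for m in ("spf", "dkim", "dmarc"))


def assess_invite(raw_email: str, recipient: str) -> Verdict:
    msg = message_from_string(raw_email)
    match = re.search(r"[\w.+-]+@[\w.-]+", msg.get("From", ""))
    sender = match.group(0).lower() if match else ""
    body = msg.get_payload()
    if isinstance(body, list):          # multipart: take the first part's text
        body = body[0].get_payload()
    reasons = []

    # Layer 1: checks a mail gateway already does. They catch a spoofed sender,
    # but a poisoned tenant passes both of them by design.
    if sender != OPENAI_INVITE_SENDER:
        reasons.append("sender is not OpenAI's invitation address")
    if not auth_passed(msg):
        reasons.append("SPF/DKIM/DMARC did not all pass")

    # Layer 2: the context inside the genuine invitation.
    ws, inv = WORKSPACE_RE.search(body), INVITER_RE.search(body)
    if not ws or not inv:
        reasons.append("could not extract workspace name or inviter from body")
        return Verdict(True, reasons)
    workspace, inviter = ws.group(1).strip(), inv.group(1).lower()
    inviter_dom = domain_of(inviter)

    if inviter_dom != domain_of(recipient):     # the one-line warning OpenAI shows
        reasons.append(f"inviter domain {inviter_dom} differs from recipient domain")
    if inviter_dom in CONSUMER_DOMAINS:
        reasons.append(f"workspace controlled from consumer mailbox {inviter}")
    if normalize_name(workspace) == normalize_name(CORP_NAME) and inviter_dom != CORP_DOMAIN:
        reasons.append(f"workspace '{workspace}' carries our company name but is not ours")
    return Verdict(bool(reasons), reasons)


# Constructed sample messages (not real captures).
LEGIT_INVITE = """\
From: OpenAI <noreply@tm.openai.com>
To: alice@acmewidgets.example
Subject: You've been invited to join Acme Widgets on ChatGPT
Authentication-Results: mx.acmewidgets.example; spf=pass smtp.mailfrom=tm.openai.com; dkim=pass header.d=tm.openai.com; dmarc=pass header.from=tm.openai.com

Workspace: Acme Widgets
Invited by: bob@acmewidgets.example
Role: Member
"""

# Poisoned tenant: same genuine sender and passing auth, but a Gmail-owned
# workspace wearing the company name and handing out the Owner role.
POISONED_INVITE = (LEGIT_INVITE
                   .replace("Acme Widgets\n", "Acme Widgets Inc.\n")
                   .replace("bob@acmewidgets.example", "acme.widgets.ceo@gmail.com")
                   .replace("Role: Member", "Role: Owner"))

# Classic spoof: attacker domain in From, DMARC fails.
SPOOFED_INVITE = (LEGIT_INVITE
                  .replace("noreply@tm.openai.com", "noreply@openai-invites.example")
                  .replace("dmarc=pass", "dmarc=fail"))

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_INVITE), ("poisoned", POISONED_INVITE),
                       ("spoofed", SPOOFED_INVITE)):
        v = assess_invite(raw, "alice@acmewidgets.example")
        print(f"{label}: suspicious={v.suspicious} reasons={v.reasons}")
```

Run as a script, the legitimate invite produces no reasons, the spoof is caught by the layer-1 checks alone, and the poisoned tenant is caught only by layer 2: the inviter's domain differs from the recipient's, it is a consumer mailbox, and the workspace name matches the company without being owned from the company domain. In production the same rules would run over the mail gateway's invitation stream and over the SaaS tenant inventory rather than over embedded samples.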
When choosing such services, look for protection against unauthorized account access, plus active-session management and two-factor authentication. With AI services the risk runs especially high, because users routinely hand a chatbot data they would never type into an ordinary web form.