Poisoned Tenant: Attackers Use Fake OpenAI Organizations to Target Cybersecurity Firms
Threat actors are creating fraudulent OpenAI tenants that impersonate legitimate companies and sending organization invites to employees of cybersecurity firms to steal sensitive data.

A new social engineering campaign dubbed "Poisoned Tenant" is targeting employees of cybersecurity firms with fraudulent OpenAI organization invitations, according to research from Push Security. The attackers create OpenAI tenants that impersonate legitimate companies and send invites directly from OpenAI's own notification infrastructure, making the emails appear authentic and bypassing typical email security controls.
The invitations are sent from OpenAI's legitimate address, noreply@tm.openai.com, and pass email authentication checks. Push Security discovered the campaign after multiple employees received invitations to join an OpenAI organization named "Push Security Inc." — a tenant created by an attacker using Gmail addresses rather than the company's own domain. While OpenAI includes a warning that the inviter's email domain does not match the recipient's company domain, the notice appears as a single line within the legitimate invitation email, making it easy to overlook.
Push Security's VP of Research & Development, Luke Jennings, accepted one of the invitations to investigate the attack's goal. After accepting, he was immediately added to the fraudulent organization, which impersonated Push Security and contained a single attacker-controlled account with a Gmail address that posed as the company's CEO, Adam Bateman. The invited employees had all been assigned Owner privileges within the organization, giving them administrative permissions over the tenant.
The researchers found that a Visa credit card had already been attached to the organization's billing account, adding further legitimacy. The organization itself was empty and contained no existing chats or projects, making the immediate goal unclear. However, Push Security believes the attackers' objective is to convince employees to use the ChatGPT workspace as if it were a legitimate corporate platform, which would then allow the attackers to collect any sensitive information submitted in prompts.
"An attacker who just wants to spray scam content through a trusted email channel doesn't name the organization after their target, research individual employees, or attach a credit card," wrote Push Security. "That investment only pays off if employees actually join the organization and start using it. And on an AI platform, the data people put into prompts can be extraordinarily sensitive — source code, internal documents, customer data, security research, strategic plans."
Push Security told BleepingComputer that other customers have also received similar invitations and that all are in the cybersecurity or technology space. The campaign reflects a broader trend of attackers abusing legitimate invitation and notification features built into SaaS platforms. Unlike normal phishing campaigns, these invitations originate from the platform's own infrastructure, and because the messages themselves are genuine platform notifications, they are more likely to bypass email security controls.
To reduce the risk of these types of attacks, Push Security recommends training employees to verify unexpected organization invitations and monitoring SaaS organization memberships. BleepingComputer contacted OpenAI for comment on whether it has received additional reports of similar campaigns and whether it plans to introduce additional safeguards, but has not yet received a response.
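The article makes two defender-relevant points: the invite passes SPF/DKIM because it genuinely comes from OpenAI, so authentication results cannot catch it, and the only tell is the mismatch between the inviter's domain and the recipient's company domain, which OpenAI shows as a single easily missed line. The following is an added example, not code from Push Security, OpenAI or BleepingComputer, of turning that mismatch into a hard mail-gateway or SOC triage rule. It assumes a constructed plain-text invite layout (the regular expressions and the sender-domain list are assumptions to adapt to real messages), a placeholder recipient domain pushsecurity.example, and a placeholder attacker address attacker.example@gmail.com; the organization name "Push Security Inc." and the sender noreply@tm.openai.com come from the article.

```python
"""Triage SaaS organization-invite notifications (OpenAI-style here) whose
inviter does not belong to the recipient's own company.

Added illustrative code, not from Push Security, OpenAI or BleepingComputer.
The message layout, regexes and placeholder addresses below are assumptions.
"""
import re
from dataclasses import dataclass, field
from email import message_from_string

# Sender domain the article reports for genuine OpenAI invites.
PLATFORM_SENDER_DOMAINS = {"tm.openai.com"}
# Webmail domains anyone can register; a corporate inviter should not use one.
FREEMAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
                    "yahoo.com", "proton.me", "protonmail.com"}
# Generic words ignored when matching an organization name against a domain.
NOISE_WORDS = {"inc", "llc", "ltd", "corp", "co", "the"}


@dataclass
class InviteVerdict:
    org_name: str
    inviter: str
    recipient_domain: str
    platform_authentic: bool          # SPF/DKIM pass from the platform itself
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _domain(addr: str) -> str:
    """Lower-cased domain part of 'Name <user@dom>' or 'user@dom'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def org_name_matches_domain(org_name: str, domain: str) -> bool:
    """True when a distinctive word of the org name appears in the domain
    with its last label (TLD) dropped, e.g. 'Push Security Inc.' vs
    'pushsecurity.example' -> 'push' in 'pushsecurity'. Heuristic, assumed."""
    compact = "".join(domain.split(".")[:-1]).replace("-", "")
    for word in re.findall(r"[a-z0-9]+", org_name.lower()):
        if len(word) >= 3 and word not in NOISE_WORDS and word in compact:
            return True
    return False


def triage_invite(raw_email: str) -> InviteVerdict:
    """Parse one invite notification and list why it deserves a second look."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    auth = (msg.get("Authentication-Results") or "").lower()
    # Genuine platform mail authenticates cleanly, so this alone proves nothing.
    platform_authentic = (_domain(msg.get("From", "")) in PLATFORM_SENDER_DOMAINS
                          and "spf=pass" in auth and "dkim=pass" in auth)

    org = re.search(r'join\s+"([^"]+)"', body, re.I)
    inv = re.search(r"invited by\s+<?([^\s<>]+@[^\s<>]+)>?", body, re.I)
    org_name = org.group(1) if org else ""
    inviter = inv.group(1) if inv else ""
    inviter_domain = _domain(inviter)
    recipient_domain = _domain(msg.get("To", ""))

    verdict = InviteVerdict(org_name, inviter, recipient_domain, platform_authentic)
    # The platform's own one-line "domain does not match" hint, as a hard rule.
    if inviter_domain != recipient_domain:
        verdict.reasons.append(
            f"inviter domain {inviter_domain!r} != recipient domain {recipient_domain!r}")
    if inviter_domain in FREEMAIL_DOMAINS:
        verdict.reasons.append(f"inviter uses free webmail ({inviter_domain})")
    # Organization named after the recipient's company but run from outside it.
    if org_name_matches_domain(org_name, recipient_domain) and inviter_domain != recipient_domain:
        verdict.reasons.append(
            f"organization {org_name!r} resembles recipient company but inviter is external")
    return verdict


def _mail(from_addr: str, to_addr: str, auth: str, body: str) -> str:
    """Assemble a minimal RFC 5322 message (constructed test fixture)."""
    return (f"From: {from_addr}\r\nTo: {to_addr}\r\n"
            f"Authentication-Results: {auth}\r\n"
            f"Subject: You have been invited to an organization\r\n"
            f"Content-Type: text/plain\r\n\r\n{body}")


# Constructed samples modelled on the article's description; not real mail.
_AUTH_OK = "mx.example; spf=pass; dkim=pass header.d=tm.openai.com"
IMPERSONATION_INVITE = _mail(
    "OpenAI <noreply@tm.openai.com>", "<employee@pushsecurity.example>", _AUTH_OK,
    'You have been invited to join "Push Security Inc." on OpenAI.\r\n'
    "Invited by attacker.example@gmail.com\r\n"
    "Note: the inviter's email domain does not match your domain.\r\n")
INTERNAL_INVITE = _mail(
    "OpenAI <noreply@tm.openai.com>", "<employee@pushsecurity.example>", _AUTH_OK,
    'You have been invited to join "Push Security" on OpenAI.\r\n'
    "Invited by it-admin@pushsecurity.example\r\n")
PARTNER_INVITE = _mail(
    "OpenAI <noreply@tm.openai.com>", "<employee@pushsecurity.example>", _AUTH_OK,
    'You have been invited to join "Partner Co" on OpenAI.\r\n'
    "Invited by bob@partner.example\r\n")

if __name__ == "__main__":
    for sample in (IMPERSONATION_INVITE, INTERNAL_INVITE, PARTNER_INVITE):
        v = triage_invite(sample)
        print(f"{v.org_name!r}: {'SUSPICIOUS' if v.suspicious else 'ok'} {v.reasons}")
```

The impersonation sample collects all three reasons (external inviter, free webmail, organization named after the recipient's company) even though the message is authentically from the platform; the internal invite collects none; a genuine third-party invite trips only the domain-mismatch rule, which is the one to route to a human or to cross-check against the SaaS membership inventory Push Security recommends keeping.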