"An attacker who just wants to spray scam content through a trusted email channel doesn't name the organization after their target, research individual employees, or attach a credit card," wrote Push Security.
How the "Poisoned Tenant" campaign worked
Push Security uncovered a campaign in which threat actors created attacker-controlled OpenAI tenants that impersonated legitimate companies and sent official-looking invitations to employees. The invitation emails were sent from OpenAI's legitimate notification address, noreply@tm.openai.com, passed email authentication checks, and were identical to normal invitations to join an organization's ChatGPT workspace.
According to Push Security and reporting by BleepingComputer, the fake tenants used Gmail addresses to register, yet deliberately named the organization after real companies — in one discovered instance, "Push Security Inc." — and targeted employees using their work email addresses. That targeting, Push Security said, suggests attackers researched individual employees before launching the campaign.
Inside the fraudulent tenant: what Push Security found
To probe the campaign's intent, Luke Jennings, vice president of Research & Development at Push Security, accepted one of the invitations. After accepting, Jennings was immediately added to the impersonating organization and observed a single attacker-controlled account with a Gmail address posting as Push Security's CEO, Adam Bateman. Invited employees had been assigned Owner privileges, granting administrative permissions over the tenant.
Because invitees received Owner privileges, Jennings could view the tenant's pending invitations and confirmed that none of the targeted employees had yet joined the fake ChatGPT organization. The tenant contained no existing chats or projects; it was, in Push Security's words, empty. A Visa credit card had already been attached to the organization's billing account, furthering the appearance of legitimacy.
Why Push Security believes attackers made this investment
Push Security argued the attackers' behavior — naming the tenant after the target, researching employees, assigning Owner privileges, and attaching a payment card — indicates an objective beyond simple spam. The firm wrote that this setup "only pays off if employees actually join the organization and start using it."
Push Security warned of the specific risk on an AI platform: "the data people put into prompts can be extraordinarily sensitive — source code, internal documents, customer data, security research, strategic plans." By convincing victims to treat the attacker-run tenant as a legitimate corporate workspace, attackers could harvest sensitive inputs submitted in chats or projects.
The company also noted that an attached payment method could be used to enable premium features for invited users, removing another potential warning sign and encouraging normal use of the workspace.
How the invitations bypass typical defenses
Unlike conventional phishing that originates from attacker-controlled email infrastructure, these invitations came from OpenAI's notification system and therefore were more likely to bypass email security controls. OpenAI includes a warning when the inviter's email domain does not match the recipient's company domain, but Push Security emphasized that the notice appears as a single line within the otherwise legitimate invitation email — a detail that could be easily missed by busy recipients.
What this means for security teams, affected enterprises, and platform operators
- Security teams: Push Security recommended training employees to verify unexpected organization invitations and monitoring SaaS organization memberships. The campaign shows that platform-originated notifications can be weaponized, so teams will need to add SaaS-invite awareness to phishing and insider-risk training.
- Affected enterprises and procurement leaders: Organizations in the cybersecurity and technology space were among those targeted, Push Security told BleepingComputer. Procurement and IT leaders should pay attention to how third-party collaboration platforms represent organizational identity and billing, and consider processes for verifying external invite legitimacy before assigning high privileges.
- Platform operators (OpenAI and similar services): The campaign highlights an avenue for abuse of legitimate invitation features. BleepingComputer contacted OpenAI to ask whether it has received additional reports of similar campaigns, what protections organizations can use against these attacks, and whether it plans to introduce additional safeguards to prevent attackers from creating organizations that impersonate legitimate companies; the outlet said it will update the article if OpenAI responds.
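The indicators the report describes (a notification sent from OpenAI's own address, an inviter on a free-mail domain, and a workspace named after the recipient's employer) can be turned into a triage rule for unexpected SaaS invitations, which is what the "monitor SaaS organization memberships" advice above amounts to in practice. This is an added example, not Push Security's or OpenAI's code; the fields of `Invite` are assumed to have been extracted from the invitation email or the platform's membership data, and the free-mail and suffix lists are illustrative.

```python
"""Triage rules for unexpected SaaS workspace invitations, modelled on the
indicators in the Poisoned Tenant write-up. Added example; inputs are assumed
to come from the invitation email or the platform's membership data."""
import re
from dataclasses import dataclass

# Free-mail providers an impostor might register a tenant with (assumed list).
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}
# Legitimate platform notification sender named in the report.
PLATFORM_SENDERS = {"noreply@tm.openai.com"}
# Legal-form suffixes stripped when comparing organisation names.
SUFFIXES = re.compile(r"\b(inc|ltd|llc|gmbh|corp|co|plc)\b\.?", re.I)


@dataclass
class Invite:
    sender: str     # From address of the notification email
    inviter: str    # account that created the invitation
    recipient: str  # employee's work address
    org_name: str   # workspace / organisation name shown in the invite


def normalize_org(name: str) -> str:
    """'Push Security Inc.' -> 'push security' so lookalike names compare equal."""
    name = SUFFIXES.sub("", name.casefold())
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name).split())


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].casefold()


def triage(inv: Invite, our_domains: set[str], our_names: set[str]) -> tuple[str, list[str]]:
    """Return (severity, reasons); severity is 'low', 'medium' or 'high'."""
    reasons = []
    if inv.sender.casefold() in PLATFORM_SENDERS:
        # Mail really came from the platform, so passing SPF/DKIM is not a clean signal.
        reasons.append("sent via platform notifier; header authentication proves nothing")
    inviter_dom = domain(inv.inviter)
    external = inviter_dom not in {d.casefold() for d in our_domains}
    if external:
        reasons.append(f"inviter domain {inviter_dom} is not ours")
    if inviter_dom in FREEMAIL:
        reasons.append("inviter uses a free-mail account")
    impersonates = normalize_org(inv.org_name) in {normalize_org(n) for n in our_names}
    if impersonates and external:
        reasons.append("workspace is named after our company but the inviter is external")
        return "high", reasons
    return ("medium" if external else "low"), reasons
```

A "high" result is the pattern in the report: verify the invitation out of band before anyone accepts, since accepting with Owner privileges is exactly what the tenant was set up to reward.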
Push Security labeled the activity the "Poisoned Tenant" campaign. The core fact is straightforward: an attacker used a legitimate platform feature to create a convincing facsimile of a company's workspace, populated it with a sole attacker account that impersonated leadership, and invited employees with administrative privileges — all while attaching a real payment card and leaving the workspace empty of benign content. Whether targeted employees would have used the tenant in ways that exposed sensitive prompts remains unproven in the record, but Push Security warned that the campaign's design appears intended to elicit exactly that behavior.
Source: BleepingComputer — Cybersecurity firms targeted by fraudulent OpenAI organization invites