Cyberattackers pose as OpenAI in scheme targeting security firms

Summary
– Threat actors create OpenAI tenants impersonating legitimate companies and invite employees, aiming to trick them into submitting sensitive information in chats.
– Push Security discovered the “Poisoned Tenant” campaign after employees received legitimate-looking OpenAI invitation emails from the attacker-created tenant.
– The invitations target specific employees via work emails, suggesting pre-campaign research, and bypass email security since they come from OpenAI’s own infrastructure.
– Upon accepting, employees gain Owner privileges in the tenant, which contains an attacker-controlled account posing as the CEO and a Visa credit card for legitimacy.
– Push Security believes attackers intend for employees to use the workspace, enabling collection of sensitive data like source code, internal documents, and strategic plans.
Threat actors are quietly creating OpenAI tenants designed to impersonate real companies, then inviting specific employees to join them. The goal appears to be a sophisticated trap: tricking targets into submitting sensitive corporate data inside chats and projects, all while believing they are using a legitimate workspace.
Security firm Push Security uncovered this campaign, which they have named the “Poisoned Tenant” operation. The discovery came after multiple employees received invitations to join an OpenAI organization falsely labeled “Push Security Inc.” Although the invitation itself was genuine and sent directly from OpenAI’s infrastructure, the ChatGPT tenant had been set up by an attacker using Gmail addresses, not by the company itself.
The emails arrived from OpenAI’s official notification address, noreply@tm.openai.com. They passed standard email authentication checks and were visually identical to any normal invitation to join a corporate ChatGPT workspace. Push Security confirmed to BleepingComputer that other cybersecurity and technology firms have also received similar invites, indicating a targeted campaign.
According to Push Security’s report, the invitations were sent to specific employees using their work email addresses. This suggests the attackers researched their targets before launching the attack. While OpenAI includes a warning that the inviter’s email domain does not match the recipient’s company domain, that notice appears as a single line buried within the otherwise legitimate-looking invitation email.
To understand the attack’s objective, Luke Jennings, VP of Research and Development at Push Security, accepted one of the invitations. Upon joining, he was immediately added to the fraudulent organization, which impersonated Push Security. The tenant contained a single attacker-controlled account using a Gmail address that posed as the company’s CEO, Adam Bateman. All invited employees had been assigned Owner privileges, granting them full administrative control over the fake tenant.
With that access, Jennings could view other pending invitations and confirm that none of the targeted employees had actually joined the bogus ChatGPT organization. He also discovered that a Visa credit card had already been attached to the billing account, adding a layer of legitimacy to the setup.
Push Security noted that the project was completely empty, containing no existing chats or documents. This left the attack’s ultimate goal unclear at first. However, the firm believes the attackers intend to convince employees to use the ChatGPT workspace as if it were a legitimate corporate platform. Once employees start submitting prompts, the attackers could harvest any sensitive information shared, including source code, internal documents, customer data, security research, and strategic plans.
“An attacker who just wants to spray scam content through a trusted email channel doesn’t name the organization after their target, research individual employees, or attach a credit card,” Push wrote in their report. “That investment only pays off if employees actually join the organization and start using it. And on an AI platform, the data people put into prompts can be extraordinarily sensitive.”
The company also pointed out that attaching a payment method removes another potential red flag. Invited users can access premium features without questioning whether the organization is legitimate.
Push Security says this campaign reflects a broader trend: attackers abusing legitimate invitation and notification features built into SaaS platforms. Unlike traditional phishing campaigns, these invitations originate from the platform’s own infrastructure and are therefore more likely to bypass email security controls.
To reduce risk, Push recommends training employees to verify any unexpected organization invitations and monitoring SaaS organization memberships closely. BleepingComputer has reached out to OpenAI for comment on whether they have received additional reports of similar campaigns and what protections or safeguards they plan to introduce. We will update this article if we receive a response.
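The invitations described above pass email authentication, so the usable signal is the one the article mentions: the inviter's domain does not match the recipient's company. The following triage check is an added example, not code from Push Security, OpenAI or BleepingComputer; the `Invite` record layout, the `corp.example` domain, the freemail list and the sample invitations are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Assumptions for illustration: your real corporate domains and name tokens go here.
CORPORATE_DOMAINS = {"corp.example"}
COMPANY_NAME_TOKENS = {"example", "corp"}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}

@dataclass
class Invite:
    sender: str      # notification address the platform sent from
    auth_pass: bool  # SPF/DKIM/DMARC result recorded by the mail gateway
    inviter: str     # account that issued the workspace invitation
    recipient: str   # employee work address
    org_name: str    # workspace name shown in the invitation

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()

def triage(inv: Invite) -> list:
    """Return findings for a SaaS workspace invitation (empty list = none)."""
    findings = []
    inviter_dom = domain(inv.inviter)
    external = inviter_dom not in CORPORATE_DOMAINS
    if not inv.auth_pass:
        findings.append("auth-failed")
    if external:
        findings.append("inviter-domain-not-corporate")
    if inviter_dom in FREEMAIL_DOMAINS:
        findings.append("inviter-uses-freemail")
    # A workspace named after the company but run from an outside account
    # is the impersonation pattern the article describes.
    tokens = set(re.findall(r"[a-z0-9]+", inv.org_name.lower()))
    if external and COMPANY_NAME_TOKENS <= tokens:
        findings.append("org-name-matches-company-but-inviter-external")
    return findings

def verdict(inv: Invite) -> str:
    # A passing auth result never clears an invitation on its own: it only
    # shows the platform sent the mail, not who created the workspace.
    return "hold-for-verification" if triage(inv) else "allow"

# Constructed sample invitations (not real data).
SUSPICIOUS = Invite("noreply@tm.openai.com", True, "ceo.name@gmail.com",
                    "alice@corp.example", "Example Corp Inc.")
SANCTIONED = Invite("noreply@tm.openai.com", True, "it-admin@corp.example",
                    "alice@corp.example", "Example Corp")

if __name__ == "__main__":
    for inv in (SUSPICIOUS, SANCTIONED):
        print(inv.inviter, verdict(inv), triage(inv))
```
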
(Source: BleepingComputer)




