In an increasingly interconnected digital landscape, the lines between legitimate communication and sophisticated cyber threats are blurring. A new, highly deceptive social engineering campaign is exploiting this ambiguity, specifically targeting the cybersecurity and technology sectors. This evolving threat underscores the critical need for vigilance in an era where trust in digital platforms can be weaponized. Threat actors are creating OpenAI tenants that impersonate legitimate companies, specifically targeting the cybersecurity and technology sectors with fraudulent OpenAI invites. This campaign, dubbed the 'Poisoned Tenant' campaign by Push Security, involves threat actors registering OpenAI accounts and naming their organizations after target companies to impersonate them.
Beware the Fraudulent OpenAI Invites: A Sophisticated Social Engineering Attack
Then, they send organization invitations. These invites originate from OpenAI's legitimate notification address, noreply@tm.openai.com. Because they come from OpenAI's own infrastructure, they pass email authentication checks and appear identical to any normal invite. This inherent legitimacy is what makes these fraudulent OpenAI invites so dangerous; they often bypass traditional email security controls that are designed to flag suspicious senders or domains.
Attackers aim to trick employees into joining these fake organizations, then induce them to submit sensitive company information—such as proprietary source code, internal documents, or strategic plans—into the controlled ChatGPT workspace. The goal is clear: data exfiltration through social engineering, leveraging the trust users place in a widely adopted platform.
How a Legitimate Feature Becomes a Weapon
This attack chain exploits human trust and behavior, not a technical vulnerability, aligning with MITRE ATT&CK T1566.002, 'Phishing: Spearphishing via Service.' The sophistication lies in the attackers' meticulous planning and understanding of user psychology, turning a benign feature into a potent weapon for corporate espionage.
First, attackers conduct reconnaissance. They create a ChatGPT tenant using a generic email address, such as a Gmail account, rather than the target company's domain. They then research specific employees within the target company and send invitations directly to their work email addresses. This level of targeting indicates preparation and a clear intent to deceive, making these fraudulent OpenAI invites highly effective.
When an employee receives the email, it appears legitimate, originating from OpenAI. The only subtle clue is a single-line warning in the invitation email stating that the inviter's email domain does not match the recipient's company domain. Few users scrutinize every line of an invite email, especially when the sender appears trustworthy, making this subtle warning easy to miss. This oversight is precisely what attackers bank on.
If accepted, the employee is immediately added to the fraudulent organization. Push Security's observations of this campaign reveal that the fake organization typically includes a single attacker-controlled account, often impersonating the company's CEO, using a Gmail address. The employee is assigned 'Owner' privileges, and a Visa credit card is attached to the billing account. Push Security believes this payment method isn't for immediate financial gain; rather, it removes a potential warning sign and enables premium features, enhancing the workspace's legitimacy and encouraging deeper engagement.
The project itself starts empty. There are no existing chats or projects. Attackers do not pre-populate it with malicious content. Their intent is for the employee to begin using it, thereby introducing company data into their controlled environment. This patient approach underscores the long-game strategy behind these fraudulent OpenAI invites, aiming for sustained access to sensitive information.
This setup exemplifies effective social engineering. It does not exploit a bug but rather the trust users place in a platform and its communication channels. We observed a similar principle with the OpenAI/Mixpanel incident in November 28, where an attacker exported a limited dataset of OpenAI API customer metadata. While OpenAI confirmed no chat content or API keys were exposed, they warned that this metadata could be used to craft highly targeted phishing emails. This 'Poisoned Tenant' campaign demonstrates the potential for sophisticated, targeted attacks leveraging such metadata, making the threat of fraudulent OpenAI invites even more pronounced.
The Real Cost of Trust
The practical impact of these sophisticated attacks is severe data exfiltration. Any sensitive company information an employee inputs into these fraudulent OpenAI workspaces becomes immediately accessible to the attackers. For cybersecurity firms, this could mean the compromise of proprietary research, zero-day vulnerability details, sensitive client data, or strategic business plans, constituting a serious confidentiality breach (MITRE ATT&CK T1071.001, 'Application Layer Protocol: Web Protocols'). Beyond immediate data loss, the reputational damage, loss of customer trust, and potential regulatory fines associated with such breaches can be catastrophic for an organization, impacting its market standing and long-term viability.
This campaign highlights a key challenge: the more integrated and trusted a SaaS platform becomes in daily workflows, the more potent it becomes as an attack vector when abused. We encourage employees to use AI tools for productivity, but this also means asking them to introduce sensitive data into third-party environments. When those environments can be mimicked so convincingly, even security-aware individuals are at risk from these sophisticated fraudulent OpenAI invites.
This campaign highlights an evolving vector for social engineering. Traditional phishing indicators—poor grammar, suspicious links, mismatched sender domains—are largely absent. The email is legitimate, the domain is legitimate, and the invitation appears as expected. This makes detection incredibly difficult for both automated systems and human users.
What We Need to Change
Push Security recommends training employees to verify unexpected organization invitations. This means going beyond merely checking the sender and actively looking for that subtle domain mismatch warning, or, more reliably, verifying directly with an internal team. Organizations must also monitor their SaaS organization memberships more closely, implementing stricter access controls and regular audits to identify unauthorized or suspicious accounts.
However, our focus must extend beyond training. Platform providers need to rethink how 'legitimate' invitations are presented and verified. A single, easily missed line of text is insufficient given the potential impact of fraudulent OpenAI invites. Potential solutions include multi-factor authentication for organization acceptance, clearer and more prominent warnings, or even requiring domain verification *before* an organization can be named after a company it does not own. Implementing these measures would significantly raise the bar for attackers.
The trend of attackers abusing legitimate invitation and notification features in SaaS platforms persists. Organized criminal groups continuously adapt their tactics, making it imperative that our defensive strategies accelerate. This campaign underscores a critical shift: we can no longer simply trust the sender; we must verify the *context* of every invitation. Proactive measures from both users and platform providers are essential to combat the rising tide of sophisticated social engineering attacks like these fraudulent OpenAI invites. The long-term security of our digital ecosystems depends on a collective commitment to enhanced scrutiny and robust verification protocols, moving beyond superficial checks to truly understand the intent behind every digital interaction.
