Attackers Abuse OpenAI Organization Invites in Poisoned Tenant Campaign


Attackers are abusing OpenAI organization invitations to create convincing poisoned-tenant attacks, according to new research from Push Security. The tactic does not rely on spoofed email or a fake OpenAI domain. Instead, the attacker creates a real OpenAI organization with a target company’s name and invites employees through OpenAI’s own notification system.

In its OpenAI poisoned tenant report, Push Security said several team members received invitations to join an organization named “Push Security Inc.” The emails came from OpenAI’s legitimate notification address, passed standard email authentication checks, and looked like routine organization invites.

The goal is not instant password theft. The bigger risk is long-term data harvesting. If an employee joins the attacker-controlled organization and begins using it for work, the attacker may gain visibility into sensitive prompts, files, API usage, billing activity, and project-level work depending on the permissions and product surface involved.

How the OpenAI Invite Attack Works

The attack starts with a fake organization that uses the target company’s name. The invitation then reaches employees through a real OpenAI email flow, which makes it harder for traditional email filters to flag the message as malicious.

Push Security said the OpenAI email did include a warning that the inviter’s email domain did not match the recipient’s corporate domain. That warning matters, but it appears as a single line inside an otherwise legitimate-looking platform email.

After a researcher accepted one invite, the account was added to the fake organization with one click and no extra credential prompt. Push also found that invited users had been assigned the Owner role, and the attacker had attached a payment card to the account.

Attack stageWhat happensWhy it is effective
Fake organizationThe attacker creates an OpenAI organization using the target company nameThe name makes the tenant look familiar to employees
Legitimate invite emailOpenAI sends a real platform invitation to the employeeEmail authentication checks can pass because the sender is legitimate
One-click acceptanceThe user joins the attacker-controlled organizationThe workflow feels like normal SaaS collaboration
Data harvestingThe attacker waits for the user to use the workspace or APIPrompts, uploads, usage data, and project activity may become valuable

Why This Is a Poisoned Tenant Attack

A poisoned tenant attack happens when an attacker creates a SaaS organization, workspace, or tenant that impersonates a real company. The attacker then invites employees into that environment and waits for them to treat it as a legitimate business resource.

This is different from a normal phishing email. The link can point to a real SaaS platform, the message can come from a real platform domain, and the user may not see an obvious fake login page.

Push Security first discussed poisoned tenants in 2023 and now says the same concept has appeared in a real OpenAI-targeted incident. The company’s research write-up says the attacker targeted specific employees, used company branding through the organization name, and created a setup that looked ready for work.

What Data Could Be Exposed

The data risk depends on how the user uses the attacker-controlled environment. If the user only joins and leaves, exposure may remain limited. If the user begins using the organization for real work, the risk grows quickly.

OpenAI’s platform RBAC documentation explains that organization and project roles govern what users can do across the API and dashboard. The same documentation lists permissions covering usage, files, prompts, projects, keys, and other resources.

OpenAI also states in its managed account data access guidance that an administrator may be able to access, export, audit, retain, delete, or control data tied to a managed ChatGPT account, depending on configuration and applicable law.

  • Prompts entered into the wrong organization or workspace.
  • Files uploaded for analysis, coding, research, or business work.
  • Source code pasted into chats or API calls.
  • Usage and activity metadata.
  • API activity and project-level resources.
  • Shared workspace content, if users rely on the fake environment.

OpenAI Roles Make the Risk More Serious

The attacker in the Push incident gave invited users Owner privileges, which could make the fake organization look less restricted and more believable. It also reduces friction for users who try to inspect settings, billing, or team access.

OpenAI’s workspace role guidance says Owners have full access, including billing, identity management, and workspace configuration, while Admins manage users and groups and Members have no admin privileges.

This matters because attackers do not need to steal credentials immediately if they can convince users to work inside the wrong tenant. The poisoned tenant becomes the collection point.

Role or control areaSecurity relevance
Owner roleCan make the fake workspace appear fully usable and reduce suspicion
Usage visibilityCan reveal who is active and how the tenant is being used
Project accessCan expose files, prompts, keys, and API resources depending on permissions
Billing setupCan remove payment friction that might otherwise trigger internal questions

This Builds on Earlier OpenAI Invite Abuse

This is not the first time attackers have abused OpenAI’s organization and invitation features. In January 2026, Kaspersky reported a scam that placed deceptive text, fraudulent phone numbers, and links inside OpenAI organization names.

In that earlier campaign, attackers used organization invites mainly as a delivery channel for scam content. The newer poisoned-tenant pattern is more subtle because the fake organization itself becomes the trap.

The two cases point to the same security problem. Collaboration features can be abused when platforms let anyone create an organization with a trusted-looking name and invite employees at other companies.

SaaS Notification Abuse Is Expanding

The OpenAI invite issue also fits a wider trend in SaaS abuse. Attackers increasingly use legitimate platform notification systems to deliver social engineering messages from trusted infrastructure.

Cisco Talos described this pattern as attackers weaponizing SaaS notification pipelines across platforms such as GitHub and Jira. Talos called the approach Platform-as-a-Proxy because attackers make legitimate platforms send the email for them.

These emails can satisfy SPF, DKIM, and DMARC checks because they come from the real provider. That weakens the value of sender authentication as the only decision point for trust.

Traditional phishingPoisoned tenant or SaaS notification abuse
Often uses spoofed or lookalike sender domainsUses real SaaS notification infrastructure
Often sends users to a fake login pageMay send users to a real platform workspace or organization
Email security may flag suspicious infrastructureEmail authentication can pass normally
The goal is often immediate credential theftThe goal may be long-term access to activity and data

How Attackers Could Escalate the Attack

Push Security warned that a poisoned OpenAI organization could become a starting point for more social engineering. Once an employee trusts the workspace, the attacker could send shared chats, request integrations, or push users toward other attacker-controlled services.

The risk grows when AI tools connect to third-party apps, files, code repositories, calendars, and cloud storage. A fake workspace can become a staging area for OAuth abuse, malicious shared content, or indirect prompt injection.

Invitation email showing OpenAI branding, “Push Security Inc” org name, and the Gmail sender address

OpenAI’s audit log API documentation shows that organizations can track events such as invites sent, invites accepted, user changes, role assignments, API key actions, and project updates. Defenders should look for similar visibility in every AI and SaaS platform they allow employees to use.

What Organizations Should Do Now

Security teams should not treat an email as safe only because it comes from a legitimate SaaS sender. In this attack pattern, legitimacy of infrastructure is part of the lure.

Companies should monitor which external organizations or workspaces employees join, review OpenAI organization usage, and create clear internal guidance on approved AI workspaces. Employees should know which OpenAI organization belongs to the company and how to report suspicious invitations.

Admins should also use least privilege. The OpenAI RBAC guide recommends starting with the minimum permissions needed, reviewing roles regularly, removing unused roles and keys, and validating access with non-owner accounts.

  • Tell employees not to accept unexpected OpenAI organization invitations.
  • Verify the inviter domain, organization name, and expected company workspace before joining.
  • Publish the official company OpenAI workspace or organization name internally.
  • Monitor invite activity, workspace switches, and unusual API usage where possible.
  • Use SSO, SCIM, domain verification, and role-based access controls for managed workspaces.
  • Block or quarantine suspicious external SaaS invites when the sender domain and target domain do not match.

What Employees Should Watch For

Employees should treat unexpected OpenAI invitations the same way they treat unexpected file-share or workspace invites. A real platform email can still lead to an attacker-controlled environment.

The clearest warning sign in the Push case was a domain mismatch between the inviter and the recipient’s company domain. Users should also look for unfamiliar senders, unexplained Owner privileges, unexpected billing information, and a workspace that internal IT has not announced.

The recently disclosed LLMShare attack used ChatGPT to distribute malware

Kaspersky’s OpenAI teamwork feature warning also recommended treating unsolicited invitations with suspicion, inspecting links carefully, and avoiding phone numbers or instructions included inside suspicious platform-generated emails.

Vendor Controls Need to Improve

The incident highlights a gap in modern SaaS security. Many platforms make collaboration easy, but not all of them strongly verify whether an organization name belongs to the company being impersonated.

Push Security argued that vendors should consider stronger protections, including domain verification before using a company name, more prominent cross-domain invite warnings, and enterprise controls that restrict which external organizations employees can join.

OpenAI’s role documentation, the audit log API, and the managed account data guidance all show why organizations need governance around AI workspaces. These platforms now hold business-critical data, so their invitation flows need the same scrutiny as identity systems, file-sharing tools, and code platforms.

Bottom Line

The OpenAI poisoned-tenant campaign shows how attackers can exploit trust in legitimate AI platforms without using classic spoofing or malware. The email can be real, the platform can be real, and the organization can still belong to an attacker.

Cisco Talos’ SaaS notification pipeline research shows the same direction across other collaboration tools. Attackers increasingly abuse trusted platforms as delivery systems, so defenders need visibility into SaaS membership, tenant ownership, AI usage, and external workspace joins.

FAQ

What is an OpenAI poisoned tenant attack?

An OpenAI poisoned tenant attack happens when an attacker creates an OpenAI organization or workspace that impersonates a real company and invites employees to join it. If users trust the fake environment and use it for work, the attacker may gain visibility into sensitive activity and data.

Are OpenAI organization invite emails fake in this attack?

Not necessarily. In the Push Security incident, the invitations came through OpenAI’s legitimate notification system. That is why the attack is hard to spot with traditional email authentication checks alone.

What data could attackers collect from a fake OpenAI organization?

If employees use the attacker-controlled organization for work, attackers may gain access to prompts, uploaded files, usage and activity metadata, API activity, project resources, and other sensitive business data depending on permissions and product settings.

How can employees spot suspicious OpenAI invites?

Employees should check whether the inviter domain matches their company, confirm that the workspace was announced internally, verify the sender and organization name, and report unexpected OpenAI organization invitations to IT or security before accepting.

How can companies defend against poisoned tenant attacks?

Companies should publish approved AI workspace names, monitor external SaaS invitations, restrict unapproved workspace joins where possible, use SSO and SCIM for managed access, enforce least privilege, review audit logs, and train employees that legitimate platform emails can still lead to attacker-controlled tenants.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages