Push Security calls it the "Poisoned Tenant" campaign, and it's the most insidious SaaS phishing vector I've seen this year. Attackers create OpenAI ChatGPT tenants that impersonate legitimate companies, then use the platform's own invite feature to send real invitation emails from OpenAI's infrastructure to targeted employees. The emails come from an OpenAI-owned sender address, pass SPF and DKIM, and look identical to a legitimate workspace invite, because they are one. A mail filter keyed on sender reputation or authentication results has nothing to flag.
How the Attack Works: Real Invites, Fake Tenant
Push Security's VP Luke Jennings accepted one of the phony invites to see what happened. After joining, he landed in an empty ChatGPT workspace that impersonated Push Security itself. The only other account was a single attacker-controlled Gmail address masquerading as the CEO, Adam Bateman. The invite granted Owner privileges, which gave him full admin control over the tenant, including the ability to view pending invites. That is how Push confirmed none of its actual employees had accepted yet. A Visa credit card was already attached to the billing account, making the whole thing look even more legitimate.
The attackers specifically targeted employees at cybersecurity and tech companies, using work email addresses they'd researched beforehand. The only warning sign? A single line in the invite email noting the inviter's domain doesn't match the recipient's domain. Easy to miss when you're clicking through a crowded inbox.
The Real Objective: Harvest Your AI Prompts
Why go through this effort? Push Security's analysis is blunt: "That investment only pays off if employees actually join the organization and start using it." The goal is to get employees to treat the fake workspace as their company's official ChatGPT tenant. Once they start pasting in prompts, the attacker sees all of it: source code, internal docs, customer data, security research, strategic plans. As workspace owner, the attacker can export all chats and projects through the platform's own tooling, so there is no exfiltration step to detect.
This is a step up from traditional business email compromise. The attacker isn't fishing for credentials or a quick wire transfer. They're building a persistent, trusted channel inside a legitimate SaaS platform where employees voluntarily dump the company's most sensitive data.
Broader Implications for SaaS Security
Push Security points out that this reflects a broader trend: attackers abusing the legitimate notification and invitation features baked into SaaS platforms. Because the emails originate from the platform's own infrastructure, they pass the authentication and reputation checks that would flag a normal phishing attempt. OpenAI needs to step up tenant verification, at minimum requiring domain ownership proof before letting someone create an organization named after a real company. Until then, the practical defenses are on the receiving end: train employees to scrutinize every unexpected invite (the inviter-domain mismatch line is the one reliable tell), and actively inventory which SaaS organizations your staff belong to so an unauthorized lookalike tenant shows up before it fills with data.
If your company uses ChatGPT workspaces, assume attackers are already trying this against you. Check your OpenAI tenant list for anything that doesn't belong.
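The two checks above, the inviter-domain mismatch on an invite and the membership inventory for lookalike tenants, are simple enough to script. The following is an added example, not Push Security's or OpenAI's code: it assumes you already have the invite fields (from a mail gateway export) and a list of workspaces your staff belong to (from a membership survey or an admin export); the corporate domain, brand tokens, approved org ids, and all sample records are constructed placeholders.

```python
"""Triage helpers for lookalike SaaS workspace invites and memberships.

Added example; not Push Security's or OpenAI's code. Invite fields and the
workspace inventory are constructed for illustration. The checks assume you
already collected this data (mail gateway export, membership survey).
"""
from dataclasses import dataclass, field
import re
import unicodedata

CORPORATE_DOMAIN = "pushsecurity.example"   # assumption: your own mail domain
BRAND_TOKENS = {"push", "pushsecurity"}     # assumption: names a lookalike tenant would reuse
APPROVED_ORG_IDS = {"org-approved-0001"}    # assumption: ids of tenants IT actually provisioned


def email_domain(addr: str) -> str:
    """Return the lowercased domain of 'user@host' or 'Display Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", addr.strip())
    if not m:
        raise ValueError(f"not an email address: {addr!r}")
    return m.group(1).lower()


def normalize_name(name: str) -> str:
    """Fold case, accents and punctuation so 'Push-Security, Inc.' compares as 'pushsecurityinc'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", folded.lower())


@dataclass
class Invite:
    inviter: str      # address of the person who sent the invite
    recipient: str    # mailbox the invite was delivered to
    org_name: str     # workspace name shown in the invite


def triage_invite(invite: Invite) -> list[str]:
    """Return reasons this invite deserves a second look; an empty list means none found.

    The one signal in the invite itself is an inviter whose domain differs from the
    recipient's. A brand-named org coming from an outside inviter is the poisoned-tenant shape.
    """
    reasons = []
    inviter_dom = email_domain(invite.inviter)
    recipient_dom = email_domain(invite.recipient)
    if inviter_dom != recipient_dom:
        reasons.append(f"inviter domain {inviter_dom} != recipient domain {recipient_dom}")
    if any(tok in normalize_name(invite.org_name) for tok in BRAND_TOKENS) and inviter_dom != CORPORATE_DOMAIN:
        reasons.append(f"org {invite.org_name!r} uses our brand but inviter is not @{CORPORATE_DOMAIN}")
    return reasons


@dataclass
class Workspace:
    org_id: str
    name: str
    owners: list[str] = field(default_factory=list)    # owner email addresses
    members: list[str] = field(default_factory=list)   # non-owner member addresses


def audit_workspaces(workspaces: list[Workspace]) -> dict[str, list[str]]:
    """Map org_id -> findings for every workspace IT did not provision."""
    findings = {}
    for ws in workspaces:
        if ws.org_id in APPROVED_ORG_IDS:
            continue
        reasons = []
        if any(tok in normalize_name(ws.name) for tok in BRAND_TOKENS):
            reasons.append("brand-named tenant outside the approved list")
        outside_owners = [o for o in ws.owners if email_domain(o) != CORPORATE_DOMAIN]
        if outside_owners:
            reasons.append("owner(s) outside corporate domain: " + ", ".join(outside_owners))
        corp_members = [m for m in ws.members if email_domain(m) == CORPORATE_DOMAIN]
        if corp_members:
            reasons.append(f"{len(corp_members)} corporate account(s) joined: " + ", ".join(corp_members))
        if reasons:
            findings[ws.org_id] = reasons
    return findings


# Constructed sample data shaped like the campaign described above.
SAMPLE_INVITE = Invite(
    inviter="CEO <ceo.push.security@gmail.example>",
    recipient="alice@pushsecurity.example",
    org_name="Push Security",
)
SAMPLE_WORKSPACES = [
    Workspace("org-approved-0001", "Push Security",
              owners=["it-admin@pushsecurity.example"], members=["alice@pushsecurity.example"]),
    Workspace("org-unknown-7f3a", "Push-Security",
              owners=["ceo.push.security@gmail.example"], members=["alice@pushsecurity.example"]),
]

if __name__ == "__main__":
    for reason in triage_invite(SAMPLE_INVITE):
        print("invite:", reason)
    for org_id, reasons in audit_workspaces(SAMPLE_WORKSPACES).items():
        print(org_id)
        for reason in reasons:
            print("  -", reason)
```

The membership audit deliberately treats "a corporate account has joined" as a finding in its own right: a lookalike tenant with zero of your people in it is a nuisance, while one with members is the channel Push describes, and that is the one to pull people out of first.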
Source: Cybersecurity firms targeted by fraudulent OpenAI organization invites
Domain: bleepingcomputer.com