bleepingcomputer.com web signal

Push Security Exposes 'Poisoned Tenant' OpenAI Invite Attack

openai cybersecurity ai-security social-engineering enterprise-ai

TL;DR

  • Attackers created fake OpenAI tenants named after real firms and invited those firms' employees, so the invitations arrived from OpenAI's own legitimate notification address, noreply@tm.openai.com.
  • The 'Poisoned Tenant' campaign has specifically targeted employees in the cybersecurity and technology sector.
  • Fraudulent organizations gave invited employees Owner-level admin privileges and already had a Visa credit card attached to billing.

The attack is disarmingly simple, which is what makes it worth paying attention to. According to BleepingComputer, threat actors have been creating fake OpenAI tenants impersonating legitimate companies and inviting employees to join them. The invitations arrive from noreply@tm.openai.com, OpenAI's own legitimate notification address, pass standard email authentication checks, and look identical to any routine platform invite.

Push Security discovered the campaign, which they call "Poisoned Tenant," after several of their own employees received invitations to join an OpenAI organization named "Push Security Inc.," one the company had not created. When a researcher accepted, they found a fraudulent workspace containing a single attacker-controlled Gmail account posing as the company's CEO, with invited employees assigned Owner-level administrative privileges. A Visa credit card was already attached to the billing account, presumably to add a veneer of operational legitimacy.

The suspected objective, according to Push Security, is to convince employees to treat the fake workspace as their legitimate corporate ChatGPT environment, then collect whatever sensitive material gets entered as prompts: source code, internal documents, customer data, security research, strategic plans. All known targets have been in the cybersecurity or technology sector, suggesting a deliberate interest in what those organizations know and in the defensive tooling and research they build.

OpenAI does include a warning in the invitation email when the inviter's email domain does not match the recipient's company domain, but it reportedly appears as a single line within an otherwise legitimate-looking message, easy to skim past. Push Security recommends two countermeasures: training employees to verify unexpected organization invitations with the supposed inviter through a channel other than the invitation itself, and monitoring which SaaS organizations employees are members of.
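The two signals the article gives you, a genuine platform sender whose mail passes authentication and an inviter whose domain does not match the recipient's, can be turned into a triage rule for unexpected invitation mail. The following is an added example and is not Push Security's or OpenAI's code: it parses a constructed invitation email (the sender domain noreply@tm.openai.com and the organization name come from the article; the body wording, the inviter address ceo.pushsecurity@gmail.com, the placeholder link, the free-mail domain list and the function names parse_invite and triage_invite are assumptions) and rates it, treating SPF and DKIM passes as a precondition rather than a trust signal.

```python
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.policy import default as default_policy

# The legitimate OpenAI notification domain named in the article.
PLATFORM_SENDER_DOMAIN = "tm.openai.com"
# Consumer mail providers; an "executive" inviting from one of these is a red flag (assumed list).
FREEMAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
                    "yahoo.com", "proton.me", "protonmail.com", "icloud.com"}
# Tokens that carry no identity when comparing organization names (assumption).
_NOISE = {"inc", "llc", "ltd", "corp", "co", "company", "the"}

# Constructed sample. Headers mirror the article (genuine sender, authentication passes);
# the body wording, inviter address and link are assumptions for illustration.
SAMPLE_INVITE = """\
From: OpenAI <noreply@tm.openai.com>
To: alice@push.security
Subject: You've been invited to join Push Security Inc. on OpenAI
Authentication-Results: mx.example.invalid; spf=pass smtp.mailfrom=tm.openai.com; dkim=pass header.d=tm.openai.com
Content-Type: text/plain; charset=utf-8

ceo.pushsecurity@gmail.com has invited you to join the organization Push Security Inc. on OpenAI.
Note: the inviter's email domain does not match your email domain.
Accept the invitation: https://example.invalid/accept-invite
"""


@dataclass
class Invite:
    sender_domain: str
    recipient_domain: str
    inviter: str          # address of the account that created the invite, as stated in the body
    org_name: str
    auth_passed: bool     # SPF and DKIM both passed; expected to be True for real platform mail


@dataclass
class Triage:
    verdict: str          # "platform-invite-ok" | "suspicious" | "likely-poisoned-tenant"
    findings: list = field(default_factory=list)


def _domain(addr: str) -> str:
    """Domain part of 'Name <user@host>' or 'user@host', lower-cased."""
    return addr.rsplit("@", 1)[-1].strip(" >").lower()


def _name_tokens(name: str) -> set:
    """Identity-bearing words of an organization name: 'Push Security Inc.' -> {push, security}."""
    return {t for t in re.findall(r"[a-z0-9]+", name.lower()) if t not in _NOISE}


def parse_invite(raw: str) -> Invite:
    """Extract the fields the triage rule needs from a raw invitation email."""
    msg = message_from_string(raw, policy=default_policy)
    auth = str(msg.get("Authentication-Results", ""))
    body = msg.get_content()
    inviter = re.search(r"([\w.+-]+@[\w.-]+)\s+has invited you", body)
    org = re.search(r"invited to join (.+?) on OpenAI", str(msg.get("Subject", "")))
    return Invite(
        sender_domain=_domain(str(msg["From"])),
        recipient_domain=_domain(str(msg["To"])),
        inviter=inviter.group(1) if inviter else "",
        org_name=org.group(1) if org else "",
        auth_passed="spf=pass" in auth and "dkim=pass" in auth,
    )


def triage_invite(inv: Invite, company_name: str) -> Triage:
    """Rate an invite. Passing authentication only proves OpenAI sent it, not who owns the tenant."""
    t = Triage(verdict="platform-invite-ok")
    if inv.sender_domain != PLATFORM_SENDER_DOMAIN or not inv.auth_passed:
        # Ordinary spoof/phish: outside this rule's scope, hand it to the usual phishing process.
        t.findings.append("not authenticated mail from the OpenAI notification domain")
        t.verdict = "suspicious"
        return t
    inviter_domain = _domain(inv.inviter) if inv.inviter else ""
    external = inviter_domain != inv.recipient_domain
    # Tenant named after us: every identity token of our own name appears in the org name.
    lookalike = _name_tokens(company_name) <= _name_tokens(inv.org_name)
    if external and lookalike:
        t.findings.append(f"organization '{inv.org_name}' carries our name but the inviter "
                          f"{inv.inviter or '<unknown>'} is outside {inv.recipient_domain}")
        t.verdict = "likely-poisoned-tenant"
    elif external:
        t.findings.append(f"inviter {inv.inviter or '<unknown>'} is outside {inv.recipient_domain}; "
                          "confirm through a channel other than the invitation")
        t.verdict = "suspicious"
    if inviter_domain in FREEMAIL_DOMAINS:
        t.findings.append(f"inviter uses a consumer mail domain ({inviter_domain})")
    return t


if __name__ == "__main__":
    result = triage_invite(parse_invite(SAMPLE_INVITE), company_name="Push Security")
    print(result.verdict)
    for finding in result.findings:
        print(" -", finding)
```

The rule deliberately refuses to treat an SPF/DKIM pass as evidence of legitimacy, which is the whole point of the campaign: the mail really is from OpenAI. What distinguishes a poisoned tenant from a real one is the combination of your own organization name with an inviter outside your domain, so that pairing is what escalates the verdict; an external inviter into a differently named organization is merely something to confirm out of band.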

The honest caveat is that the reporting comes from Push Security's own account of what happened to them; it does not say how many organizations were ultimately targeted, whether any employee actually submitted sensitive data before catching on, or who is running the campaign. The broader takeaway for security teams is that legitimate platform infrastructure is increasingly the vector: not a spoofed email, but a real one from a real service inviting you into a space an attacker controls.