
That OpenAI Invite in Your Inbox May Be a Trap

It came from OpenAI's real address. It passed every security check. And someone you have never met set it up to watch you work.

DA, Founder & Lead Technician

June 28, 2026 at 6:15 PM IST · 4 min read

Quick answer

Researchers found a campaign dubbed Poisoned Tenant where attackers create fake OpenAI organizations impersonating real companies, then invite employees using genuine OpenAI emails. The invites pass authentication, granting victims Owner access to an attacker-controlled ChatGPT workspace designed to harvest sensitive data.

The email looked perfect. It came straight from OpenAI.

It passed every spam and authentication check your company has. It carried your employer's name. And it invited you, by your real work address, to join the team ChatGPT workspace.

There was just one problem. Your company never created it. A stranger did.

Security researchers at Push Security uncovered the campaign after several of their own employees got invited to join an OpenAI organization called Push Security Inc. The catch: nobody at Push Security had set it up.

Here is what makes this attack so unsettling

This is not a clumsy phishing email with a typo-ridden link. The invitation was genuinely sent by OpenAI's own systems, from the legitimate notification address [email protected]. It passed email authentication. It was identical to a normal invite to join a company ChatGPT workspace.

That is the trick. The attackers did not hack OpenAI. They simply used OpenAI the way it was designed to be used. Anyone can create an organization, name it whatever they want, and invite people to it.

So the attacker created a ChatGPT tenant, named it after a real cybersecurity company, and started inviting that company's actual employees. The platform did the rest, lending the scam the full credibility of a trusted brand.

How they pulled this off cleanly is the part that should worry every team leaning on AI tools.

How the Poisoned Tenant scam actually works

Push Security calls it the Poisoned Tenant campaign, and the mechanics are simple enough to be repeatable.

The attacker created the fake organization using ordinary Gmail addresses rather than any corporate account. Then they targeted specific employees by their work email addresses, which suggests they had researched who works where before pressing send. This was aimed, not sprayed.

To see where it led, Luke Jennings, VP of Research Development at Push Security, accepted one of the invites himself.

What he found inside was revealing.

  • He was added instantly to the fake organization impersonating his own company.
  • The tenant held a single attacker-controlled account, using a Gmail address, posing as the company's CEO, Adam Bateman.
  • Every invited employee had been handed Owner privileges, giving them administrative control of the workspace.
  • A Visa credit card was already attached to the billing account, adding another layer of fake legitimacy.

Because the researcher had administrative access, he could see the other pending invitations and confirm that none of the targeted employees had actually joined yet. The bullet was still in the chamber.

Treat any unexpected invitation to a ChatGPT, AI, or SaaS workspace as suspicious by default, even when the email itself is genuine. Confirm with your IT or security team before accepting, and never assume a workspace is official just because it carries your company name.

So what is the attacker actually after?

This is where it gets murky, and honestly, more interesting.

When Push Security examined the fake workspace, it was empty. No existing chats. No projects. Nothing staged inside it.

So the company told BleepingComputer that the exact goal remains unclear. That uncertainty is not reassuring. It is the opposite.

Here is the most likely play, based on how the trap was built. If an employee accepts and assumes the workspace is their company's official ChatGPT environment, they may start using it for real work. They might paste internal documents, draft sensitive plans, or discuss confidential projects, all inside a space the attacker quietly controls and can read.

In other words, the empty room was the point. It was waiting to be filled with your secrets.

And the targeting tells its own story. Push Security said other customers received similar invites, and every single one was in the cybersecurity or technology space. These are exactly the companies whose internal data is most valuable to a determined attacker.

Why the usual advice does not save you here

For years the security mantra has been simple: check the sender, look for the real domain, do not trust suspicious emails.

This attack breaks that rule.

The sender really is OpenAI. The domain really does check out. The email really did pass authentication. Every signal your instincts and your filters rely on says this message is safe, because technically it is a real message.

OpenAI does include a warning that the inviter's email domain does not match your company's domain. But that notice shows up as a single line buried inside an otherwise legitimate-looking invitation. Easy to write off. Easy to miss entirely when you are moving fast.

That single line is the only thing standing between a busy employee and a poisoned workspace.

What happens next (24 to 72 hours)

Expect this pattern to spread fast, because it is cheap, convincing, and uses a trusted platform against its own users.

In the immediate term, here is what matters:

  1. More invites are likely. The campaign already hit multiple companies in tech and security. Copycats will follow the same playbook with other AI and SaaS platforms that allow open organization invites.
  2. Tell your team now. If anyone receives an unexpected invite to a ChatGPT organization, they should not accept it. They should report it to security first.
  3. Audit what you have already joined. Check whether your name sits inside any OpenAI organization you do not recognize, and confirm your company's real workspace with IT.
  4. Treat the inviter, not just the email, as the trust signal. A genuine email from OpenAI does not mean a genuine invite from your employer. Verify who created the workspace.

The uncomfortable lesson here is bigger than one campaign. As more work moves into AI workspaces, attackers are learning that they do not need to break the platform. They just need to borrow its trust for a moment.

And a single overlooked line in a perfectly real email is all it takes to hand them the keys.

Source: BleepingComputer

Frequently asked questions

Is the fake OpenAI invitation email actually from OpenAI?

Yes, and that is what makes it dangerous. The invites were sent from OpenAI's real notification address, [email protected], and passed standard email authentication checks. OpenAI is not compromised. Attackers simply created their own ChatGPT organization, named it after a target company, and used the platform's normal invite feature to reach employees.

What happens if I accept a fake ChatGPT organization invite?

You are immediately added to an attacker-controlled workspace, often with Owner privileges. The danger is what you do next: if you start a chat or project there believing it is your company's official workspace, anything you type, including sensitive internal details, can be visible to whoever set up the tenant.

How do I tell a fake OpenAI org invite from a real one?

Check who actually sent the invite. OpenAI shows a warning when the inviter's email domain does not match your company domain, but it appears as a single easy-to-miss line. If you did not expect an invitation, confirm directly with your IT or security team before accepting, and be suspicious of any inviter using a personal Gmail address.
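The checklist above ("Treat the inviter, not just the email, as the trust signal") and this FAQ answer describe the same triage rule: a real platform sender proves nothing, so the decision has to hinge on who issued the invite and what the tenant is called. The following Python script is an added example, not part of the original article and not Push Security's or OpenAI's tooling; it runs a mail-gateway or helpdesk triage over a few constructed invite records. It assumes a company domain `example.com`, a company name `Example Corp`, the platform notification domain `openai.com` (the real notification address is redacted on the page, so `noreply@` is a placeholder local part), and the field names `sender`, `inviter`, `org_name` and `role`, which are assumptions about what an analyst would extract from the notification mail.

```python
"""Triage workspace invites: flag tenants where the notification sender is
genuine but the inviter sits outside the company's own mail domain.

Added example; assumptions (company domain/name, platform domain, sample
records) are marked below.
"""
from dataclasses import dataclass
import re

COMPANY_DOMAIN = "example.com"            # assumption: your organization's mail domain
COMPANY_NAME = "Example Corp"             # assumption: the name an impostor tenant would copy
PLATFORM_NOTIFICATION_DOMAIN = "openai.com"  # domain the genuine invite mail is sent from
FREEMAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
                    "yahoo.com", "proton.me", "icloud.com"}
ORG_SUFFIXES = {"inc", "ltd", "llc", "corp", "co", "gmbh", "plc"}


@dataclass
class Invite:
    sender: str    # From: address of the notification mail
    inviter: str   # address of the account that created/issued the invite
    org_name: str  # organization / workspace name shown in the invite
    role: str      # role the invite grants, e.g. "Owner" or "Member"


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address; '' if the address is malformed."""
    addr = addr.strip().lower()
    if addr.count("@") != 1:
        return ""
    return addr.split("@")[1]


def normalize_org_name(name: str) -> str:
    """'Push Security Inc.' -> 'push security', so a tenant named after the
    company is matched even with a legal suffix tacked on."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    while words and words[-1] in ORG_SUFFIXES:
        words.pop()
    return " ".join(words)


def assess_invite(inv: Invite, company_domain: str = COMPANY_DOMAIN,
                  company_name: str = COMPANY_NAME) -> dict:
    """Return a verdict and the individual findings that produced it."""
    findings = []
    sender_domain = domain_of(inv.sender)
    inviter_domain = domain_of(inv.inviter)

    # A sender that is not the platform is the classic spoof; filters usually catch it.
    if sender_domain != PLATFORM_NOTIFICATION_DOMAIN:
        findings.append("sender_not_platform")
    # The Poisoned Tenant signal: the inviter is not one of ours, whatever the sender says.
    if inviter_domain != company_domain:
        findings.append("inviter_domain_mismatch")
    if inviter_domain in FREEMAIL_DOMAINS:
        findings.append("inviter_freemail")
    # An outside inviter running a tenant named after us is impersonation, not coincidence.
    if (normalize_org_name(inv.org_name) == normalize_org_name(company_name)
            and inviter_domain != company_domain):
        findings.append("org_name_impersonates_company")
    if inv.role.strip().lower() == "owner":
        findings.append("owner_role_granted")

    if "inviter_domain_mismatch" in findings and (
            "inviter_freemail" in findings or "org_name_impersonates_company" in findings):
        verdict = "block_and_report"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "findings": findings, "inviter_domain": inviter_domain}


# Constructed sample records (not real invites).
SAMPLE_INVITES = [
    # Genuine invite issued by the company's own admin.
    Invite("noreply@openai.com", "it-admin@example.com", "Example Corp", "Member"),
    # Poisoned Tenant pattern: real platform sender, freemail inviter, our name, Owner role.
    Invite("noreply@openai.com", "ceo.example@gmail.com", "Example Corp Inc", "Owner"),
    # Ordinary lookalike-domain spoof that sender checks already catch.
    Invite("noreply@openai-support.example", "it-admin@example.com", "Example Corp", "Member"),
]


def triage(invites):
    """Verdict per invite, keyed by (inviter, org_name)."""
    return [((inv.inviter, inv.org_name), assess_invite(inv)["verdict"]) for inv in invites]


if __name__ == "__main__":
    for inv in SAMPLE_INVITES:
        result = assess_invite(inv)
        print(f"{inv.inviter:28} {inv.org_name:18} -> {result['verdict']:16} {result['findings']}")
```

The point of the rule ordering is that `sender_not_platform` is the only check a conventional phishing filter performs, and it is the one that passes for a poisoned tenant; the verdict is driven by the inviter domain and the tenant name instead. In a real deployment the inviter address and org name would be parsed from the notification body, and the domain-mismatch line the platform already prints is the natural field to extract.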


Daniel founded Ask Technicians to cut through bad tech advice. He writes hands-on troubleshooting guides drawn from years of real-world repair and support work.
