Cybersecurity Firms Targeted by Fake OpenAI Organization Invites in “Poisoned Tenant” Phishing Campaign

Attackers are creating fake OpenAI organizations and inviting employees into them using legitimate invitation emails, tricking users into joining attacker-controlled ChatGPT workspaces designed to harvest sensitive corporate data.

CSBadmin

A new phishing campaign is abusing OpenAI’s organization invite system to impersonate legitimate companies and lure employees into joining attacker-controlled ChatGPT workspaces. Discovered by Push Security and dubbed the “Poisoned Tenant” campaign, the operation has primarily targeted cybersecurity and technology firms using carefully researched employee email addresses.

What makes the attack particularly effective is that the invitation emails originate from OpenAI’s legitimate infrastructure and pass standard email authentication checks. Sent from OpenAI’s official notification system, the emails appear authentic, with only a subtle warning indicating that the inviter’s email domain does not match the recipient’s organization.

Once victims accept the invitation, they are added to a fake OpenAI organization impersonating the targeted company. In one observed case, attackers had already assigned owner-level privileges to invited users, attached a payment method to the workspace, and seeded the tenant with a Gmail-based account impersonating a company executive to increase legitimacy.

Researchers warn that the likely goal is not immediate credential theft but long-term data harvesting. By convincing employees to treat the malicious workspace as legitimate, attackers could capture sensitive information entered into ChatGPT prompts, including proprietary code, internal documents, customer data, and strategic communications.

The campaign highlights a growing class of SaaS-based abuse where attackers leverage trusted platform features—such as official invitations and notification systems—to bypass traditional phishing defenses and directly manipulate enterprise collaboration environments.
