
Poisoned Tenant: Attackers Create Fake OpenAI Organizations for Data Harvesting

The Bottom Line: Attackers create fraudulent OpenAI organizations under real company names and send invitations from OpenAI’s infrastructure to trick authorized employees into using them and intercept sensitive data they enter.

Security researchers from Push Security have uncovered an attack campaign in which perpetrators create fake OpenAI organization accounts under real company names and send email invitations via OpenAI’s official infrastructure to harvest sensitive corporate data. The workspaces controlled by the attackers are equipped with administrative rights and stored credit cards to suggest legitimacy.

The attack method, termed “Poisoned Tenant,” exploits the trust placed in OpenAI’s platform as an attack vector. Attackers create organization accounts within the OpenAI platform that bear the names of real businesses – in the examined case, a fake organization was registered in the name of Push Security Inc. From these attacker-controlled accounts, the perpetrators send targeted invitations to the business email addresses of employees of the imitated companies.

A key advantage for the attackers: the invitations are sent directly via OpenAI’s official infrastructure (noreply@tm.openai.com) and therefore pass all common email authentication checks such as SPF, DKIM, and DMARC. Security filters typically do not block the messages. Visually, the invitations are identical to legitimate notifications about joining a ChatGPT workspace.

Push Security researcher Luke Jennings accepted such an invitation and documented the infrastructure: the fake organization was configured with a Gmail account controlled by the attackers under the name of the real business executive. Invited employees automatically received administrative owner rights, and a Visa credit card was already stored in the billing section – a measure that both increases credibility and enables premium features without triggering user warnings about missing payment data.

The goal of this campaign is continuous data harvesting: when employees regularly use the supposed workspace, the attackers have access to all entered data and prompts – particularly sensitive information such as source code, internal documents, customer data, or strategic plans. Push Security points out that this effort (research into target companies, naming after real firms, storing credit cards) is only undertaken for targets that are highly sensitive and regularly work with critical data.
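The indicators the article lists (invitation delivered from OpenAI’s own sender and passing SPF/DKIM/DMARC, a workspace carrying the target company’s own name, a tenant run from a consumer Gmail account) can be turned into a mail-triage check. The following is an added example, not code from the article or from Push Security. It assumes the invitation body names the inviting organization and shows the inviter’s address in the form used in the constructed samples below; the corporate domain, company name and webmail list are placeholders a defender would substitute.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumed defender-side constants (placeholders, not from the article).
CORP_DOMAIN = "example.com"
CORP_NAME = "Example Inc"
# Sender the article names for genuine OpenAI workspace invitations.
SAAS_NOTIFIER_DOMAINS = {"tm.openai.com"}
# Consumer mailbox providers; the fake tenant in the article ran on Gmail.
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

# Assumed body format: "Name (address) has invited you to join <Org> on ChatGPT".
INVITER_RE = re.compile(
    r"\(([^()\s]+@[^()\s]+)\)\s+(?:has )?invited you to join\s+(.+?)\s+on ChatGPT",
    re.I,
)


def normalize_name(name: str) -> str:
    """Lower-case, drop punctuation and corporate suffixes so that
    'Example, Inc.' compares equal to 'Example Inc'."""
    words = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(w for w in words if w not in {"inc", "llc", "ltd", "gmbh", "corp"})


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def triage_invite(raw: str) -> dict:
    """Return a verdict and findings for one raw workspace-invitation email."""
    msg: Message = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    auth = msg.get("Authentication-Results", "").lower()
    body = msg.get_payload()
    match = INVITER_RE.search(body)
    if match is None:
        return {"verdict": "unparsed", "findings": ["no invitation pattern found"]}
    inviter, org = match.group(1), match.group(2)
    findings = []

    # Passing SPF/DKIM/DMARC only proves the mail came from OpenAI's platform;
    # it says nothing about who created the tenant.
    auth_ok = all(f"{k}=pass" in auth for k in ("spf", "dkim", "dmarc"))
    if domain_of(sender) in SAAS_NOTIFIER_DOMAINS and auth_ok:
        findings.append(
            "platform sender with passing SPF/DKIM/DMARC: authenticates OpenAI, not the tenant"
        )

    # Core poisoned-tenant signal: a workspace bearing our own name, but the
    # person inviting us is not on our mail domain.
    same_company = normalize_name(org) == normalize_name(CORP_NAME)
    inviter_dom = domain_of(inviter)
    external_inviter = inviter_dom != CORP_DOMAIN
    if same_company and external_inviter:
        findings.append(f"workspace named '{org}' but inviter {inviter} is outside {CORP_DOMAIN}")
    if inviter_dom in WEBMAIL_DOMAINS:
        findings.append(f"inviter uses consumer mailbox provider {inviter_dom}")

    verdict = "suspect" if (same_company and external_inviter) else "ok"
    return {"verdict": verdict, "org": org, "inviter": inviter, "findings": findings}


# Constructed sample messages (not real captures).
SUSPECT_INVITE = """\
From: OpenAI <noreply@tm.openai.com>
To: employee@example.com
Subject: You've been invited to join Example Inc on ChatGPT
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=tm.openai.com; dkim=pass header.d=tm.openai.com; dmarc=pass header.from=tm.openai.com

Jane Exec (jane.exec.ceo@gmail.com) has invited you to join Example Inc on ChatGPT.
Accept the invitation to get started.
"""

LEGIT_INVITE = """\
From: OpenAI <noreply@tm.openai.com>
To: employee@example.com
Subject: You've been invited to join Example Inc on ChatGPT
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=tm.openai.com; dkim=pass header.d=tm.openai.com; dmarc=pass header.from=tm.openai.com

IT Admin (it-admin@example.com) has invited you to join Example Inc on ChatGPT.
Accept the invitation to get started.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_INVITE), ("legit", LEGIT_INVITE)):
        result = triage_invite(raw)
        print(label, "->", result["verdict"])
        for finding in result["findings"]:
            print("   ", finding)
```

The check deliberately treats a passing DMARC result as neutral rather than reassuring: in this campaign the authentication headers are genuine, so the discriminating signal is the mismatch between the workspace’s claimed company and the inviter’s mail domain, which an organization can verify against its own directory.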

The approach reflects a broader trend: attackers increasingly abuse internal notification and invitation functions of SaaS platforms to circumvent traditional email security barriers and exploit trust in established services.


Source: www.it-daily.net · Published 1 July 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.
