Fake OpenAI workspaces target cybersecurity employees in ‘Poisoned Tenant’ campaign

Someone is creating OpenAI organizations that impersonate real companies and inviting their employees to join. It’s a clever social engineering angle, and cybersecurity firms are in the crosshairs.

Push Security discovered the campaign — they’re calling it “Poisoned Tenant” — after their own employees received invitations to join an OpenAI workspace called “Push Security Inc.” The twist? The invite was real. It came from OpenAI’s actual notification system, passed email authentication, and looked identical to a normal ChatGPT workspace invitation.

The attacker had created the tenant using Gmail addresses, not the company’s actual domain. OpenAI does include a small warning that the inviter’s domain doesn’t match, but it’s easy to miss — just one line inside a legitimate-looking email.

Push Security’s VP of R&D, Luke Jennings, accepted one of the invitations to see what would happen. He was immediately given Owner privileges in the fake organization. Inside, he found a single attacker-controlled account posting as the company’s CEO, Adam Bateman. A Visa credit card was already attached to billing, adding credibility.

The project workspace was empty — no chats, no projects. But that’s the point. The attackers want employees to start using it as if it were their real corporate ChatGPT instance. Once they do, anything typed into prompts — source code, internal documents, customer data, security research — becomes accessible to the attacker.

As Push Security noted, someone who just wants to spray scam content doesn’t bother researching individual employees, naming organizations after the target, or attaching a credit card. That effort only pays off if people actually join and start using the workspace.

What makes this particularly dangerous is that it bypasses traditional email security controls. The invitations come from OpenAI’s own infrastructure. They’re not phishing emails from a lookalike domain — they’re real platform notifications for a fraudulent tenant.

Push Security recommends training employees to verify unexpected organization invitations and actively monitoring SaaS organization memberships. OpenAI hasn’t commented yet on whether additional safeguards are planned.
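One way to operationalize that monitoring is to check each workspace invitation for the mismatch described above: a workspace named after the company whose inviter does not use a corporate domain. The following is an added example, not code from Push Security or OpenAI; the invitation record format, the company domain `pushsecurity.example` and the consumer-mail list are assumptions.

```python
"""Flag SaaS workspace invitations that match the 'Poisoned Tenant' pattern:
a workspace named after the company, created from a non-corporate address.
Record format below is constructed, not an OpenAI export format."""
from dataclasses import dataclass
import re

# Constructed list of consumer mail providers; extend for your environment.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com", "proton.me"}
CORP_SUFFIXES = {"inc", "ltd", "llc", "corp", "co"}


@dataclass
class Invitation:
    platform: str     # e.g. "openai"
    workspace: str    # workspace name shown in the invite
    inviter: str      # inviter e-mail address as reported by the platform
    recipient: str    # employee who received the invite


def _norm(name: str) -> str:
    """Lowercase, strip punctuation and corporate suffixes so that
    'Push Security Inc.' compares equal to 'push security'."""
    name = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    return " ".join(t for t in name.split() if t not in CORP_SUFFIXES)


def assess(inv: Invitation, company_name: str, company_domains: set[str]) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one invitation."""
    inviter_domain = inv.inviter.rsplit("@", 1)[-1].lower()
    reasons = []
    if inviter_domain not in company_domains:
        reasons.append(f"inviter domain {inviter_domain!r} is not a corporate domain")
    if inviter_domain in FREEMAIL:
        reasons.append("inviter uses a consumer mail provider")
    if _norm(company_name) in _norm(inv.workspace) and inviter_domain not in company_domains:
        reasons.append("workspace name impersonates the company")
    return {"suspicious": bool(reasons), "reasons": reasons}


def triage(invitations, company_name: str, company_domains: set[str]) -> list:
    """Run assess() over a batch and return only the flagged invitations."""
    return [(inv, assess(inv, company_name, company_domains))
            for inv in invitations
            if assess(inv, company_name, company_domains)["suspicious"]]
```

Feed it the invitation notifications your mail gateway or SaaS inventory tool already collects; the legitimate-looking sender is expected here, so the check deliberately ignores mail authentication results and looks only at the inviter's domain.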