
Cybersecurity Firms Hit by Fraudulent OpenAI Phishing Campaign
A new OpenAI phishing campaign is targeting employees at cybersecurity and technology companies, and the invitations look entirely real. Attackers create fraudulent ChatGPT organizational workspaces that impersonate legitimate businesses, then send employees official-looking invitations to join them. The emails arrive from OpenAI's own notification infrastructure, pass standard email authentication checks, and are visually identical to genuine workspace invites.
The campaign, dubbed "Poisoned Tenant" by the security firm that discovered it, marks a significant shift in how attackers approach data theft. Rather than spoofing a brand's email domain or building a fake login page, these actors abuse a real platform's own invitation system to reach targets.
What the Attack Looks Like
Employees at the targeted firm received invitations to join an OpenAI organization that bore their own company's name. The invite emails came from noreply@tm.openai.com, a legitimate OpenAI address, and passed DKIM and SPF checks. Nothing in the email itself indicated anything was wrong.
OpenAI does include a small notice flagging when the inviting account's email domain does not match the recipient's company domain. That warning appears as a single line buried within an otherwise normal-looking email, and it is easy to miss.
When a researcher accepted one of the invitations, the full picture came into view. The fake tenant contained one attacker-controlled account using a Gmail address, configured to pose as the targeted company's CEO. Every invited employee had been granted Owner privileges, giving them full administrative access over the fraudulent workspace.
The researcher could also see who else had been invited. None of the targeted employees had joined. The attacker had already attached a Visa credit card to the organization's billing account, allowing invited users to access premium ChatGPT features without any friction that might raise suspicion.
Why This Campaign Is More Dangerous Than Standard Phishing
Standard phishing attacks rely on urgency, deception, and imitation. This campaign does something more calculated. The attackers researched specific employees at each target company and invited them using their work email addresses. They named the fake organization after the victim company, set up an account impersonating the CEO, and added a payment method to strip away another potential warning sign.
That level of preparation would be wasted on merely pushing spam through a trusted channel. The investment only makes sense if targeted employees actually join the workspace and start using it as a corporate AI tool.
That is exactly what the attackers appear to be counting on. Employees who use ChatGPT at work routinely feed it sensitive material: source code, internal documents, security research, customer data, and strategic plans. An attacker-controlled workspace captures all of it.
This type of OpenAI phishing attack does not require malware, a compromised mail server, or a spoofed domain. The infrastructure belongs to a legitimate, trusted platform. That is precisely what makes it effective.
A Broader Pattern of SaaS Abuse
The Poisoned Tenant campaign fits into a growing pattern of attackers exploiting the invitation and notification systems built into SaaS platforms. Because the messages originate from the platform's own servers, they tend to bypass email security controls that would catch traditional phishing.
OpenAI tenant phishing is a particularly sharp version of this threat. AI platforms sit at the intersection of convenience and sensitivity. Employees share things with them that they might not write in an email. Attackers who can insert themselves into a trusted workspace gain access to a data stream that conventional corporate espionage cannot easily replicate.
The security firm that uncovered this campaign confirmed that multiple other companies in cybersecurity and technology received similar invitations. The broader scope of the campaign remains unclear. OpenAI has not confirmed receiving additional reports or announced plans to add safeguards against fraudulent tenant creation.
What Organizations Should Do
The mitigations here are practical and achievable, even without waiting for the platform to act. Security and IT teams should treat unexpected SaaS organization invitations the same way they treat unexpected login links: verify before accepting.
Employees should confirm any invitation to join a new organizational workspace through a separate, trusted channel before they click. A quick message to an IT administrator or a check with whoever manages AI tools costs seconds and can prevent a significant data exposure.
Organizations should also monitor SaaS membership changes. Most enterprise-grade platforms log when accounts join or receive invitations from external organizations. Reviewing those logs regularly can surface suspicious activity before it becomes a problem.
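As an added illustration of the triage the article recommends (this is not code from the article or from OpenAI; the record layout, company domain and sample notices are constructed assumptions), the following Python flags invitations whose authentication passes but whose inviter domain or workspace name is the real warning sign:

```python
"""Heuristic triage of SaaS workspace-invitation notifications.

Added example for the Poisoned Tenant pattern described above. The record
layout is an assumption, not OpenAI's actual email format. SPF/DKIM passing
only proves the platform sent the mail, so the useful signals are the
inviter's domain, whether the workspace name mimics our own company, and
whether IT actually provisioned that workspace.
"""
from dataclasses import dataclass
from typing import List

@dataclass
class InviteNotice:
    sender: str          # header From of the notification email
    spf_dkim_pass: bool  # result of standard authentication checks
    inviter: str         # account that created the invitation
    org_name: str        # workspace name shown in the invite
    recipient: str       # employee address the invite was sent to

COMPANY_DOMAIN = "example-sec.com"             # constructed
COMPANY_BRAND = "examplesec"                   # constructed, normalized brand
KNOWN_WORKSPACES = {"ExampleSec Engineering"}  # constructed: what IT provisioned
PLATFORM_SENDER = "noreply@tm.openai.com"      # legitimate address named above

def domain(addr: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()

def triage(n: InviteNotice) -> List[str]:
    """Return the reasons an invite deserves out-of-band verification."""
    reasons: List[str] = []
    if n.sender.lower() != PLATFORM_SENDER or not n.spf_dkim_pass:
        # Classic spoofing: not even a genuine platform notification.
        reasons.append("not a genuine platform notification")
        return reasons
    if domain(n.inviter) != COMPANY_DOMAIN:
        # The one-line mismatch notice the article says is easy to miss.
        reasons.append(f"inviter domain {domain(n.inviter)} is external")
    normalized = "".join(ch for ch in n.org_name.lower() if ch.isalnum())
    if COMPANY_BRAND in normalized and n.org_name not in KNOWN_WORKSPACES:
        reasons.append("workspace uses our name but was not provisioned by IT")
    return reasons

def suspicious(n: InviteNotice) -> bool:
    """True when the invite should be verified before anyone accepts it."""
    return bool(triage(n))

if __name__ == "__main__":
    # Constructed sample mirroring the campaign: genuine sender, Gmail inviter.
    sample = InviteNotice(PLATFORM_SENDER, True, "ceo.examplesec@gmail.com",
                          "ExampleSec", "alice@example-sec.com")
    print(triage(sample))
```

The same check can be run over exported audit logs of membership changes, which is where the article suggests looking for invites that employees never reported.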
AI tools carry real productivity value, but that value comes with a corresponding risk. Employees share things with AI platforms that they would protect carefully in other contexts. An OpenAI phishing campaign that exploits that habit, without triggering a single security alert along the way, is a serious threat that deserves a serious response.