Scammers have launched a coordinated campaign impersonating OpenAI organizations to compromise credentials at major cybersecurity firms. The attackers, in what researchers dubbed the “Poisoned Tenant” campaign, created fake OpenAI workspaces using legitimate-looking company names and Gmail addresses to trick employees into sharing sensitive data through ChatGPT interfaces. Push Security, a prominent cybersecurity company, discovered the scheme after its own employees received invitations to OpenAI organization workspaces that appeared to come from legitimate business partners—invitations that actually originated from threat actors.
The attack is particularly insidious because the fraudulent invitations were sent from OpenAI’s actual notification email address ([email protected]) and passed standard email authentication checks. This means employees who checked email headers would find no obvious red flags; the messages appeared to come from OpenAI’s legitimate infrastructure, making social engineering far more effective than typical phishing attempts. What makes this campaign especially concerning is its precision targeting of the cybersecurity industry itself. Rather than casting a wide net, attackers conducted reconnaissance to identify specific employees at security firms and then sent customized invitations designed to exploit professional trust and curiosity about new collaboration tools.
Table of Contents
- How Attackers Impersonate Organizations Through OpenAI Tenants
- The Role of Email Authentication in Creating Legitimacy
- Targeting the Cybersecurity Industry for Maximum Impact
- Beyond Organization Impersonation: Malicious Domains and Credential Harvesting
- The Broader Credential Harvesting Ecosystem Targeting OpenAI
- OpenAI’s Investigation and Findings
- Real-World Implications for Security Professionals and Enterprises
- Frequently Asked Questions
How Attackers Impersonate Organizations Through OpenAI Tenants
The core technique behind this campaign exploits OpenAI’s workspace and organization features. Attackers created OpenAI organizations and tenants using Gmail addresses instead of legitimate company domains—for example, a Gmail account designed to look similar to a real company domain. Once the fake organization was established, invitations sent from it could leverage OpenAI’s legitimate infrastructure to reach target employees. When an employee receives an invitation to join an OpenAI organization, they typically assume it comes from a trusted partner or colleague. In this campaign, the invitations appeared to originate from well-known companies, with the fake tenant configured to mirror the branding and presentation of the real organization.
Employees who accepted invitations were directed to ChatGPT workspaces where they were encouraged to share files, project details, or other sensitive information that attackers could then harvest. Once inside the workspace, threat actors could access conversations, uploaded documents, and project files that might contain proprietary information, security research, or customer data. The attack’s success hinged on a specific vulnerability in how humans perceive email authenticity. The legitimate OpenAI notification address gave the invitations credibility, and the customized targeting meant employees had a plausible business reason to expect such an invitation. This is a significant departure from mass phishing, which relies on volume and the assumption that some recipients will fall for generic lures.
The Role of Email Authentication in Creating Legitimacy
email authentication technologies like SPF, DKIM, and DMARC are designed to prevent exactly this kind of attack, yet the threat actors managed to bypass employee skepticism despite legitimate authentication headers. This happened because the emails were sent from OpenAI’s legitimate infrastructure—attackers did not forge OpenAI’s email servers or bypass authentication. Instead, they used OpenAI’s own services to send invitations, meaning the emails were literally authentic in a technical sense. The danger here lies in employee behavior. Most people do not habitually check email authentication headers when they receive messages from recognized brands.
When an email appears to come from “OpenAI,” passes authentication, and invites them to collaborate on something that sounds relevant to their work, the barrier to clicking is low. Employees in the cybersecurity industry, despite their technical knowledge, are not immune to social engineering attacks that exploit professionalism and trust in established platforms. A critical limitation of email authentication is that it only verifies that a message came from the claimed server—it says nothing about whether the legitimate server was misused. If an attacker successfully creates an account on OpenAI and sends an email through OpenAI’s systems, that email will authenticate correctly. This is why organizations cannot rely on email authentication alone to detect social engineering.
Targeting the Cybersecurity Industry for Maximum Impact
The choice of cybersecurity firms as primary targets reveals attackers’ strategic thinking. Cybersecurity employees have access to sensitive information including vulnerability research, customer data, client lists, and internal security practices. A successful breach of credentials at a cybersecurity firm does not just compromise that company; it potentially exposes their clients and downstream effects ripple through entire supply chains. Push Security’s discovery of the campaign indicates that the attackers conducted targeted reconnaissance before launching invitations.
Rather than sending tens of thousands of random OpenAI organization invites, they identified specific employees at specific security firms and crafted invitations designed to appear relevant to their roles. One employee at Push Security might receive an invitation claiming to come from a partner organization or a known contact, increasing the likelihood they would accept without extensive verification. The attacks have extended beyond a single firm. Researchers confirmed that multiple cybersecurity and technology companies received similar fraudulent invitations, suggesting the campaign is ongoing and systematic. Attackers understand that security professionals are attractive targets, and they have invested effort in making their lures appear credible and personalized rather than relying on generic mass-email attacks.
Beyond Organization Impersonation: Malicious Domains and Credential Harvesting
The threat landscape expanded further following the launch of OpenAI’s Sora video generation tool. Cybercriminals deployed additional attacks using malicious domains that impersonated OpenAI services and promoted Sora access. These attacks combined credential harvesting with cryptocurrency fraud schemes, targeting users who wanted to try the new tool. In credential harvesting attacks of this type, users are directed to a fake OpenAI login page or sign-up form.
They enter their email address and password, thinking they are creating an account or signing in legitimately. Once the attacker captures these credentials, they can attempt to access the victim’s real OpenAI account, bypass two-factor authentication if it is configured incorrectly, or sell the credentials to other threat actors. This is fundamentally different from the tenant impersonation attacks, though both exploit user trust in OpenAI’s brand and infrastructure. The comparison between the two attack vectors reveals a tradeoff: tenant impersonation requires more precision and reconnaissance but yields richer rewards in terms of data access, while credential harvesting is easier to scale but depends on converting victims to actual account takeovers. An attacker using credential harvesting can operate broadly against any OpenAI user globally, whereas the tenant impersonation campaign required research into specific employees at specific companies.
The Broader Credential Harvesting Ecosystem Targeting OpenAI
Cybercriminals have long recognized that OpenAI accounts are valuable targets. An OpenAI account provides access to ChatGPT, which many users have integrated with other business tools and platforms. Compromised accounts can be misused for lateral movement into customer networks, as attackers can impersonate the account holder to gain trust and access. The scale of credential harvesting targeting OpenAI users has grown substantially, particularly as OpenAI’s services have become more integrated into business workflows.
Threat actors register malicious domains with names close to openai.com, set up fake sign-up pages, or run credential phishing campaigns via email. Some of these campaigns have been detected and reported by security researchers; others likely go undetected for weeks or months. A key limitation in defending against these campaigns is that users themselves become the vulnerability. If an employee is tricked into entering credentials on a fake login page, even the strongest technical protections at the company level cannot prevent the initial credential compromise. Organizations can implement strict browser policies, detect suspicious sign-ins, and require hardware security keys, but determined social engineering attacks will still find victims.
OpenAI’s Investigation and Findings
OpenAI received reports of credential theft and conducted an investigation into whether its systems had been compromised. The company found no evidence of a breach of OpenAI’s infrastructure or databases. This finding is significant because it clarifies that the attacks are not the result of OpenAI’s security being defeated; rather, they exploit OpenAI’s legitimate features and combine social engineering with spoofed infrastructure.
The absence of a confirmed breach does not minimize the severity of the attacks. Attackers accomplished their goals through social engineering and feature misuse rather than through technical exploitation. In some cases, this is actually more difficult to prevent, because it does not require finding and patching a security vulnerability. It requires changing human behavior and organizational processes.
Real-World Implications for Security Professionals and Enterprises
The targeting of the cybersecurity industry itself highlights a troubling irony: companies that specialize in preventing attacks can still fall victim to well-executed social engineering. This is not a failure of technical competence but rather a recognition that even security-conscious employees have limited time and attention to scrutinize every collaboration request or invitation.
For enterprises, the lesson is that no amount of technical security can eliminate the need for awareness and verification procedures. Before accepting an organization invite from a third party, employees should verify the request through an independent channel—a phone call, a message through an existing secure channel, or a check against a known contact list. The attacks described in this campaign succeeded specifically because they bypassed this verification step through social engineering and perceived legitimacy from OpenAI’s brand and infrastructure.
Frequently Asked Questions
How can I verify that an OpenAI organization invite is legitimate?
Request verification through a separate communication channel with the person or organization allegedly sending the invite. Check the sender’s email domain carefully, though note that invitations are technically sent from OpenAI’s servers ([email protected]). Look for any request to share sensitive data or login credentials, which is a major red flag. When in doubt, contact your IT security team before accepting.
What happens if I already accepted a fraudulent OpenAI organization invite?
Immediately change your OpenAI password and enable two-factor authentication if you haven’t already. Review your account activity in the OpenAI security settings to see if any files were downloaded or conversations were accessed by unauthorized parties. Notify your company’s security team, as they may need to audit what information was shared and notify affected parties.
Did OpenAI’s security get breached in this attack?
No. OpenAI investigated the reports and found no evidence of a breach of their systems or databases. The attacks leveraged OpenAI’s legitimate features and social engineering rather than exploiting a technical vulnerability in OpenAI’s infrastructure.
Are other AI platforms vulnerable to similar attacks?
Yes, any platform that allows organization or team creation and sending invitations could be misused for similar social engineering attacks. Attackers have also impersonated other services using malicious domains and fake login pages, so the problem extends beyond OpenAI.
What makes cybersecurity professionals susceptible to these attacks?
Even security-conscious employees have limited time to scrutinize every collaboration request. Attackers used reconnaissance to send targeted, personalized invitations that appeared relevant to employees’ roles, and the use of OpenAI’s legitimate infrastructure made the requests appear authentic.
Should organizations block OpenAI access to prevent these attacks?
Blocking OpenAI entirely is overly restrictive and does not address the underlying social engineering problem. Better approaches include requiring verification of third-party invites through separate channels, training employees to recognize social engineering, and monitoring for suspicious account activity.
