Poisoned Tenant: Attackers Impersonate Companies on OpenAI to Harvest Sensitive Data
A new 'Poisoned Tenant' campaign sees threat actors creating fake **OpenAI** organizations, impersonating legitimate companies, and inviting employees to join. The sophisticated phishing attempt aims to trick users into submitting sensitive corporate information into attacker-controlled **ChatGPT** workspaces, bypassing traditional email security measures due to the legitimate origin of the invitations.
Threat actors are leveraging **OpenAI's** platform to launch a cunning social engineering campaign, dubbed 'Poisoned Tenant' by **Push Security**. This campaign involves creating fraudulent **OpenAI** tenants that meticulously impersonate legitimate companies, then sending invitations to their employees.
### The Mechanics of Deception
**Push Security** uncovered the campaign after several of its employees received invitations to an **OpenAI** organization named 'Push Security Inc.' While the invitation itself was legitimate, originating directly from **OpenAI's** own notification address and passing email authentication checks, the underlying **ChatGPT** tenant had been established by an attacker using generic Gmail addresses.

Further investigation by **Push Security** revealed that other companies, particularly within the cybersecurity and technology sectors, have also been targeted with similar invitations.
### Attacker-Controlled Organizations
The invitations were highly targeted, sent to specific employees' work email addresses, indicating prior reconnaissance by the attackers. Although **OpenAI** includes a subtle warning about the inviter's email domain not matching the recipient's company domain, this crucial detail is easily overlooked within the legitimate-looking email.
**Luke Jennings**, VP, Research & Development at **Push Security**, accepted one of these invitations to understand the attack's full scope. Upon acceptance, he was added to the fraudulent organization, which not only impersonated **Push Security** but also featured a single attacker-controlled account, using a Gmail address, posing as the company's CEO, **Adam Bateman**.
Intriguingly, the invited employees were granted 'Owner' privileges within the fake organization, conferring administrative control over the tenant. This access allowed **Push Security** to confirm that none of the other targeted employees had joined. They also discovered a Visa credit card already attached to the organization's billing account, adding another layer of perceived legitimacy.

### The Objective: Data Harvesting
While the fake **ChatGPT** project was initially empty, **Push Security** believes the attackers' primary goal is to entice employees into using this fraudulent workspace as if it were a legitimate corporate platform. Any sensitive information submitted through prompts (source code, internal documents, customer data, or strategic plans) would then be accessible to the attackers.
**Push Security** emphasizes that the attackers' investment in reconnaissance, naming the organization after the target, and attaching a payment method indicates a sophisticated scheme beyond simple spam. This commitment suggests a clear intent to foster trust and encourage active engagement with the attacker-controlled workspace.
### A Broader SaaS Security Concern
This campaign highlights a growing trend of attackers exploiting legitimate invitation and notification features embedded within Software-as-a-Service (SaaS) platforms. Unlike conventional phishing, these invitations originate from the platform's own trusted infrastructure, making them highly effective at bypassing standard email security controls.
To mitigate the risks associated with such attacks, organizations are advised to implement robust employee training programs focused on verifying unexpected organization invitations. Additionally, continuous monitoring of SaaS organization memberships is crucial for detecting and responding to potential compromises.
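As an added example (not code from Push Security or OpenAI), one way to turn the monitoring advice above into a triage rule: it runs over constructed invitation records, assumes the defender's own domain and company name, and keys on the inviter-domain mismatch the article describes rather than on email authentication, which these invitations pass.

```python
import re
from dataclasses import dataclass

# Assumptions for this example: the defender's own domain and company name.
CORPORATE_DOMAIN = "push-security.example"
COMPANY_NAME = "Push Security"
CONSUMER_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
ORG_SUFFIXES = {"inc", "ltd", "llc", "corp", "gmbh", "co"}

@dataclass
class Invite:
    recipient: str      # employee mailbox that received the invitation
    org_name: str       # name of the SaaS organization (tenant) being joined
    inviter_email: str  # account that created the invitation inside the platform
    auth_passed: bool   # SPF/DKIM/DMARC result on the platform's notification mail

def normalize_org(name: str) -> str:
    """Lower-case, drop punctuation and corporate suffixes: 'Push Security Inc.' -> 'push security'."""
    words = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(w for w in words if w not in ORG_SUFFIXES)

def mail_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def triage_invite(inv: Invite) -> tuple[str, list[str]]:
    """Return (verdict, reasons); a passing SPF/DKIM check is not a point in the invite's favour."""
    reasons = []
    inviter_domain = mail_domain(inv.inviter_email)
    impersonates = normalize_org(inv.org_name) == normalize_org(COMPANY_NAME)
    poisoned = impersonates and inviter_domain != CORPORATE_DOMAIN
    if poisoned:
        reasons.append("org named after the company but inviter is outside the corporate domain")
    if inviter_domain in CONSUMER_MAIL_DOMAINS:
        reasons.append(f"inviter uses a consumer mailbox ({inviter_domain})")
    if not inv.auth_passed:
        reasons.append("notification failed email authentication")
    if poisoned:
        return "alert", reasons  # the Poisoned Tenant pattern
    return ("review" if reasons else "allow"), reasons

# Constructed sample records modelled on the campaign described in the article.
SAMPLE_INVITES = [
    Invite("alice@push-security.example", "Push Security Inc.", "ceo.pushsec@gmail.com", True),
    Invite("bob@push-security.example", "Push Security", "it-admin@push-security.example", True),
    Invite("carol@push-security.example", "Acme Partner Portal", "ops.acme@outlook.com", True),
]

def run_triage(invites=SAMPLE_INVITES) -> dict[str, str]:
    return {inv.recipient: triage_invite(inv)[0] for inv in invites}
```

A consumer-mailbox inviter alone is only queued for review; the combination of a company-named tenant and an inviter outside the corporate domain is what raises an alert.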