You get an email from OpenAI. It looks real because it is real. Same sender, same formatting, passes the usual email checks. The catch: an attacker created a fake ChatGPT “organization” named after your company and invited you in. Push Security calls this the “Poisoned Tenant” play—abusing OpenAI’s legit invite flow to land a high-trust lure that can slide past common defenses. If you accept, you’re not just clicking a bad link. You’re stepping into the attacker’s workspace—and anything you type, upload, or build there can become the prize.
How the “Poisoned Tenant” invite actually works (and why it feels so safe)
The “Poisoned Tenant” trick works because nothing about the email has to be fake.
Attackers create a real ChatGPT organization (a tenant/workspace) inside OpenAI, name it after your company, then send OpenAI organization invites to real employees using their work email addresses. Push Security tracked this pattern after staff got invited into an “OpenAI organization” named after their business, even though it was attacker-created.
The mechanics, step by step (what happens behind the scenes)
Here’s the flow that makes OpenAI organization invite phishing feel “safe”:
- The attacker creates a new OpenAI tenant and sets the org name to something that looks official (your company name, your brand, your security team name).
- They invite employees directly (not random addresses). That targeting is the point—these invites go to people who would plausibly be added to a workspace.
- OpenAI sends the invite email from its real notification system—in the campaign described, the messages came from [email protected] and looked identical to standard workspace invitations.
- Because the email is generated by OpenAI’s infrastructure, it can pass email authentication checks that many defenses rely on (the same “this sender is legit” signals your gateway and users are trained to trust).
This is why it slips past the usual “hover the link, check the sender, look for typos” routine. The platform is doing the sending.
The subtle tell most people miss: the domain mismatch warning
OpenAI can include a warning that the inviter’s email domain doesn’t match the recipient’s company domain—but the problem is presentation. In real examples, it shows up as a single line inside an otherwise legitimate invite email. Easy to skim past, especially when the rest of the message looks exactly like every other SaaS invite you’ve ever accepted.
Why this is an “AI phishing trap,” not old-school phishing
Classic phishing tries to pull you onto a fake site.
A poisoned-tenant invite pulls you into a real ChatGPT workspace that an attacker controls. Once you’re inside, the “phish” isn’t a login page—it’s the normal work you do when you think you’re in your company’s AI environment.
That’s what makes a legitimate OpenAI invite email the most dangerous part of the chain: it creates trust before you’ve done anything risky.
The credibility tricks: researched targets, admin roles, and even a credit card
Once you understand you can be pulled into a real workspace, the next question is: why would smart people treat it like it’s legitimate?
Because the attackers don’t act like typical spray-and-pray phishers. They spend effort on credibility signals that match how real ChatGPT workspace rollouts look inside companies.
Trick #1: They pick specific people (not a big list)
In the Poisoned Tenant campaign Push Security analyzed, invites went to specific employees at the target company, suggesting the attacker researched who works there before sending the OpenAI organization invite.
That detail matters. When the “right” people get invited—security, engineering, IT, leadership—it feels like an internal rollout, not a scam.
Trick #2: They hand you the keys (Owner privileges)
Here’s the move that really messes with your instincts: invited users can be assigned Owner privileges inside the attacker-controlled ChatGPT organization. Push Security reported the invited employees were assigned Owner, giving them admin-level permissions over the tenant.
Owner access creates a false sense of legitimacy:
- “If I’m an Owner, this must be our real workspace.”
- “If this were malicious, why would they give me admin control?”
The answer is simple: control can be part of the lure. It lowers suspicion and nudges you to start “setting things up” like you normally would.
Trick #3: They add billing so it looks established
Attackers have also attached payment details to the organization. In the same campaign, a Visa credit card was already connected to the tenant’s billing account, which added legitimacy and removed friction from using paid features.
It’s subtle psychology:
- No “add a card” prompt
- No awkward “who’s expensing this?” moment
- A workspace that looks like someone already did the admin work
Push Security’s read is blunt: an attacker who just wants to spam people doesn’t usually go this far—naming the org after the target, researching employees, and attaching a card only pays off if targets actually join and start working inside the workspace.
What attackers get if you join: prompts are the data leak
The “Owner access” and “billing is already set up” details aren’t the end goal. They’re there to get you comfortable enough to start using the workspace.
Push Security’s view is that the objective is to convince employees to treat the attacker-controlled ChatGPT workspace as a legitimate corporate space, then collect anything sensitive that gets submitted in chats or projects.
The real payload: what people naturally paste into ChatGPT
Once someone believes “this is our company ChatGPT org,” normal work habits kick in. That’s where the leak happens.
Push specifically calls out how sensitive prompt data can be on an AI platform, including: source code, internal documents, customer data, security research, and strategic plans.
Here’s how that typically shows up in real workflows:
- “Quick review” prompts: pasting a config, log snippet, or policy text to get feedback.
- “Can you improve this?” prompts: dropping in internal docs, memos, or customer-facing templates.
- “Help me debug” prompts: sharing code, stack traces, API payloads, or architecture notes.
- Uploads for speed: attaching files because it’s faster than rewriting context.
None of that feels like “data exfiltration” while you’re doing it. It feels like Tuesday.
Why this isn’t a “stolen password” phish
This attack doesn’t need you to type credentials into a fake page.
It needs you to work like normal in the wrong place—inside an attacker-controlled tenant—so the content of your prompts becomes the asset. Push Security frames it plainly: the attacker’s investment only pays off if employees join and start using the organization.
That mindset shift is the whole trap. You’re not being tricked into logging in. You’re being tricked into trusting where you’re already logged in.
A practical defense plan: verify, train, monitor, and reduce what can leak
If this attack works by getting people to behave normally inside the wrong tenant, your defenses have to focus on verification and containment, not just “block bad links.”
Push Security’s own recommendations are straightforward: train employees to verify unexpected organization invitations and monitor SaaS organization memberships, because attackers are abusing legitimate invite/notification features.
1) Verify unexpected OpenAI organization invites (out-of-band)
Treat any unexpected ChatGPT workspace / OpenAI organization invitation like a calendar invite from a stranger: it might be real, but it’s not automatically right.
Use a quick internal checklist:
- Ask in a channel you already know (Slack/Teams/email thread you already have): “Did we create a new ChatGPT org and invite people?”
- Confirm the inviter identity: who is the actual admin account sending invites, and is it a company-controlled address?
- If you didn’t request it, don’t accept it until IT/security confirms it’s part of an approved rollout.
2) Train people on the easy-to-miss warning line
OpenAI includes a warning when the inviter’s email domain doesn’t match the recipient’s company domain, but it can appear as just a single line inside an otherwise normal invite.
Training that works is specific:
- Show employees what the domain-mismatch warning looks like.
- Make it a hard rule: domain mismatch = stop and verify.
3) Monitor SaaS memberships and invitations like you monitor logins
This campaign is part of a broader trend: attackers abusing platform invitation flows.
What to monitor:
- New org memberships for ChatGPT/OpenAI and other SaaS tools
- Pending invites sent to employees
- Users being granted admin/Owner roles unexpectedly
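The three signals above, plus the domain-mismatch tell, can be combined into one triage rule. This is an added example, not code from Push Security or OpenAI; the invite record schema, field names, company name list and approved-org list are assumptions, and the sample records are constructed.

```python
import re
from dataclasses import dataclass

COMPANY_DOMAIN = "example.com"           # assumption: corporate mail domain
COMPANY_NAMES = ("example",)             # assumption: names a fake org might use
APPROVED_ORG_IDS = {"org-approved-001"}  # assumption: "approved AI workspace" list

@dataclass
class Invite:
    """Hypothetical record parsed from mail-gateway or SaaS audit data."""
    recipient: str
    inviter: str
    org_id: str
    org_name: str
    role: str

def triage(inv: Invite) -> list[str]:
    """Return reasons the invite needs out-of-band verification ([] if none)."""
    if inv.org_id in APPROVED_ORG_IDS:
        return []
    reasons = ["org not on approved workspace list"]
    # The domain-mismatch tell: inviter is not a company-controlled address.
    if inv.inviter.rsplit("@", 1)[-1].lower() != COMPANY_DOMAIN:
        reasons.append("inviter domain mismatch")
    # An unapproved org carrying the company's name is the core of the lure.
    org = re.sub(r"[^a-z0-9 ]", "", inv.org_name.lower())
    if any(name in org for name in COMPANY_NAMES):
        reasons.append("org name imitates company")
    # Owner on first join is a credibility signal, not proof of legitimacy.
    if inv.role.lower() == "owner":
        reasons.append("owner role granted on join")
    return reasons

def report(invites: list[Invite]) -> dict[str, list[str]]:
    """Map each employee recipient to the reasons their invite was flagged."""
    flagged = {}
    for inv in invites:
        if inv.recipient.lower().endswith("@" + COMPANY_DOMAIN):
            reasons = triage(inv)
            if reasons:
                flagged[inv.recipient] = reasons
    return flagged

# Constructed sample records (not real data).
SAMPLE = [
    Invite("alice@example.com", "it-admin@example.com", "org-approved-001", "Example Corp", "Member"),
    Invite("bob@example.com", "setup@mail-example.net", "org-unknown-777", "Example Corp Security", "Owner"),
    Invite("carol@example.com", "pal@hobby.example.org", "org-unknown-123", "Chess Club", "Member"),
]
```

Calling `report(SAMPLE)` flags the second and third records; anything flagged goes to the out-of-band check in step 1 rather than being accepted or blocked automatically.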
4) Reduce what can leak through prompts and projects
You can’t rely on perfect user judgment, especially when the UI looks normal.
Set “default safe” habits:
- Label what data is never OK to paste into AI tools (customer data, secrets, unreleased strategy, proprietary code).
- Encourage sanitized inputs: remove identifiers, redact secrets, shorten samples.
- Keep an internal “approved AI workspace” list so people know where work should happen.
5) For individuals: don’t hand out your core identity to every tool
If you’re joining new tools or testing invites and you don’t fully trust the workspace owner yet, it helps to not expose your real email and phone by default.
Cloaked is useful here in a practical, non-flashy way: you can use masked emails and phone numbers for signups so your primary contact details aren’t the thing getting harvested or resold if the “invite” turns out to be a trap.


