LIVE FEED
MEDIUM Runaway AI Code Review Agents Burn $41K in Adversarial Disagreement Loop // HIGH Poisoned Tenant Attack Abuses OpenAI Workspaces to Target Cybersecurity Firms // FIRST LOOK First Look: OpenAI Launches GPT-5.6 Lineup with Enhanced Agentic and Cybersecurity … // FIRST LOOK First Look: Anthropic's Claude Mythos 5 Released Under U.S. Government Controlled Access … // MEDIUM 6,000 Prompt Injection Attempts Fail Against Frontier Model — But Risks Remain // FIRST LOOK First Look: OpenAI GPT-5.6 Released Under White House-Directed Controlled Access Program // FIRST LOOK First Look: GitHub Copilot Agentic Harness Evaluated Across Models and Tasks // FIRST LOOK First Look: Anthropic Tests Mobile Remote Control for Claude Cowork Agentic Desktop Tasks // HIGH Malware Embeds Policy-Triggering Text to Evade LLM-Based Security Scanners // FIRST LOOK First Look: OpenAI Launches Jalapeño Custom Inference Chip Built with Broadcom //
ATLAS OWASP HIGH Significant risk · Prioritise patching LLM Security Industry News Supply Chain RELEVANCE ▲ 7.2

Poisoned Tenant Attack Abuses OpenAI Workspaces to Target Cybersecurity Firms

SOURCE BleepingComputer ↗
TL;DR HIGH
  • What happened: Attackers create fake OpenAI tenants impersonating real companies to harvest sensitive employee data via ChatGPT.
  • Who's at risk: Cybersecurity and technology sector employees are most exposed due to targeted use of work email addresses and impersonation of their own organisations.
  • Act now: Train employees to verify the inviter's email domain before accepting any OpenAI organisation invitations · Establish an internal policy requiring out-of-band confirmation before joining any new ChatGPT workspace · Audit existing OpenAI tenant memberships to identify any unauthorised or unrecognised organisations employees have joined
Poisoned Tenant Attack Abuses OpenAI Workspaces to Target Cybersecurity Firms

Overview

A novel social engineering campaign dubbed ‘Poisoned Tenant’ is targeting cybersecurity and technology firms by exploiting OpenAI’s legitimate workspace invitation system. Threat actors register fraudulent ChatGPT organisations that impersonate real companies, then invite specific employees — identified through prior reconnaissance — to join them. Because invitations originate from OpenAI’s own notification infrastructure ([email protected]) and pass standard email authentication (SPF/DKIM/DMARC), they are virtually indistinguishable from genuine workspace onboarding emails.

The campaign was discovered by Push Security after several of their own employees received invitations to join a ChatGPT organisation named “Push Security Inc.” — one they had not created.

Technical Analysis

The attack chain is straightforward but effective:

  1. Tenant Registration: Attackers create an OpenAI organisation using personal Gmail accounts, naming it to match the target company.
  2. Targeted Invitations: Work email addresses of specific employees are used, suggesting prior OSINT or data-broker sourcing.
  3. Legitimate Delivery Vector: OpenAI sends the invitation on the attacker’s behalf from its own mail infrastructure, bypassing email security controls.
  4. Impersonation Inside the Workspace: Upon joining, victims encounter an attacker-controlled account posing as the company’s CEO, with pre-staged content designed to elicit sensitive information.
  5. Privilege Escalation by Design: Invited employees are granted Owner-level privileges, potentially allowing further manipulation of the tenant or invitation of additional targets.

OpenAI does include a domain-mismatch warning in the invitation email, but it appears as a low-prominence single line, easily overlooked.

Framework Mapping

  • AML.T0012 (Valid Accounts): Attackers abuse legitimate OpenAI account creation to establish a trusted operational base.
  • AML.T0047 (ML-Enabled Product or Service): The attack weaponises OpenAI’s ChatGPT platform infrastructure as the delivery mechanism.
  • AML.T0057 (LLM Data Leakage): The ultimate objective is inducing victims to submit sensitive corporate data into an attacker-monitored LLM workspace.
  • LLM06 (Sensitive Information Disclosure): Employees interacting with the fake workspace may inadvertently expose proprietary information.
  • LLM09 (Overreliance): The attack exploits implicit trust users place in familiar SaaS platforms, particularly enterprise AI tools.

Impact Assessment

The campaign specifically targets cybersecurity and technology companies — sectors whose employees routinely handle sensitive vulnerability data, client intelligence, and internal security tooling. An employee who submits details of an ongoing incident, a security assessment, or internal architecture into the fraudulent workspace would be providing high-value intelligence directly to attackers. The use of Owner-level privileges also means a compromised employee could inadvertently invite colleagues, amplifying the attack’s reach within an organisation.

Mitigation & Recommendations

  • Verify inviter identity out-of-band: Never accept OpenAI workspace invitations without confirming directly with the sender via a separate channel.
  • Check the inviter’s email domain: OpenAI’s warning about domain mismatches should be treated as an immediate red flag requiring investigation.
  • Establish an approved-workspace registry: Organisations should document and communicate which AI platform tenants employees are authorised to join.
  • Security awareness training: Include AI platform social engineering scenarios in phishing simulation programmes.
  • Monitor OpenAI organisation memberships: Periodically audit which ChatGPT workspaces employees are members of.
  • Request OpenAI platform controls: Advocate for stronger tenant verification and domain-matching enforcement at the platform level.

References

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.