Push Security published research on a campaign it calls a “poisoned tenant” attack targeting OpenAI’s business workspace feature. Attackers register a new OpenAI tenant configured to display a target company’s name, then invite specific employees to join it. Because OpenAI’s invitation emails are sent directly from OpenAI’s own domain, and display the (spoofed) company name, the invite looks fully legitimate to the recipient.
Once an employee accepts the invite, they land in the tenant with what appears to be administrative visibility — including the ability to see other pending invitations sent to colleagues, reinforcing the impression that this is their company’s real, official workspace. Attackers reportedly go as far as attaching a valid payment card to the tenant to make it look properly provisioned rather than throwaway infrastructure.
The actual goal isn’t credential theft in the traditional sense — it’s getting the employee to believe they’re using their company’s sanctioned ChatGPT environment and to start conversing normally, including pasting internal documents, code, or business-sensitive information into prompts. Since the attacker controls the tenant, every conversation the employee has is visible to them, turning what looks like a private, corporate-sanctioned AI session into a live data exfiltration channel.
This attack works because it abuses a legitimate platform feature rather than exploiting a vulnerability, making it hard to catch with traditional email security tools. Security teams should treat unsolicited SaaS tenant invitations — even from verified sending domains — as a phishing vector, and should have a documented, verifiable process for employees to confirm which AI tenant is actually sanctioned by IT before they start feeding it corporate data.