Attackers Set Up Fake OpenAI Tenants to Harvest Corporate ChatGPT Data

Push Security details a campaign where attackers create legitimate-looking OpenAI tenants impersonating a target company to intercept sensitive employee conversations with ChatGPT.


Push Security published research on a campaign it calls a “poisoned tenant” attack targeting OpenAI’s business workspace feature. Attackers register a new OpenAI tenant configured to display a target company’s name, then invite specific employees to join it. Because OpenAI’s invitation emails are sent directly from OpenAI’s own domain and display the (spoofed) company name, the invite looks fully legitimate to the recipient.

Once an employee accepts the invite, they land in the tenant with what appears to be administrative visibility — including the ability to see other pending invitations sent to colleagues, reinforcing the impression that this is their company’s real, official workspace. Attackers reportedly go as far as attaching a valid payment card to the tenant to make it look properly provisioned rather than throwaway infrastructure.

The actual goal isn’t credential theft in the traditional sense — it’s getting the employee to believe they’re using their company’s sanctioned ChatGPT environment and to start conversing normally, including pasting internal documents, code, or business-sensitive information into prompts. Since the attacker controls the tenant, every conversation the employee has is visible to them, turning what looks like a private, corporate-sanctioned AI session into a live data exfiltration channel.

This attack works because it abuses a legitimate platform feature rather than exploiting a vulnerability, making it hard to catch with traditional email security tools. Security teams should treat unsolicited SaaS tenant invitations — even from verified sending domains — as a phishing vector, and should have a documented, verifiable process for employees to confirm which AI tenant is actually sanctioned by IT before they start feeding it corporate data.

Why it matters: Employees increasingly treat their org's ChatGPT workspace as trusted internal infrastructure and paste sensitive data into it — if you can't verify tenant legitimacy at invite time, assume some fraction of your team is one convincing invite email away from leaking data to an attacker-controlled tenant.
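A mail-triage sketch of that verification step, added here as an illustration and not taken from Push Security's research: it shows why a sender-authentication check passes the poisoned invite while a check keyed on the inviter holds it. The sending domain, invite wording, company name, allowlist and sample messages are all assumptions constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions, not from the article: the vendor sending domain, the invite
# wording, the company name and the inviter allowlist that IT maintains.
VENDOR_DOMAIN = "openai.com"
COMPANY_NAME = "Acme Corp"
SANCTIONED_INVITERS = {"it-saas-admin@acme.example"}
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def from_vendor(msg):
    """Authenticated vendor mail; trust only your own gateway's auth header."""
    domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    auth = (msg["Authentication-Results"] or "").lower()
    on_domain = domain == VENDOR_DOMAIN or domain.endswith("." + VENDOR_DOMAIN)
    return on_domain and "dkim=pass" in auth

def naive_verdict(msg):
    """Sender-reputation logic; the poisoned invite satisfies it."""
    return from_vendor(msg) and COMPANY_NAME in (msg["Subject"] or "")

def triage_invite(msg):
    """Key the decision on who issued the invite, not on who delivered it."""
    if not from_vendor(msg) or "invit" not in (msg["Subject"] or "").lower():
        return "not_vendor_invite"
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    found = {a.lower() for a in ADDR_RE.findall(body)}
    inviters = found - {parseaddr(msg["To"] or "")[1].lower()}
    # Every address must be sanctioned; the display name carries no weight.
    if inviters and inviters <= SANCTIONED_INVITERS:
        return "sanctioned"
    return "hold_for_it_verification"

def make_msg(inviter, sender="noreply@openai.com"):
    """Constructed sample message, not a real invitation email."""
    return message_from_string(
        f"From: Workspace invites <{sender}>\n"
        "To: employee@acme.example\n"
        "Subject: You have been invited to join Acme Corp\n"
        "Authentication-Results: mx.acme.example; dkim=pass\n"
        "Content-Type: text/plain\n\n"
        f"{inviter} invited you to the Acme Corp workspace.\n",
        policy=policy.default)

REAL = make_msg("it-saas-admin@acme.example")
POISONED = make_msg("j.smith.acme@mailbox.example")
```

Both sample messages pass `naive_verdict`; only `triage_invite` separates them. A production rule would read the inviter or tenant identifier from the vendor's actual invitation template instead of a body-wide regex.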
