Security firm Push Security published research documenting a novel and well-resourced attack campaign targeting corporate ChatGPT usage. The attack leverages a legitimate OpenAI feature — the ability to create a tenant and invite users to it — to impersonate a company’s official OpenAI workspace and intercept employee conversations.
The attack flow is straightforward: attackers register an OpenAI tenant using the target company’s name, then send invitation emails to specific employees. Because the invitation arrives from an official OpenAI domain and displays the company name, it looks entirely legitimate. To further build credibility, the attackers attach a real credit card to the tenant so billing details appear in order.
Once an employee accepts the invitation, they see what appears to be a company-managed ChatGPT workspace — complete with admin-level permissions and visibility into other employees who have been invited. From that point, any conversation the employee has in that tenant is fully visible to the attackers.
Push Security assesses that the goal is to passively collect sensitive corporate data that employees share with ChatGPT: internal processes, code, customer data, financial details, and anything else that routinely ends up in AI prompts. There is no malware, no phishing page, and no credential theft — just a social engineering play that exploits trust in a familiar product.
The attack is a direct consequence of AI tools becoming a standard part of the work environment before clear governance policies are in place. If your employees don’t know what your company’s official OpenAI organization looks like — or whether one even exists — they have no way to recognize this kind of impersonation.