The Phishing Email Just Got a New Sender
Here's the thing about phishing that nobody talks about enough: it works because of trust, not deception. The email came from [email protected]. It passed SPF, DKIM, and DMARC checks. It looked exactly like every other legitimate SaaS invite you've accepted without thinking about it once in the past three years. That's not a bug in the attack — that's the whole point.
Push Security discovered what they're calling the "Poisoned Tenant" campaign after multiple employees at their company started receiving invitations to join an OpenAI organization named "Push Security Inc." The catch? The tenant had been created by an attacker using a Gmail address. Not a domain-spoofed email. Not a lookalike URL. The actual invitation came from OpenAI's infrastructure, authenticated and delivered through the same channels that deliver every legitimate org invite on the platform.
This is a fundamentally different threat model than what most security teams are prepared for. We've spent years building email gateways, training users to spot suspicious senders, and flagging domain mismatches. None of that matters when the invitation originates from a platform you already trust.
How the Campaign Actually Works
The attack starts with reconnaissance. The threat actors didn't randomly spray invitations — they identified specific employees at Push Security using their work email addresses. That means someone took the time to research who works there, what roles they hold, and which of them would have access to sensitive data. This isn't a script kiddie operation.
Once they had the target list, they created an OpenAI tenant impersonating Push Security. The organization name matched exactly. A single attacker-controlled account posed as CEO Adam Bateman — again, using a Gmail address, but one that would only look suspicious if you actually checked the sender's email domain.
Here's where it gets clever: OpenAI does include a warning that the inviter's email domain doesn't match the recipient's company domain. But it appears as a single line within an otherwise perfectly legitimate invitation email. I've accepted dozens of org invites in my career and never once read that warning line. Most people haven't either.
The invitations targeted employees with work email addresses and granted them Owner privileges — full administrative permissions over the tenant. Anyone who accepted could see other pending invitations and confirm that none of their colleagues had joined yet. A Visa credit card was already attached to the org's billing account, which serves two purposes: it adds legitimacy (real companies pay for ChatGPT), and it removes another potential red flag by enabling premium features without suspicion.
The project within the tenant was completely empty. No existing chats. No prior projects. Nothing. The goal isn't to show you something — it's to get you to use the workspace.
What They're Actually After
Let's be clear about the objective here. The attackers don't want you to click a link, download a file, or enter credentials into a fake login page. They want you to do what employees do every day: paste source code into ChatGPT to debug it, ask the model to summarize internal documents, run security research through prompts, or draft strategic plans using company data.
"An attacker who just wants to spray scam content through a trusted email channel doesn't name the organization after their target, research individual employees, or attach a credit card," Push Security wrote. "That investment only pays off if employees actually join the organization and start using it. And on an AI platform, the data people put into prompts can be extraordinarily sensitive — source code, internal documents, customer data, security research, strategic plans."
Think about what that means for a cybersecurity firm. Their entire business is built on security research, vulnerability data, incident response playbooks, and client engagement details. Every prompt submitted to a ChatGPT workspace becomes part of the tenant's data — and in this case, that tenant is controlled by an attacker.
The empty project is the tell. A legitimate corporate ChatGPT org would have existing conversations, shared projects, documented workflows. An empty workspace with no history is a blank canvas waiting for you to fill it with your own data. The longer employees use the tenant, the more sensitive information flows into the attacker's hands.
This is part of a broader pattern where attackers are finding new ways to compromise AI-powered development environments. For context on how malicious supply chain packages are also targeting AI coding agents with credential stealers, see "73 Malicious Packages Target AI Coding Agents with Self-Replicating Credential Stealer."
Why This Changes How We Think About SaaS Security
The broader implication here is uncomfortable. For years, we've treated platform-originated notifications as inherently trustworthy. If Slack sends you a message from [email protected], it's real. If GitHub invites you to a repo via their notification system, it's legitimate. We've built our entire email security posture around the assumption that platform infrastructure is a trusted channel.
The Poisoned Tenant campaign exploits exactly this assumption. The invitations bypass email security controls because they are legitimate emails from the platform itself. They can't be filtered by sender reputation, domain analysis, or content inspection — because the content is identical to a normal org invite.
This mirrors the same structural weakness that traditional secure email gateways struggle with: when attacks come through channels you've already whitelisted, signature-based and rule-based defenses are blind. Organizations defending against payload-less social engineering attacks face the same fundamental challenge, which is why cybersecurity incident response is pivoting to behavioral AI email protections that analyze intent rather than just message headers.
All affected organizations identified so far are in cybersecurity or technology. That's not accidental. Attackers are prioritizing targets with the highest-value intellectual property — companies whose employees regularly process source code, security research, and confidential strategic data through AI platforms.
This is part of a wider trend of attackers abusing legitimate invitation and notification features built into SaaS platforms. The pattern is clear: instead of fighting your security controls, attackers are using the tools you've already whitelisted against you.
What Defenders Should Actually Do
There's no technical fix for this. OpenAI can add more prominent warnings, but human behavior doesn't change based on UI placement — we've proven that with cookie consent banners and terms-of-service popups for over a decade. The solution has to be behavioral.
First, train employees to verify unexpected organization invitations — not with a generic "be suspicious of emails" message, but with specific guidance: if you receive an invite to join a ChatGPT org named after your company and you didn't initiate it, don't accept. Period.
Second, monitor SaaS organization memberships. If your employees are using ChatGPT for work (and most of them are, whether IT knows it or not), you need visibility into which organizations they're joining. An employee accepting an invite to a fraudulent tenant should trigger the same alert as them installing an unapproved SaaS tool.
Third, and this is the part that's hard to hear: treat platform-originated notifications with the same skepticism you'd apply to any other unsolicited request. The sender address is not proof of legitimacy when the platform itself can be used to create impersonation tenants. The authentication headers are not proof of trust when the platform's invitation system is the attack vector.
The credit card attachment, the Owner privileges, the empty project — these are all signals that a human would recognize as anomalous if they paused long enough to notice them. The problem isn't that the signals are hidden. It's that we've trained ourselves not to look.
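A triage sketch for the membership monitoring and invite verification described above. This is an added example, not code from Push Security or OpenAI. It assumes invite metadata has already been extracted from mail or SaaS audit logs, and the field names, allowlist and domains are all hypothetical.

```python
import re
from dataclasses import dataclass

# Hypothetical values for this example; replace with your own inventory.
CORP_DOMAINS = {"acme-robotics.example"}
COMPANY_NAMES = {"acme robotics"}
SANCTIONED_ORG_IDS = {"org-sanctioned-001"}
LEGAL_SUFFIXES = {"inc", "ltd", "llc", "gmbh", "co"}

@dataclass
class Invite:
    org_id: str
    org_name: str
    inviter_email: str
    role: str
    dmarc_pass: bool  # recorded, but never used as a trust signal below

def normalise(name: str) -> str:
    """Lowercase, drop punctuation and legal suffixes: 'Acme Robotics Inc.' -> 'acme robotics'."""
    words = re.sub(r"[^a-z0-9]+", " ", name.lower()).split()
    return " ".join(w for w in words if w not in LEGAL_SUFFIXES)

def triage(inv: Invite) -> tuple[str, list[str]]:
    """Return (verdict, reasons). Passing SPF/DKIM/DMARC does not lower the
    verdict, because the platform itself sends the invite."""
    if inv.org_id in SANCTIONED_ORG_IDS:
        return "allow", []
    reasons = ["org not on sanctioned list"]
    impersonates = normalise(inv.org_name) in COMPANY_NAMES
    external = inv.inviter_email.rsplit("@", 1)[-1].lower() not in CORP_DOMAINS
    if impersonates:
        reasons.append("org name matches company name")
    if external:
        reasons.append("inviter outside corporate domain")
    if inv.role.lower() == "owner":
        reasons.append("invite grants Owner role")
    return ("block" if impersonates and external else "review"), reasons

# Constructed sample records, not real invitation data.
SAMPLES = [
    Invite("org-sanctioned-001", "Acme Robotics", "it-admin@acme-robotics.example", "Member", True),
    Invite("org-unknown-777", "Acme Robotics Inc.", "ceo.lookalike@gmail.com", "Owner", True),
    Invite("org-unknown-888", "Vendor Sandbox", "pm@vendor.example", "Member", True),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.org_name, *triage(s))
```

All three sample invites pass DMARC, and the verdicts still differ: the decision rests on the sanctioned-tenant list and the inviter's domain, not on the sender's authentication.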
The Bigger Picture
Push Security's VP of Research & Development, Luke Jennings, accepted one of the invitations specifically to investigate. What he found was a perfectly constructed trap: a legitimate-looking org, an attached payment method, administrative privileges for invited users, and a completely empty workspace waiting to be filled with corporate data.
The attack doesn't require malware. It doesn't exploit a vulnerability in ChatGPT itself. It exploits the fact that employees trust platform notifications, that security teams have whitelisted OpenAI's email infrastructure, and that the cost of creating a fraudulent tenant is essentially zero.
This isn't going away. The same technique can be applied to any SaaS platform with an invitation system — Slack workspaces, GitHub organizations, Azure AD tenants, Google Workspace domains. The Poisoned Tenant campaign is just the first documented example of someone weaponizing this pattern at scale against high-value targets.
As AI continues to reshape both the offense and defense sides of cybersecurity, understanding these emerging vectors is critical. The speed crisis facing traditional security operations means defenders need to adapt faster than ever — and the Poisoned Tenant campaign is a clear signal that the next wave of attacks will target the trust relationships we've built into our most widely adopted platforms.
The question isn't whether your organization will face an attack like this. It's whether your employees have been trained to notice when a legitimate-looking invitation doesn't quite add up.