Attackers are building fake ChatGPT workspaces that look like a target’s own company, then using real OpenAI invitation emails to make employees walk sensitive data into the trap. The campaign around fraudulent OpenAI organization invites was reported by BleepingComputer, after Push Security found attackers creating OpenAI tenants that impersonated legitimate firms.

Fake OpenAI Invites Lure Security Staff into ChatGPT Trap
XOOMAR Intelligence
Analyst Take
The sharp point is not that someone spoofed an email. Push Security says the invite came from OpenAI’s legitimate notification address, [email protected], passed email authentication checks, and looked like a normal invitation to join an organization’s ChatGPT workspace. That makes the tactic more dangerous than a sloppy phishing lure.
Fake OpenAI workspaces turn ChatGPT collaboration into a phishing trap
The reported campaign targets a soft spot in AI adoption: trust in collaboration flows. Employees are trained to doubt strange links and attachments. They’re less conditioned to question a legitimate platform invitation that appears to add them to a company workspace.
Push Security discovered the activity after multiple employees received invitations to join an OpenAI organization named “Push Security Inc.” The tenant was not created by Push Security. It was attacker-controlled and built using Gmail addresses, according to the report.
BleepingComputer says Push Security was told other customers had received similar invitations, and that all were in the cybersecurity or technology space. That targeting matters. The source does not prove any data was stolen, but it shows attackers are probing firms whose staff may handle source code, internal documents, customer data, security research, and strategic plans.
XOOMAR analysis: this is phishing without the usual demand for credentials. The attacker’s bet is cleaner. Create a believable AI workspace, get the employee inside, then wait for the employee to submit the sensitive material voluntarily.
How fraudulent OpenAI organization invites can extract sensitive company data
The attack chain is simple enough to scale, if platform controls allow it.
| Step | Reported behavior | Risk created |
|---|---|---|
| Tenant creation | Attackers create an OpenAI organization using the target company’s name | The workspace looks familiar before the employee even opens it |
| Invite delivery | OpenAI sends the invitation from its real notification infrastructure | Email authentication checks are less useful |
| Employee acceptance | The target joins what appears to be a company ChatGPT tenant | Trust shifts from email scrutiny to workplace habit |
| Data submission | The workspace is used for chats or projects | Prompts, files, and context may expose sensitive information |
Push Security tested the lure directly. Luke Jennings, VP, Research & Development at Push Security, accepted one invitation. He was added to the fraudulent organization, which contained a single attacker-controlled Gmail account posing as Adam Bateman, Push Security’s CEO.
The invited employees had been assigned Owner privileges. That gave them administrative access to the tenant, including the ability to view pending invitations. Push Security confirmed that none of the targeted employees had joined the fake organization.
A Visa credit card had also been attached to the billing account. Push Security interpreted that as a way to reduce suspicion and make premium features available without prompting the invited users to question the setup.
"An attacker who just wants to spray scam content through a trusted email channel doesn't name the organization after their target, research individual employees, or attach a credit card."
That line from Push Security captures the intent. This looks less like spam and more like preparation for data collection.
The numbers that matter are inside the workflow
There are no public victim counts in the source. There is no confirmed data theft figure. The known data points are narrower, but still useful.
- June 26, 2026: BleepingComputer published the report.
- Multiple employees: Push Security staff received the fraudulent invites.
- One fake tenant: The investigated workspace impersonated Push Security Inc.
- Owner privileges: Invited employees were given admin-level access.
- One attacker-controlled Gmail account: That account posed as the company CEO.
- One payment method: A Visa card was attached to the tenant.
- Zero confirmed joins by targeted Push employees: Push Security checked pending invitations and found none had accepted.
The measurement gap is the real issue. Security teams can count blocked emails. They can review identity events. But a legitimate SaaS invitation from a trusted provider sits in a blurrier zone. It may not look like malware, credential theft, or account takeover.
For readers tracking related social-engineering patterns, XOOMAR’s coverage of Fake Receipts Hijack Shop App in Callback Phishing Trap is a useful adjacent read. The OpenAI case has a different mechanism, but the shared lesson is blunt: ordinary business workflows can become delivery channels for fraud.
Cybersecurity firms face the irony of attackers targeting their AI habits
The source says the known targets were in cybersecurity or technology. That is enough to make the targeting notable, without overstating what attackers obtained.
Security firms are attractive because the material they may place into AI tools can be unusually rich. Push Security itself listed examples: source code, internal documents, customer data, security research, and strategic plans. None of that needs to be stolen from a database if an employee pastes it into the wrong workspace.
The reputational risk is also different from a conventional breach. If a company’s internal systems are not compromised, but employees are tricked into entering sensitive material into an attacker-controlled AI tenant, clients may still ask the same question: how did the firm lose control of its information flow?
XOOMAR analysis: AI workspaces now sit close to the center of knowledge work. That makes organization naming, tenant ownership, billing signals, admin roles, and invite provenance part of the security perimeter. Treating ChatGPT access as a casual productivity add-on leaves too much room for impersonation.
Employees, CISOs, OpenAI, and attackers read the same invite differently
An employee may see convenience. The invite arrives from OpenAI, names the employer, and asks them to join a workspace. If they are busy, that may feel routine.
A CISO sees an identity and data governance problem. Who is allowed to create a company-named AI tenant? Which domain controls prove ownership? Can admins see where employees have joined? Are retention, logging, and project settings known?
OpenAI has a platform-design problem to solve. The source says the invite did include a warning that the inviter’s email domain did not match the recipient’s company domain, but that warning appeared as a single line inside an otherwise legitimate invitation email. The question is whether that is strong enough for a high-trust enterprise tool.
Attackers see low friction. No exploit chain is needed if the target types the sensitive context directly into the attacker’s workspace.
For broader OpenAI coverage, see XOOMAR’s OpenAI Jalapeño Chip Attacks the AI Inference Bill. The security issue here is separate, but both stories sit around the same operational reality: AI infrastructure is becoming business infrastructure.
From fake SaaS portals to fake AI tenants, the interface changed
Push Security says the campaign reflects a broader pattern of attackers abusing legitimate invitation and notification features in SaaS platforms. That matters because these messages originate from the platform’s own systems. They are not necessarily forged emails.
The continuity is obvious: attackers exploit trusted brands and routine business actions. The difference with AI workspaces is the payload. The prize is not only account access. It can be the context inside prompts, chats, projects, and uploaded files.
That makes fraudulent OpenAI organization invites especially uncomfortable. The victim may not feel compromised. They may feel productive.
Companies using ChatGPT at work need named owners and clear rules
The prescription is not complicated, but it has to be explicit.
- Workspace ownership: Publish the official company OpenAI organization name and the internal owner responsible for it.
- Invite verification: Train employees to verify unexpected AI workspace invitations through an approved internal channel.
- Domain controls: Use enterprise-managed accounts and domain-based controls where available.
- Data rules: Tell staff what can and cannot be pasted into AI tools. Keep it short enough to remember.
- Monitoring: Review SaaS organization memberships and watch for employees joining suspicious tenants.
- Reporting path: Give employees a fast way to report questionable AI invites without turning it into a bureaucratic ticket maze.
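One way to triage workspace invitations for the invite-verification and monitoring items above, as an added example that is not code from Push Security, BleepingComputer or OpenAI. The company name, approved inviter, sender address and invite wording are constructed assumptions; the point is that the authentication result is recorded but never used as the trust signal.

```python
import re
from email import message_from_string

# Assumptions (not from the article): the company's names, and the workspace
# admins its internal owner has published as the only approved inviters.
COMPANY_NAMES = {"Northwind Labs"}
APPROVED_INVITERS = {"it-admin@northwind-labs.test"}
SUFFIXES = {"inc", "llc", "ltd", "limited", "co", "corp", "gmbh"}
# Hypothetical invite wording; a real platform's template will differ.
INVITE_RE = re.compile(
    r"(?P<inviter>[\w.+-]+@[\w.-]+) has invited you to join the organization "
    r"(?P<org>.+?) on ", re.I)

def normalize(name):
    """'Northwind Labs, Inc.' -> 'northwind labs' (case, punctuation, legal suffix)."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in SUFFIXES)

def triage_invite(raw):
    msg = message_from_string(raw)
    auth = msg.get("Authentication-Results", "").lower()
    # Recorded for the analyst only: the platform really sent this mail, so a
    # pass says nothing about who owns the tenant.
    auth_pass = "spf=pass" in auth and "dkim=pass" in auth
    m = INVITE_RE.search(msg.get_payload())
    if not m:
        return {"verdict": "not-an-invite", "auth_pass": auth_pass}
    inviter, org = m["inviter"].lower(), m["org"].strip()
    named_after_us = normalize(org) in {normalize(n) for n in COMPANY_NAMES}
    if named_after_us and inviter in APPROVED_INVITERS:
        verdict = "official"
    elif named_after_us:
        verdict = "impersonation"      # our name, but not our published admin
    else:
        verdict = "external-tenant"    # still needs the internal approval path
    return {"verdict": verdict, "org": org, "inviter": inviter, "auth_pass": auth_pass}

def sample(inviter, org):
    """Constructed test message; headers and body are illustrative only."""
    return (
        "From: Platform Notifications <noreply@ai-platform.example>\n"
        "To: dana@northwind-labs.test\n"
        "Authentication-Results: mx.northwind-labs.test; spf=pass; dkim=pass\n"
        "Subject: Organization invitation\n\n"
        f"{inviter} has invited you to join the organization {org} on the platform.\n")

FAKE = sample("ceo.northwind@freemail.example", "Northwind Labs Inc.")
REAL = sample("it-admin@northwind-labs.test", "Northwind Labs")
```

Both constructed messages pass SPF and DKIM; only the comparison against the published workspace name and approved inviters separates them.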
BleepingComputer contacted OpenAI to ask whether it had received more reports, what protections organizations can use, and whether additional safeguards are planned. The source says the article would be updated if OpenAI responded.
Where fake OpenAI organization invites could go next
The source does not prove this campaign has spread beyond cybersecurity and technology firms. It does show a repeatable technique: create a lookalike AI tenant, use legitimate OpenAI email infrastructure, assign convincing roles, and reduce warning signs with billing and naming details.
The evidence that would confirm the thesis is straightforward: more reports of lookalike AI tenants, especially across other departments or industries, plus cases where employees actually submitted sensitive content. Evidence that would weaken it would be stronger platform-level blocking, clearer domain verification, or enterprise visibility that makes fake tenants easier to spot before employees join.
Until then, companies should treat fraudulent OpenAI organization invites as a data-loss risk, not just an email nuisance. The attacker does not need to break into the workspace if the victim can be persuaded to bring the secrets in.
Impact Analysis
- Attackers are exploiting trusted AI collaboration workflows instead of relying on obvious spoofed emails.
- Cybersecurity and technology firms are being targeted, raising concern over exposure of sensitive research, code, and customer data.
- The campaign shows employees need to verify workspace invitations even when they come from legitimate platform email addresses.
Traditional Phishing vs. Fraudulent OpenAI Organization Invites
| Tactic | How It Works | Why It Is Risky |
|---|---|---|
| Traditional phishing | Uses suspicious links, spoofed emails, or credential-stealing pages. | Employees may detect it through failed authentication checks or obvious red flags. |
| Fake OpenAI workspace invite | Uses a real OpenAI invitation email from [email protected] for an attacker-controlled organization. | It passes email authentication and may trick employees into trusting a fake ChatGPT workspace. |
Written by
XOOMAR Insights Team
Research and Editorial Desk