Hackers Abuse OpenAI Org Invites to Harvest Sensitive Prompts and API Activity
Hackers are actively abusing OpenAI’s organization invitation feature to launch a new form of “poisoned tenant” attack, allowing them to harvest sensitive prompts, API activity, and potentially corporate data from unsuspecting users.
According to research disclosed by Push Security, attackers created a fake OpenAI organization using the company’s name, “Push Security Inc,” and sent targeted invitations to employees.
These emails were not spoofed or malicious in the traditional sense. They originated from OpenAI’s legitimate notification system ([email protected]), passed authentication checks, and appeared identical to genuine collaboration invites.
The only warning sign was a small notice indicating that the inviter’s domain did not match the recipient’s corporate domain.

However, this detail can be easily overlooked, especially when the email otherwise looks fully legitimate and references real company information.
Hackers Abuse OpenAI Org Invites
Once a recipient clicks the invitation link, the attack becomes particularly dangerous. Researchers found that joining the organization required just a single click, with no additional authentication or verification step.
Even from a fresh browser session with no prior login, the account was instantly linked to the attacker-controlled tenant.
According to Push Security, attackers made the fake organization appear legitimate by impersonating a company executive and granting all invited users Owner privileges with full administrative access.
A credit card had also been added to the account, likely to remove friction and avoid raising suspicion if users attempted to access paid features.

The real objective of the attack is not immediate credential theft, but long-term data harvesting. If an employee assumes the organization is legitimate and begins using it for work, any prompts, uploaded data, or API usage could be visible to the attacker.
This may include source code, internal documents, security research, or customer information. This technique builds on the “poisoned tenant” concept first described in 2023, where attackers create fake SaaS environments to trick users into joining.
In this case, the attack leverages the growing role of AI platforms as enterprise productivity hubs. As employees increasingly rely on tools like ChatGPT for daily workflows, the value of captured prompt data becomes significantly higher.
Push Security researchers warn attackers could escalate access by sharing malicious chats, injecting harmful prompts, or abusing third-party integrations.
This creates opportunities for data exfiltration, OAuth abuse, or lateral movement across connected services such as email, cloud storage, and collaboration tools.
The campaign is part of a broader trend where threat actors weaponize trusted SaaS platforms as delivery channels.
Recent reports from Kaspersky and Cisco Talos highlight similar abuse across OpenAI, GitHub, and Jira, where attackers embed malicious content into platform-generated notifications.

Because these messages come from legitimate domains, they bypass many traditional security controls. Defending against this technique is challenging because there are no obvious indicators, such as malicious links or spoofed domains.
The infrastructure used is entirely legitimate. Instead, organizations must focus on visibility into SaaS usage, monitoring which external tenants’ employees join, and educating users that even authentic platform emails can carry security risks.
This incident highlights a growing security gap in modern enterprises. As SaaS and AI platforms continue to expand, their built-in collaboration features are becoming a powerful attack surface.
Without stronger controls, such as domain verification enforcement or restricted organization joining, attackers will continue to exploit these trusted systems to collect sensitive data silently.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.
The post Hackers Abuse OpenAI Org Invites to Harvest Sensitive Prompts and API Activity appeared first on Cyber Security News.
Abinaya
Go to cyber-security-news