Hackers Exploit OpenAI Org Invites to Harvest Sensitive Data

Cybercriminals are exploiting OpenAI’s organization invitation feature to execute ‘poisoned tenant’ attacks, enabling them to access sensitive prompts, API activity, and potentially corporate data from unsuspecting users.

In this scheme, attackers create a fraudulent OpenAI organization using the target company’s name and send invitations to employees. These emails originate from OpenAI’s legitimate notification system, passing authentication checks and closely resembling genuine collaboration invites. The only subtle indicator of fraud is a minor notice stating that the inviter’s domain does not match the recipient’s corporate domain, a detail easily overlooked.

Upon clicking the invitation link, the victim is immediately added to the attacker-controlled organization without additional authentication. This seamless process increases the likelihood of the victim engaging with the platform under the assumption of legitimacy.

To enhance credibility, attackers impersonate company executives and grant invited users full administrative privileges. They also add a credit card to the account to facilitate access to paid features, reducing suspicion.

The primary goal is long-term data harvesting. If an employee uses the compromised organization for work-related tasks, any prompts, uploaded data, or API usage become accessible to the attacker. This could include sensitive information such as source code, internal documents, security research, or customer data.

This tactic builds upon the ‘poisoned tenant’ concept, where attackers create fake SaaS environments to deceive users into joining. As AI platforms like ChatGPT become integral to enterprise productivity, the value of intercepted prompt data increases significantly.

Attackers may further escalate access by sharing malicious chats, injecting harmful prompts, or exploiting third-party integrations. This opens avenues for data exfiltration, OAuth abuse, or lateral movement across connected services such as email, cloud storage, and collaboration tools.

This campaign is part of a broader trend where threat actors weaponize trusted SaaS platforms as delivery channels for sophisticated social engineering attacks. Organizations must remain vigilant, scrutinize unexpected collaboration invites, and implement robust verification processes to mitigate such risks.