Push Security disclosed a novel social engineering campaign on June 26, 2026, after its own employees received invitations to join a ChatGPT organization named 'Push Security Inc.' The account belonged to an attacker, not to Push Security. The invitations were indistinguishable from genuine corporate ChatGPT onboarding emails.
The technique exploits a gap between email authentication and organizational identity verification. Invitation emails from OpenAI's infrastructure can be sent on behalf of any registered tenant name, including one that impersonates your company. The invitation passes every technical authentication check and arrives from OpenAI's own servers.
How the attack works
The attacker creates an OpenAI account using a free-mail address, sets the organization display name to match the target company exactly, and attaches a credit card to the tenant to add an additional layer of legitimacy. They then invite real employees of the target company to join as Owners, giving those employees administrative privileges inside the fraudulent workspace.
The invitation emails originate from [email protected], the legitimate OpenAI notification address. They pass DKIM, SPF, and DMARC authentication checks. The email body and formatting are identical to a genuine OpenAI organization invitation. Nothing in the delivery chain signals that the email is malicious.
Why email authentication does not protect you here
DKIM, SPF, and DMARC verify that the email was sent by OpenAI's mail infrastructure on behalf of the [email protected] address. They do not verify whether the OpenAI organization named in the email is legitimate or whether the tenant owner is who they claim to be. An attacker who creates a fraudulent tenant can send authenticated invitations from OpenAI's own infrastructure. The authentication layer has been legitimately passed, not bypassed.
What the attacker is after
Once employees accept the invitation and begin using the fraudulent workspace as their company's ChatGPT environment, every message, document, code snippet, and data export they submit becomes visible to the attacker-controlled tenant owner. The objective is passive data collection. Wait for employees to submit what professionals typically send to their company's AI platform: customer data, internal documentation, source code, and credentials are all common.
Push Security notes that the invited employees in their case were all granted Owner privileges, meaning the attacker could also modify the workspace configuration, add further members, or export conversation history in bulk. The Visa credit card attached to the tenant removes billing as a verification signal.
Detection and response
Audit active ChatGPT organization memberships for your employees. In ChatGPT, users can see which organizations they belong to under Settings. Confirm that every organization name matches a tenant your IT or security team provisioned, and that the billing contact email belongs to a company domain rather than a Gmail or other free-mail address.
Train employees that any unsolicited invitation to join a ChatGPT organization should be verified with IT before acceptance, regardless of whether the invitation email looks legitimate. The organization name in the ChatGPT interface should match what your IT team communicated during provisioning. Invitations granting Owner privileges are especially worth scrutinizing since they imply the tenant does not already have a confirmed administrator.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you are investigating AI SaaS identity risks or building detection for this class of attack.