The threat landscape for enterprise AI platforms has expanded with a new adversarial technique known as the poisoned tenant attack. In this attack, an attacker registers an OpenAI organization using the victim’s company name and invites selected employees to join it. The invitation appears legitimate, passes all email authentication checks, and includes no overt phishing indicators. Once the invitation is accepted, the attacker gains full administrative control over the newly created tenant.
Background:
Push Security was targeted in late June 2026 when several team members received multiple organizational invitations from OpenAI for an organization titled “Push Security Inc.” The emails originated from [email protected] and referenced the company’s domain, creating a high level of plausibility. The attacker’s invitation email also displayed a warning that the inviter’s domain (gmail.com) did not match the recipient’s domain; however, this single line was easily overlooked.
Attack vector details:
- The attacker created a new OpenAI organization with the victim’s company name.
- A Visa credit card—likely stolen—was attached to the billing account, pre‑authorizing usage and removing cost friction for employees.
- Targeted invitations were sent to specific employee email addresses, indicating reconnaissance on the victim’s roster.
- Invited users received “Owner” role permissions, granting them full administrative access to the organization.
Once an employee accepted the invitation—merely by clicking a link—their existing OpenAI account was automatically added as an owner of the attacker‑controlled tenant. No credentials or secondary authentication were required because the action took place in a separate browser session that was not logged into ChatGPT at the time.
Detection and response:
- The security team identified the anomalous organization immediately through internal alerts and visual inspection of the OpenAI dashboard.
- All pending invites were reviewed; none had been accepted, limiting exposure.
- Email filtering rules were updated to block future invitations from unknown domains that reference the company name.
Payoff for the attacker:
- By creating a pre‑funded organization with full administrative rights, the attacker can harvest sensitive data entered into prompts and API calls without triggering billing alerts.
- The attacker may use the tenant as a foothold for further social engineering, such as requesting SSO integration or third‑party OAuth consent, potentially enabling credential theft or lateral movement.
Relation to earlier techniques:
- Previous research on SAMLjacking showed how an adversary could register a SaaS tenant under the target’s name and leverage it for credential harvesting. While OpenAI requires domain verification for SAML, other paths—like malicious project sharing (LLMShare) or phishing via shared prompts—remain viable.
- Similar abuse patterns have been documented across GitHub, Jira, and other SaaS platforms where invitation emails are sent through the platform’s own mail infrastructure.
Broader trend:
- The proliferation of AI‑centric SaaS tools has created a vast attack surface. Any platform that allows arbitrary organization names and email invitations becomes a potential vector for poisoned tenant attacks.
- Attackers can embed malicious content directly into organization names or invitation messages, making detection through traditional spam filters ineffective.
Defensive recommendations:
- Visibility into SaaS memberships: Deploy tools that provide real‑time insight into new organizations created on SaaS platforms and the users added to them.
- Employee training focused on invitation scrutiny: Educate staff that a technically authentic email can still be malicious if it invites them to join an unfamiliar organization.
- Domain registration or ownership claims: Where possible, register your company’s name on the target platform to prevent impersonation.
- Vendor controls: Encourage platforms to require domain verification before permitting a tenant to use a business name and to display prominent warnings for cross‑domain invitations.
Indicators of compromise (IoC):
- Email addresses: [email protected], [email protected], [email protected]
- Any OpenAI organization invitations referencing the victim’s company name without prior internal approval.
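The filtering rule from the response section and the invitation indicator above can be combined into one triage check. The sketch below is an added example, not code from the original write-up or from any vendor. It assumes a mail pipeline has already extracted the organization name and inviter address from each invitation, and the company name "Acme Widgets", the domain acmewidgets.example, the approved list and the sample records are all hypothetical.

```python
import re
import unicodedata

# Assumptions (hypothetical values): brand, corporate domains, approved org names.
LEGAL_SUFFIXES = re.compile(r"\b(inc|llc|ltd|corp|co|gmbh)\b")

def normalize(name):
    """Fold case, Unicode compatibility forms (e.g. fullwidth letters),
    punctuation and legal suffixes. Cross-script homoglyphs are not handled."""
    text = unicodedata.normalize("NFKC", name).casefold()
    text = re.sub(r"[^\w\s]", " ", text)
    return " ".join(LEGAL_SUFFIXES.sub(" ", text).split())

BRANDS = {normalize("Acme Widgets")}
CORPORATE_DOMAINS = {"acmewidgets.example"}
APPROVED_ORGS = {normalize("Acme Widgets Research")}

def references_brand(org):
    """True if a protected name appears in the org name, ignoring spacing."""
    squashed = org.replace(" ", "")
    return any(b.replace(" ", "") in squashed for b in BRANDS)

def triage(invite):
    """Return (verdict, reasons) for one pre-extracted invitation record."""
    org = normalize(invite["org_name"])
    domain = invite["inviter"].rsplit("@", 1)[-1].casefold()
    approved = org in APPROVED_ORGS
    external = domain not in CORPORATE_DOMAINS
    reasons = []
    if not approved:
        reasons.append("organization has no prior internal approval")
    if external:
        reasons.append(f"inviter domain {domain} is not a company domain")
    if references_brand(org) and not approved:
        reasons.append("organization name references the company name")
        return "block", reasons
    return ("review" if reasons else "allow"), reasons

# Constructed sample records, not real invitations.
SAMPLES = [
    {"org_name": "Acme Widgets Inc.", "inviter": "person@gmail.com"},
    {"org_name": "\uff21\uff23\uff2d\uff25-Widgets, LLC", "inviter": "person@gmail.com"},
    {"org_name": "Acme Widgets Research", "inviter": "it@acmewidgets.example"},
    {"org_name": "Weekend Hackathon", "inviter": "friend@gmail.com"},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["org_name"], "->", triage(s))
```

An approved organization name invited from an external address is sent to review rather than allowed, since an attacker can copy an approved name as easily as the company name.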
Conclusion:
The poisoned tenant attack demonstrates how legitimate platform features can be weaponized to create a trusted foothold within an enterprise. By maintaining visibility over SaaS memberships, training employees on invitation verification, and working with vendors to tighten controls, organizations can mitigate the risk of this emerging threat vector.