Cybersecurity firms targeted by fake OpenAI conference invitations

Threat actors are creating OpenAI organizations that pose as legitimate companies and inviting those companies' employees to join them, in what appears to be an attempt to trick targets into submitting sensitive company information into the organizations' conversations and projects.
Push Security discovered what it calls a “Toxic Employer” after several of its employees received invitations to join an OpenAI organization called “Push Security Inc.” Although the invitation itself was legitimate, coming directly from OpenAI, the ChatGPT tenant had been created by an attacker using Gmail addresses, not by the company.
The invitation emails were sent from OpenAI’s official notification address, noreply@tm.openai.com, passed email authentication checks, and looked like a regular invitation to join a ChatGPT organization workspace.

Source: Push Security
Push Security told BleepingComputer that other customers have also received similar invitations and that they are all in the cybersecurity or technology field.
OpenAI organizations controlled by attackers
According to Push Security, these invitations were addressed to certain employees using their work email addresses, suggesting that the attackers had researched the company’s employees before launching the campaign.
Although OpenAI includes a warning stating that the inviter’s email domain does not match the recipient’s company domain, the notification appears as a single line within the official invitation email.
To better understand the purpose of the attack, Luke Jennings, VP, Research and Development at Push Security, accepted one of the invitations.
After accepting, the researcher was immediately added to a fake organization posing as Push Security. It contained a single attacker-controlled account with a Gmail address that presented itself as the company’s CEO, Adam Bateman.
Invited employees were all granted owner rights within the organization, giving them full administrative permissions over it.
Because they had administrative access, the researchers could view the other pending invitations and confirm that none of the targeted employees had joined the fake ChatGPT organization. They also discovered that a Visa credit card was already attached to the organization’s billing account, which lent it additional legitimacy.

Source: Push Security
Push Security told BleepingComputer that the workspace was empty, with no existing conversations or projects, making it unclear what the intent of the attack was.
Push Security believes the attackers’ goal is to convince employees to use the ChatGPT workspace as if it were a legitimate business platform, which would then allow the attackers to collect any sensitive information submitted to it.
“An attacker who just wants to spray scam content through a trusted email channel doesn’t name an organization, research each employee, or attach a credit card,” Push wrote.
“That investment only pays off when employees actually join the organization and start using it. And in the AI environment, the data that people put into information can be extraordinarily sensitive — source code, internal documents, customer data, security research, strategic plans.”
The company also believes that attaching a payment method removes another potential warning sign, allowing invited users to use premium features without questioning whether the organization is legitimate.
Push Security says the campaign reflects a broader trend of attackers abusing the legitimate invitation and notification features built into SaaS platforms.
Unlike traditional phishing campaigns, these invitations originate from the platform’s infrastructure, and because they are legitimate, they are likely to bypass email security controls.
To reduce the risk of these types of attacks, Push recommends training employees to verify unexpected organization invitations and monitor SaaS organization membership.
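One way to operationalize that recommendation in mail triage, as an added example that is neither Push Security’s nor OpenAI’s code: it parses a constructed invitation email (the body wording, the org-name phrasing and the free-mail list are assumptions; only the noreply@tm.openai.com sender comes from the article) and flags invites whose inviter is not from the recipient’s own domain, which is the signal OpenAI’s own warning line is meant to convey.

```python
import email
import email.utils
import re
from email import policy

# Constructed sample invitation for illustration; the body wording is an
# assumption, not a real OpenAI message. Only the sender address is from the article.
SAMPLE_INVITE = """\
From: OpenAI <noreply@tm.openai.com>
To: alice@example.com
Subject: You've been invited to join Example Inc on ChatGPT
Content-Type: text/plain; charset=utf-8

ceo.example.inc@gmail.com has invited you to join the organization "Example Inc".
Note: the inviter's email domain (gmail.com) does not match your domain (example.com).
"""

PLATFORM_SENDERS = {"noreply@tm.openai.com"}            # legitimate notification address
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}  # assumed list
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ORG_RE = re.compile(r'organization "([^"]+)"')           # assumed body wording

def triage_invite(raw, company_domain, company_name):
    """Flag SaaS org invites whose inviter is not from our own domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1].lower()
    recipient = email.utils.parseaddr(str(msg["To"]))[1].lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    # The inviter is the first address in the body that is neither the
    # platform sender nor the recipient.
    inviter = next((a.lower() for a in EMAIL_RE.findall(body)
                    if a.lower() not in (sender, recipient)), None)
    org_match = ORG_RE.search(body)
    org = org_match.group(1) if org_match else None
    findings = []
    if sender in PLATFORM_SENDERS and inviter:
        inviter_domain = inviter.rsplit("@", 1)[1]
        if inviter_domain != company_domain:
            findings.append("inviter domain %s is not %s" % (inviter_domain, company_domain))
        if inviter_domain in FREEMAIL:
            findings.append("inviter uses free webmail")
        if org and company_name.lower() in org.lower() and inviter_domain != company_domain:
            findings.append("org name mimics our company but inviter is external")
    risk = "high" if len(findings) >= 2 else ("review" if findings else "low")
    return {"inviter": inviter, "org": org, "findings": findings, "risk": risk}

if __name__ == "__main__":
    print(triage_invite(SAMPLE_INVITE, "example.com", "Example"))
```

The same check can be run over a SaaS tenant’s membership export, comparing each member’s address against the company domain, to cover the monitoring half of the recommendation.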
BleepingComputer contacted OpenAI to ask if it has received additional reports of similar campaigns, what defenses organizations can use against these attacks, and whether it plans to introduce additional defenses to prevent attackers from creating organizations masquerading as legitimate companies. We will update this article when we receive feedback.