Hackers are using OpenAI's own invitation system to phish employees

There’s a new phishing technique making the rounds, and this one is hard to spot because the emails come from OpenAI itself.

Security firm Push Security revealed Monday that hackers created a fake “Push Security Inc” organization on OpenAI’s platform and used the company’s own notification system to send invitation emails to Push Security employees. The emails arrive from [email protected] — a legitimate OpenAI address that passes standard email authentication checks.

The attack is clever in its simplicity. The hackers set up a fraudulent OpenAI organization with the name “Push Security Inc,” then invited real Push Security employees through the platform’s standard org invitation flow. Because the emails are sent by OpenAI’s infrastructure, they bypass most email security filters — it’s not a spoofed sender, it’s the real deal.

There is a tell, though. A line in the email notes that the invitation comes from a gmail.com domain rather than the recipient’s pushsecurity.com corporate domain. But it’s displayed as a single line of ordinary text, easy to gloss over during a busy workday.

What makes this particularly unsettling is what happens on the other side. Invited employees are granted Owner permissions by default — the highest level of access in an OpenAI organization. The hackers even pre-linked a Visa credit card to the account, removing any payment prompts or billing alerts that might tip someone off.

Push Security accepted one of the invitations to investigate. The researchers found that joining required nothing more than clicking the link in the email. No password re-entry. No multi-factor challenge. No secondary verification at all.

Once inside, the researchers saw that other invited employees were still in “pending acceptance” status — none had joined yet. There’s no evidence any data was compromised. Push Security sent a company-wide warning and set up email filtering rules to catch similar invitations going forward.
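A detection rule of the kind the warning and filtering described above call for, as an added example (not Push Security's own rule): it treats an invitation sent by the platform's own domain as in scope, flags it when the inviter's address is not on the corporate domain, and escalates when the organization name imitates the company. The sender address, body wording and link are constructed assumptions; the article does not give the real invitation text.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: sent by the platform itself, but the inviter is an
# external gmail.com address and the org name mimics the recipient's company.
# Sender address, wording and link are assumptions, not the real invite text.
SUSPICIOUS_INVITE = """\
From: OpenAI <invitations@openai.com>
To: alice@pushsecurity.com
Subject: You've been invited to join Push Security Inc

someone@gmail.com has invited you to join the organization "Push Security Inc" on OpenAI.
Accept the invitation: https://example.invalid/invite/abc123
"""

# Same message, but the inviter is a corporate account.
BENIGN_INVITE = SUSPICIOUS_INVITE.replace("someone@gmail.com", "it-admin@pushsecurity.com")

PLATFORM_DOMAINS = {"openai.com"}         # platforms whose invites we inspect
CORPORATE_DOMAINS = {"pushsecurity.com"}  # domains a legitimate inviter must use
COMPANY_NAME = "push security"            # used to spot look-alike org names

# Assumed body format: '<inviter> has invited you to join the organization "<org>"'
INVITE_RE = re.compile(
    r'(?P<inviter>[\w.+-]+@[\w.-]+)\s+has invited you to join the organization\s+"(?P<org>[^"]+)"'
)

def domain_of(addr: str) -> str:
    """Lower-cased domain part of a header-style address."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def assess_invite(raw: str) -> dict:
    """Verdict for one invitation email: which checks fired and why."""
    msg = message_from_string(raw)
    verdict = {"platform_invite": domain_of(msg["From"] or "") in PLATFORM_DOMAINS,
               "suspicious": False, "reasons": []}
    match = INVITE_RE.search(msg.get_payload())
    if not verdict["platform_invite"] or not match:
        return verdict  # not a recognised platform invite; out of scope
    inviter_domain = domain_of(match["inviter"])
    org = match["org"]
    if inviter_domain not in CORPORATE_DOMAINS:
        verdict["reasons"].append(f"inviter domain {inviter_domain} is not corporate")
        if COMPANY_NAME in org.lower():
            verdict["reasons"].append(f"org name {org!r} imitates the company")
    verdict["suspicious"] = bool(verdict["reasons"])
    return verdict
```

A mail-filter or SOAR playbook can route any message with `suspicious` set to quarantine or to a review queue rather than to the inbox.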

The attack wasn’t a spray-and-pray operation. It was targeted, preceded by reconnaissance specifically against Push Security. The hackers knew who they were after.

This is the kind of security blind spot that emerges when platforms become critical infrastructure faster than their security models mature. AI collaboration tools — shared organizations, projects, and workspaces — introduce a whole new attack surface. Traditional phishing training teaches employees to watch for fake login pages and suspicious attachments. It doesn’t prepare them for a legitimate invitation from a legitimate platform that happens to be controlled by an attacker.

Push Security warns that as AI services become routine workplace tools, this style of social engineering will become more common. Companies need to build verification processes for AI platform invitations, just as they do for VPN access and admin credentials.