Attackers abuse OpenAI team invitations to target businesses
Farah Amod
February 18, 2026
Security researchers say criminals are using a legitimate collaboration feature to deliver phishing and vishing scams.
What happened
Researchers have reported that attackers are exploiting OpenAI’s “invite your team” feature to send phishing emails from legitimate OpenAI addresses. According to TechRadar, the attackers create accounts and insert deceptive links or phone numbers into the organization name field, which then appear in authentic-looking invitation emails. Because the messages are delivered via OpenAI’s infrastructure, they can bypass basic email filters and reach multiple employees simultaneously.
Going deeper
The campaign exploits trust in familiar platforms instead of relying on traditional malware attachments. Attackers create organizations with misleading names that conceal malicious links or phone numbers, then send invitations to employees within the same company. Some emails falsely claim a costly subscription renewal, while others promote urgent offers designed to trigger a response. Researchers found that these messages are often followed by phone calls in which scammers pressure recipients to share account details or approve fraudulent transactions. Businesses face increased risk because a single invitation can reach multiple employees at once, increasing the likelihood that someone will engage.
What was said
Security researchers said the campaign demonstrates how attackers can misuse legitimate platform features for social engineering instead of exploiting technical flaws. Anna Lazaricheva, a senior spam analyst involved in the research, said the case “highlights a vulnerability in how platform features can be weaponized for social engineering email attacks,” explaining that attackers embed deceptive content in seemingly harmless fields such as organization names to bypass traditional email filters and take advantage of user trust in reputable services. She urged users to carefully verify invitations and avoid clicking embedded links or calling listed phone numbers without scrutiny, adding that organizations should review their own platform features for similar abuse, as attackers often target trusted services that are less likely to be blocked outright.
In the know
According to a Paubox report, OpenAI disclosed that one of its third-party vendors, Mixpanel, experienced unauthorized access within its own systems. In a public notice issued November 28, OpenAI said an attacker exported a limited dataset linked to OpenAI API customers, referring to organizations that use OpenAI’s application programming interface to integrate its services into their own software. OpenAI removed Mixpanel from its production environment and began an internal review, stating that its own systems were not compromised and that no chat content, API keys, passwords, credentials, or payment data were exposed. The accessed data included customer names, email addresses, approximate location information, and device and browser details. Although limited in scope, OpenAI warned that such metadata, meaning background technical and account information, could still be used to craft highly targeted phishing emails directed at developers and administrators.
The big picture
A Reuters investigation found that AI-driven scams are often run not by isolated individuals but by organized criminal groups, particularly in Southeast Asia, where AI tools are used daily inside scam compounds. People forced to work in these operations described tools like ChatGPT as routine for translating messages, adopting different personas, and answering victims’ questions convincingly. Threat intelligence teams say this matches what they are seeing, with Jacob Klein of Anthropic telling Reuters, “We see people who are using Claude to make their messaging be more believable,” and adding that scams now follow “an entire attack cycle of conducting fraud or a scam,” with AI used at each stage. The misuse of legitimate AI platforms and features, including team invitation tools, shows how attackers are relying on trusted systems and familiar workflows to scale fraud and increase the chances that messages are opened and acted on.
FAQs
Why do attackers prefer legitimate invitation features?
Messages sent through trusted platforms are more likely to be delivered and less likely to raise suspicion among recipients.
How does embedding links in organization names work?
The organization name field is displayed inside the invitation email, allowing attackers to hide links or contact details where users may not expect them.
Why are businesses more exposed than individuals?
Attackers can send invitations to many employees at once, increasing the chance that someone will interact with the message.
What should users do if they receive an unexpected invitation?
They should verify the sender through a known channel, avoid clicking embedded links, and report the message to their security team or the platform provider.
Are technical controls enough to stop this type of attack?
No. Technical controls help, but employee awareness and clear processes for verifying invitations are also necessary to reduce risk.
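One technical control for the organization-name abuse described above, shown as an added example that is not part of the original article or any vendor's code: a mail-gateway triage check that treats any non-platform link target, phone number or billing wording inside a platform-sent invitation as user-supplied field content. The domain `platform.example`, the invitation template and the sample organization names are constructed assumptions, and the check assumes a single-part plain-text message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

PLATFORM_DOMAINS = {"platform.example"}  # assumption: placeholder for the real platform domain
HOST_RE = re.compile(r"(?:https?://|www\.)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d ().-]{8,}\d(?!\w)")
LURE_RE = re.compile(r"\b(renew\w*|subscription|charged?|refund|invoice)\b", re.I)


def is_platform_host(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in PLATFORM_DOMAINS)


def triage_invitation(raw):
    """Return sorted (kind, value) findings for one platform-sent invitation."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not is_platform_host(sender_domain):
        return []  # not sent by the platform; ordinary filtering applies
    # Subject plus body: both render the user-supplied organization name.
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    findings = set()
    for m in HOST_RE.finditer(text):
        if not is_platform_host(m.group(1)):  # link target the platform does not own
            findings.add(("foreign-host", m.group(1).lower()))
    for m in PHONE_RE.finditer(text):  # callback number, the vishing hook
        findings.add(("phone-number", m.group(0)))
    for m in LURE_RE.finditer(text):
        findings.add(("billing-lure", m.group(1).lower()))
    return sorted(findings)


def constructed_invite(org_name, sender="noreply@platform.example"):
    """Build a constructed single-part invitation; the template is invented."""
    return (f"From: {sender}\nSubject: Join {org_name}\n\n"
            f"You were invited to {org_name}.\n"
            "Accept: https://platform.example/invite\n")


if __name__ == "__main__":
    for org in ("Acme Research",
                "Renewal $499 charged - call +1 (800) 555-0100",
                "Claim offer at secure-login.example/offer"):
        print(org, "->", triage_invitation(constructed_invite(org)))
```

Messages with findings are better routed to quarantine or review than dropped, since a legitimate organization name can occasionally contain a domain.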
