Security company Push Security recently issued an emergency security alert exposing a new type of phishing attack targeting corporate employees. The attackers abused OpenAI's organizational invitation mechanism to bypass traditional email security protections, attempting to lure employees into a fake AI work environment under their control.

A "Legitimate" Trap That Bypasses Verification

In this carefully planned social engineering attack, the attackers first created an OpenAI organization on the platform with the same name as the target company. They then used the platform to send invitation emails to specific employees, so the messages arrived from OpenAI's official notification email address. Because the emails originated from the genuine source and passed standard sender authentication checks, they were highly convincing.

More misleadingly, the attackers even pre-linked a valid Visa credit card to the organization account and granted the invited employees the highest-level administrator permissions in advance. This unusually "generous" setup removed any payment barrier or system anomaly alert that an employee might otherwise encounter when joining.

Process Vulnerabilities Expose Security Blind Spots

When security researchers tested the joining process, they found that the entire acceptance flow involved almost no additional identity verification. Users only needed to click the link in the email to enter the organization directly, without being asked to reconfirm their account password. As a result, the enterprise's existing security defenses were easily bypassed.
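The invitation flow described above can be triaged by checking which tenant an invite points to rather than who sent it, since both a legitimate and a lookalike invitation pass sender authentication. The following is an added example, not code from Push Security or OpenAI; the sender address, the invite-link format, the org ids and the sample messages are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumptions for illustration (not OpenAI's real templates or identifiers):
# the platform's notification sender, the invite-link shape and the org ids.
PLATFORM_SENDER = "noreply@openai.com"
COMPANY_NAME = "Acme Corp"
SANCTIONED_ORG_IDS = {"org-acme-official-000"}   # the company's real tenant(s)
ELEVATED_ROLES = {"owner", "admin"}
INVITE_RE = re.compile(r"https://\S+/invite\?\S+")

# Constructed sample messages as a mail gateway might export them. Note that
# both invitations pass SPF/DKIM, so authentication cannot tell them apart.
MESSAGES = [
    {"from": "noreply@openai.com", "auth": "spf=pass dkim=pass",
     "subject": "You have been invited to join Acme Corp on OpenAI",
     "body": "Join: https://platform.openai.com/invite?org=org-acme-official-000&role=member"},
    {"from": "noreply@openai.com", "auth": "spf=pass dkim=pass",
     "subject": "You have been invited to join Acme Corp on OpenAI",
     "body": "Join: https://platform.openai.com/invite?org=org-lookalike-999&role=owner"},
    {"from": "helpdesk@acme-corp-login.example", "auth": "spf=fail dkim=none",
     "subject": "Reset your password", "body": "Click here to reset."},
]

def assess_invite(msg):
    """Return None if msg is not a platform org invitation, otherwise a list
    of escalation reasons (an empty list means a sanctioned-org invite)."""
    if msg["from"].lower() != PLATFORM_SENDER:
        return None
    match = INVITE_RE.search(msg["body"])
    if not match:
        return None
    params = parse_qs(urlparse(match.group(0)).query)
    org_id = params.get("org", [""])[0]
    role = params.get("role", [""])[0].lower()
    reasons = []
    # Core check: compare the tenant id against the sanctioned allowlist.
    if org_id not in SANCTIONED_ORG_IDS:
        reasons.append("org_not_sanctioned")
        # A lookalike org reuses the company's own name to appear legitimate.
        if COMPANY_NAME.lower() in msg["subject"].lower():
            reasons.append("company_name_lookalike")
    # Admin rights handed out on invite are unusual and worth flagging.
    if role in ELEVATED_ROLES:
        reasons.append(f"elevated_role:{role}")
    return reasons

def triage(messages):
    """Map message index to reasons for every message that is an invitation."""
    return {i: r for i, m in enumerate(messages) if (r := assess_invite(m)) is not None}
```

Running `triage(MESSAGES)` flags only the second message, for an unsanctioned org using the company's name and granting the owner role.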

As AI tools become fully integrated into daily office work, social engineering that rides on platform collaboration features and their shared notification emails is becoming an increasingly serious threat. Experts warn that enterprises need to expand their defensive focus from traditional email phishing to security reviews of the collaboration mechanisms of AI platforms.