Poisoned Tenant OpenAI organization invite campaign

Campaign
H score 35
1 unique source, 1 article

Summary

The Poisoned Tenant campaign is using fraudulent OpenAI organizations to lure targeted employees into shared ChatGPT workspaces, creating a risk of sensitive company data exposure. The fake invites arrived from [email protected] and passed authentication, making them look legitimate. Attackers also created tenants impersonating real companies and even attached a Visa credit card to improve credibility. The targets were mainly employees in cybersecurity and technology companies.

Related Happenings

OpenAI hit by cyberattack

Incident
H score 38 First: 14.05.2026 22:07 Last: 14.05.2026 22:07 Sources 1

About this happening: OpenAI confirmed **two employees' devices** were breached, giving attackers access to a limited set of internal source code repositories and forcing a precautionary rotation of **...

OAuth device-code phishing campaign targeting SaaS accounts

Campaign
H score 43 First: 04.04.2026 17:17 Last: 04.04.2026 17:17 Sources 1

About this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...

Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations

Threat Actor Meta
H score 82 First: 05.03.2026 08:51 Last: 05.03.2026 08:51 Sources 1

About this happening: **Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....

Latest development: 17.05.2026 17:43

eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.

ConsentFix browser-native OAuth consent phishing campaign

Campaign
H score 23 First: 14.01.2026 17:01 Last: 14.01.2026 17:01 Sources 1

About this happening: The **ConsentFix** campaign is a **ClickFix**-style **OAuth consent phishing** operation that hijacks **Microsoft accounts** by abusing the **Azure CLI OAuth app**. In the reporte...

OpenAI API users customer data exposed after OpenAI breach

Data Leak
H score 31 First: 27.11.2025 13:15 Last: 27.11.2025 13:15 Sources 1

About this happening: OpenAI warned that **API users** may have had limited account and analytics data exposed after **Mixpanel** suffered unauthorized access. The exposure matters because the exported...

Timeline

  1. 26.06.2026 20:49 (2 articles)

    Push Security reports fraudulent OpenAI organizations impersonating target companies

    Initial Disclosure

    Push Security reports that threat actors created OpenAI organizations impersonating legitimate companies, used Gmail-based accounts inside the tenant, and sent legitimate-looking invitations from [email protected] to employees’ work emails. The apparent goal was to lure targeted employees, including those in cybersecurity and technology companies, into ChatGPT workspaces where sensitive company information could be submitted in chats and projects.