Cybersecurity firm Kaspersky has uncovered a new scam campaign in which attackers are abusing features of the OpenAI platform to distribute spam and fraudulent messages that appear to come from legitimate OpenAI email addresses.
According to Kaspersky, the tactic relies on exploiting OpenAI’s organisation creation and team invitation functions. By manipulating these features, scammers are able to send emails that look technically authentic, increasing the likelihood that recipients will trust them and fall victim to the scam.
How the Scam Works
The campaign begins when attackers register an account on the OpenAI platform. During the registration process, users are asked to create an organisation name. This field allows a wide range of characters, and scammers take advantage of this flexibility by inserting deceptive text, malicious links, or fraudulent phone numbers directly into the organisation name itself.
Once the fake organisation is created, the attackers use OpenAI’s “invite your team” feature. This allows them to enter the email addresses of their intended victims. The resulting invitations are then sent from OpenAI’s official email infrastructure, making the messages appear fully legitimate from a technical and security perspective.
Kaspersky analysts observed multiple variations of these emails. Some promote fraudulent offers, including adult services, while others are designed for vishing (voice phishing). In vishing cases, recipients receive false notifications claiming that a subscription has been renewed for a large sum of money. Victims are urged to call a phone number to cancel the charge—an action that can lead to further social engineering, financial loss, or account compromise.
Although the email template is clearly intended for inviting collaborators to a project, the malicious text embedded by attackers often appears in bold and is structurally inconsistent with the rest of the message. Scammers rely on the assumption that many recipients will not notice these inconsistencies and will focus instead on the apparent legitimacy of the sender.
A Broader Platform Abuse Risk
“This case highlights a vulnerability in how platform features can be weaponised for social engineering email attacks,” said Anna Lazaricheva, senior spam analyst at Kaspersky. “By embedding deceptive elements in seemingly innocuous fields like organisation names, scammers attempt to bypass traditional email filters and exploit user trust in reputable services. We urge all users to verify invitations carefully and avoid clicking embedded links without scrutiny. We also recommend that brands consider whether their online services or platforms could be abused by attackers.”
Kaspersky notes that similar abuse could potentially affect other online platforms that allow user-generated text to be embedded in automated system emails.
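The root cause described above is a free-text field that a platform copies unchanged into an automated email. The following is an added example, not code from Kaspersky, OpenAI or this article, of the server-side check a platform operator could run on an organisation name before it is rendered into an invitation: it refuses names that contain URLs, phone numbers, monetary amounts, call-to-action wording, control or zero-width characters, or that read like a sentence rather than a name, and it HTML-escapes whatever does pass. Function names, the length limit, the regular expressions and all sample names are assumptions constructed for illustration.

```python
"""Validate a user-supplied organisation name before embedding it in a
system-generated invitation email.

Added example (not Kaspersky's or OpenAI's code). The function names,
thresholds and regular expressions are assumptions chosen for illustration;
the sample names in main() are constructed.
"""
import html
import re
import unicodedata

MAX_ORG_NAME_LEN = 64  # assumed limit; legitimate organisation names are short

# Deliberately loose patterns: the goal is to refuse names that read like a
# message to the recipient, not to parse URLs or phone numbers precisely.
URL_RE = re.compile(
    r"(?i)\b(?:https?://|www\.)\S+|\b[a-z0-9-]+\.(?:com|net|org|io|co|ru|xyz)\b"
)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
MONEY_RE = re.compile(
    r"[$€£]\s?\d[\d,]*(?:\.\d{2})?|\b\d[\d,]*(?:\.\d{2})?\s?(?:USD|EUR|GBP)\b"
)
CALL_TO_ACTION_RE = re.compile(
    r"(?i)\b(?:call|click|cancel|renew(?:ed|al)?|subscription|refund|charged|invoice)\b"
)


def validate_org_name(name: str) -> list[str]:
    """Return the reasons a name is unsuitable for a system email.

    An empty list means the name passed every check.
    """
    reasons = []
    if len(name) > MAX_ORG_NAME_LEN:
        reasons.append("too long")
    # Unicode category "C*" covers control, format (zero-width) and unassigned
    # code points, none of which belong in a display name.
    if any(unicodedata.category(ch).startswith("C") for ch in name):
        reasons.append("control or format characters")
    if URL_RE.search(name):
        reasons.append("contains a URL or domain")
    if PHONE_RE.search(name):
        reasons.append("contains a phone number")
    if MONEY_RE.search(name):
        reasons.append("contains a monetary amount")
    if CALL_TO_ACTION_RE.search(name):
        reasons.append("contains call-to-action wording")
    # Many words means the field is carrying a sentence, not a name.
    if len(name.split()) > 6:
        reasons.append("reads like a sentence")
    return reasons


def invite_allowed(name: str) -> bool:
    """True when the organisation name may be placed in an outgoing email."""
    return not validate_org_name(name)


def render_invite(org_name: str, inviter_email: str) -> str:
    """Build the invitation body only after validation passes, escaping every
    user-controlled value so it cannot inject markup into the template."""
    problems = validate_org_name(org_name)
    if problems:
        raise ValueError(f"organisation name rejected: {', '.join(problems)}")
    safe_org = html.escape(org_name)
    safe_inviter = html.escape(inviter_email)
    return (
        f"<p>{safe_inviter} has invited you to join the organisation "
        f"<b>{safe_org}</b>.</p>"
        "<p>If you do not recognise this person or organisation, "
        "ignore this email.</p>"
    )


def main() -> None:
    # Constructed sample names: one legitimate, three shaped like the abuse
    # pattern described in the article (phone number, link, hidden character).
    samples = [
        "Acme Research",
        "Your subscription was renewed for $499. Call +1 555 0100 to cancel",
        "Free offer: https://example.com/claim",
        "Acme\u200bCorp",
    ]
    for name in samples:
        verdict = validate_org_name(name)
        print(f"{name!r}: {'accepted' if not verdict else 'rejected: ' + ', '.join(verdict)}")


if __name__ == "__main__":
    main()
```

Rejecting at creation time is preferable to filtering outgoing mail, because the same name is usually displayed in dashboards and API responses as well; where a hard reject is not acceptable, the returned reasons can instead route the organisation for review before any invitation is sent.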
Kaspersky’s Security Recommendations
To reduce the risk of falling victim to these scams, Kaspersky advises users to:
• Treat unsolicited invitations from any platform with caution, even when they appear to come from trusted or well-known services.
• Carefully inspect URLs before clicking on any links in invitation or notification emails.
• Avoid calling phone numbers listed in suspicious emails. If support is needed, always look up contact details on the service’s official website.
• Report suspicious emails to the relevant platform provider and enable multi-factor authentication on all accounts.
For organisations, Kaspersky recommends Kaspersky Security for Mail Server, which uses multi-layered, machine-learning-powered defences to protect against evolving email threats. Individual users are advised to consider Kaspersky Premium, which includes AI-powered anti-phishing features designed to help detect and avoid scams while strengthening overall cybersecurity.
As attackers continue to find creative ways to misuse trusted platforms, vigilance from both service providers and users remains critical.