Black Arrow Cyber Advisory 30 June 2026: Attackers Abuse Trusted Platform Invitations to Impersonate Organisations

Organisations should be alert to a developing tactic in which attackers create fake workspaces on trusted software platforms and invite employees to join them using legitimate platform emails. Although this activity has recently been seen targeting cyber security and technology firms, the approach could quickly be adapted for other sectors, particularly where staff use artificial intelligence tools, collaboration platforms, cloud services or shared project spaces.

In a reported campaign, attackers created an OpenAI organisation that impersonated a legitimate company, then invited selected employees using their work email addresses. The invitations were sent from OpenAI’s genuine notification system, passed normal email authentication checks and looked like standard invitations to join a company workspace. This makes the approach more difficult to detect than traditional phishing, where attackers often rely on spoofed emails, suspicious links or lookalike domains.

The risk is not simply that an employee joins the wrong workspace. The concern is what happens next. If staff believe they are using an approved company environment, they may submit sensitive information into chats, prompts or project spaces. This could include internal documents, client information, source code, security research, strategy papers, commercial plans or other confidential material. In this case, the fake workspace had been made to look more credible by using the target company’s name, targeting specific employees, assigning them senior access rights and attaching a payment card to the billing account.

This reflects a wider shift in attacker behaviour. Rather than only sending malicious files or links, attackers are increasingly abusing legitimate features inside widely used online services. Invitations, notifications and shared workspace requests can come from real platforms and therefore may bypass technical email controls. The trust employees place in familiar brands and normal business workflows is being exploited.

What firms should do

Organisations should remind employees that a genuine email from a trusted platform does not always mean the workspace, project or invitation is legitimate. Staff should be told to verify any unexpected invitation to join a company workspace, especially where the request relates to artificial intelligence, file sharing, collaboration tools or administrative access.

Security and IT teams should review the technical solutions available to help manage this risk, for example SaaS security posture management (SSPM) platforms. They should also review how official company workspaces are named, managed and communicated to staff. Where possible, organisations should maintain an approved list of authorised platforms and tenants, and make it easy for employees to check whether an invitation is genuine. Unexpected invitations should be reported through existing security channels before being accepted.

Firms should also monitor membership and administration activity across software-as-a-service platforms. This includes checking for unusual organisation invitations, unexpected owner or administrator permissions, and employees joining external workspaces that impersonate the business. Where platforms support domain verification, single sign-on or tenant restrictions, these controls should be enabled.
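
The approved-tenant list and membership monitoring described above, as an added example that is not part of the original advisory: it triages invitation events by tenant ID and flags unapproved workspaces that use the company name or grant owner or administrator roles. The event schema, the brand name "Example Corp" and all tenant IDs are constructed assumptions; real platforms expose this data in their own audit-log formats.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Assumptions, not from the advisory: brand name, tenant IDs, event schema.
BRANDS = ["Example Corp"]
APPROVED_TENANTS = {("openai", "org-approved-0001")}  # (platform, tenant ID)
PRIVILEGED_ROLES = {"owner", "admin"}

def norm(s):
    """Fold case, width variants and punctuation before comparing names."""
    return re.sub(r"[^a-z0-9]", "", unicodedata.normalize("NFKC", s).casefold())

def resembles_brand(name, threshold=0.85):
    n = norm(name)
    for b in map(norm, BRANDS):
        # Slide a brand-sized window to catch near-misses ("Examp1e Corp Research").
        windows = [n[i:i + len(b)] for i in range(max(1, len(n) - len(b) + 1))]
        if b in n or any(SequenceMatcher(None, w, b).ratio() >= threshold for w in windows):
            return True
    return False

def triage(event):
    """Return (severity, reason) for one invitation or membership event."""
    # Trust is keyed on the tenant ID: the display name is attacker-controlled.
    if (event["platform"], event["tenant_id"]) in APPROVED_TENANTS:
        return ("ok", "approved tenant")
    if resembles_brand(event["tenant_name"]):
        return ("high", "unapproved tenant using the company name")
    if event["role"].casefold() in PRIVILEGED_ROLES:
        return ("medium", "owner/admin role in unapproved tenant")
    return ("low", "unapproved tenant")

def ev(tenant_id, tenant_name, invitee, role):
    return {"platform": "openai", "tenant_id": tenant_id,
            "tenant_name": tenant_name, "invitee": invitee, "role": role}

# Constructed sample events (not real data).
EVENTS = [
    ev("org-approved-0001", "Example Corp", "a@example.com", "member"),
    ev("org-constructed-9999", "Example Corp", "b@example.com", "owner"),
    ev("org-constructed-8888", "Examp1e-Corp Research", "c@example.com", "member"),
    ev("org-constructed-7777", "Acme Analytics", "d@example.com", "owner"),
]

def report(events):
    return [(e["invitee"], *triage(e)) for e in events if triage(e)[0] != "ok"]

if __name__ == "__main__":
    print(*report(EVENTS), sep="\n")
```

The second event carries the same display name as the approved tenant and is still flagged, because only the tenant ID is compared against the approved list.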

For senior leaders, this is a reminder that cyber risk now extends beyond email and endpoint security. Attackers are targeting the everyday tools employees use to work, collaborate and experiment with artificial intelligence. Clear ownership of approved platforms, simple verification processes and staff awareness can significantly reduce the chance of sensitive company information being handed to an attacker through a trusted service.
