# Gone Phishing with Claude Teams: From Deceptive Team Onboarding to RCE

A security researcher demonstrated that for a $125 investment and a valid business email address, an attacker can create a Claude Team and trick users into joining it, ultimately achieving remote code execution on victims' machines running Claude Code. The attack exploits Anthropic's legitimate team onboarding process, where the company itself sends the invitation emails and popups, making the target believe the request is from their own organization. The researcher found that 63% of Dow-30 member companies remain unprotected against this attack vector.

🕚 tl;dr

With a $125 investment and a valid email address for an arbitrary “business domain”, an attacker can create a Claude Team. They can then actively invite targets of any domain into that Team or passively have Anthropic ask all current and future Claude users of their own domain to join the Team. In both cases, Anthropic is communicating the invitation, not the attacker. After a victim decides to join the Team and uses Claude Code, the attacker can run arbitrary code on the target’s machine.

The beauty: all the target ever sees are mails and popups from Anthropic, never from the attacker.

The attack surface: 63% of Dow-30 members are not protected from this attack.

🫂 While AI is cool and all, InfoSec is nothing without the community and having fun with real-life friends. So thanks go out to:

- Maik for pairing up on a late Sunday evening to get this started
- Joe for letting me test cross-domain phishes and somewhat mess up your SSO settings
- Michael aka rootcat for proofreading this article and teaching me the way of the phish

🧑‍⚖️ I am not describing any vulnerabilities in this research. I am merely demonstrating how an attacker could chain legitimate tools for malicious purposes.
During this research, the domain anthropic-evaluation.com has been registered for demonstrative purposes. I am not affiliated with the company Anthropic or its product Claude. I have never used the domain for malicious acts, nor will I ever use it for such. If you are Anthropic and reading this: I really like your tools. I mean no harm. If you want to get possession of the domain anthropic-evaluation.com, please reach out and we will arrange the transfer. The domain ownership is not set to be renewed, anyways.

After all the preambles, let’s get to work.

Your name is Peter Gibbons, and you work for a company named Haussner Inc. Your CTO is named Bill Lumbergh and is still not sure about this whole AI thing. Also, he does not want to pay for Anthropic’s Claude. You really want to get your hands on a license, but for now you are stuck with copy-pasting stuff in and out of Copilot - yes, chat only, and offline, because GDPR or something.

It’s a Thursday morning, and you get this mail. Looks like your boss is finally getting a move on.

Would you accept the invite? I probably would have a few days ago, after checking the sender and the contents:

In the following post we are going to dissect how we can abuse Claude Teams to phish people into joining our attacker-controlled Team with their company email address, with the goal of getting RCE on the machines they run Claude Code on. We are also going to look at how we can protect ourselves from attacks like this.
For this, we are going to go through the following five phases:

- Enumerating the target
- Ways of delivering the phish
- Setup of our malicious Claude Team
- Exploiting the phished accounts
- Protecting your companies so it does not happen to you

## Enumerating the target

Let’s ease into it:

- Why I started researching this
- What are prerequisites for our attack to work?
- Enumerating if the chosen target company is susceptible to our attack

### Why I started researching this

I work as a Red Teamer in a company that does not have an Enterprise agreement with Anthropic. A colleague of mine signed up for a personal account with his business email address anyways. He then saw something peculiar and told me about it (thank you): after signup he was informed that others with the same domain had made an account, too, and that he should think about whether he wanted to start a Team.

So naturally, I registered too, and was greeted with this (sorry for the German screenshot, here is the English translation: “13 people from your domain are already using Claude.”):

While I understand this from the perspective of a company wanting to sell Team seats, I found it interesting that this information would be given away so openly. I started asking myself a question: What if I open a Team? Does that give me any cool powers? Reading the documentation tells me it does. Let the research begin.

To start out, I decided to pretend to be an external attacker, create an attacker-controlled domain and create a Claude Team connected to that domain.
Then I would use my personal domain haussner.me as the target for phishing, trying to convince “someone working there and having a haussner.me email address” to join my attacker-controlled Team. Let’s see how we could go about that.

### What are prerequisites for our attack to work?

For our attack to work, we have two prerequisites:

- The target user needs to be allowed to sign up and sign in to Claude using a magic link sent to their email address, and not only their company SSO.
- The target user needs to be allowed to create a personal account for their company email address.

The nice thing from the attacker’s point of view: both prerequisites are fulfilled by default, and the target organization has to actively disable both of them, even if they have set up SSO with Anthropic (see the official docs: https://support.claude.com/en/articles/13132885-set-up-single-sign-on-sso).

### Enumerating if the chosen target company is susceptible to our attack

As an external attacker we can try figuring out if the target domain haussner.me has any affiliation (Teams or Enterprise plan) with Anthropic.

#### Enumerating prerequisite 1: Can users sign up and sign in with a magic link?

Figuring out if prerequisite 1 is met is straightforward via claude.ai in the browser or via the API - we just enter any email address ending with the target domain and observe the change in the UI or the response.

For recon@haussner.me we only see the option to “Continue with email”. This tells us there is no SSO configured, so the prerequisite is met:

If SSO were configured, a new button “Continue with SSO” would appear. We see this when checking e.g. recon@microsoft.com:

Seeing both the “Continue with email” and “Continue with SSO” buttons tells us:

- Microsoft has set up SSO for its main domain. Thus, they already have a Team or Enterprise plan.
- They have not fully hardened their settings, since their employees can also log in using their business email.
Thus, prerequisite 1 is still met.

To show an example of a company that is not susceptible to our attack, we look at Anthropic themselves:

The “Continue with email” button vanished and the “Continue with Google” button is deactivated. This tells us that users with @anthropic.com email addresses can only log in using SSO. Prerequisite 1 is not met, so there is no way to onboard those employees into our attacker-controlled Team, even if they wanted to.

As mentioned, one can also use the following endpoint to get the settings programmatically, no crawling needed:

```
"https://claude.ai/api/auth/login_methods?source=claude-ai&email=recon%40$TARGET_DOMAIN"
```

#### Enumerating prerequisite 2: Can users sign up for the target domain, or is this blocked?

“Sadly”, this cannot be enumerated from the outside. When trying this out on a hardened domain (signups were blocked, as described later in the Remediation section “Claim your domain(s) and block the creation of new accounts”), we got as far as triggering the sign-up process, receiving the sign-up email, and using the sign-up link, only to then be informed that sign-ups are blocked. From an external point of view, we will not get that far.

What we can enumerate, however, is the prerequisite for blocking sign-ups: the domain verification. If SSO is turned on (enforced or not), the domain verification has been done successfully. This test is only needed if there is no SSO, as in the case of haussner.me. We just pull the DNS TXT records and check.

Here we see: haussner.me also does not have a domain verification:

```
dig -t TXT +short haussner.me | grep anthropic
```

If we look at microsoft.com, we see the verification:

```
dig -t TXT +short microsoft.com | grep anthropic
```

Our bottom line:

- If there is no verification, prerequisite 2 is met.
- If there is a verification, we cannot say.
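Added example (not part of the original post): a small shell helper for auditing domains you administer, combining the two checks above into the status matrix given in the next section. The `yes`/`no` button observations, the status labels, and the sample domains and TXT records are assumptions constructed for illustration; the TXT test is the same substring heuristic as the `grep anthropic` above.

```shell
#!/usr/bin/env bash
# Added example: rate a domain you administer with the article's status matrix.
# All inputs are observations (login buttons, TXT records); no network access.

# stdin: output of `dig -t TXT +short <domain>`. Prints yes if any record
# mentions anthropic (same heuristic as the article's `grep anthropic`).
domain_verified() {
  if grep -qi 'anthropic'; then echo yes; else echo no; fi
}

# sso_state <email_button yes|no> <sso_button yes|no>
sso_state() {
  case "$1/$2" in
    yes/no)  echo none ;;      # only "Continue with email"
    yes/yes) echo optional ;;  # both buttons: SSO enabled, not enforced
    no/yes)  echo enforced ;;  # email login removed: SSO only
    *)       echo unknown ;;
  esac
}

# classify <email_button> <sso_button> <verified yes|no>
classify() {
  case "$(sso_state "$1" "$2")/$3" in
    none/no)      echo exposed ;;       # "Attack possible"
    none/yes)     echo unclear ;;       # "Try your luck": sign-ups may be blocked
    optional/yes) echo unclear ;;       # "Try your luck": email login still offered
    optional/no)  echo inconsistent ;;  # "Status does not exist": recheck inputs
    enforced/*)   echo protected ;;     # "Attack not possible"
    *)            echo unknown ;;
  esac
}

# audit <domain> <email_button> <sso_button> <txt-records>
audit() {
  _verified=$(printf '%s\n' "$4" | domain_verified)
  printf '%-20s verified=%-3s %s\n' "$1" "$_verified" \
    "$(classify "$2" "$3" "$_verified")"
}

# Constructed sample observations (placeholder domains and TXT records).
audit no-sso.example   yes no  '"v=spf1 -all"'
audit optional.example yes yes '"constructed-anthropic-verification=PLACEHOLDER"'
audit enforced.example no  yes '"constructed-anthropic-verification=PLACEHOLDER"'
```

For a live check of your own domain, pipe `dig -t TXT +short yourdomain` into `domain_verified` and pass the result to `classify` together with the buttons you see on the login page.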
### Deducing the status of the target domain

| | Domain not verified | Domain verified |
|---|---|---|
| No SSO | 🟢 Attack possible | 🟡 Try your luck. But there are few reasons to verify a domain and not have SSO other than blocking sign-ups. |
| SSO enabled, but not enforced | ⭕ Status does not exist | 🟡 Try your luck |
| SSO enforced | 🔴 Attack not possible | 🔴 Attack not possible |

One thing to remember: this covers only defenses using Anthropic’s hardening steps. As we can see, there are other ways companies can protect themselves (see Remediation section: “If you do not have a Claude Team / Claude Enterprise”), which would not show up in our reconnaissance here.

✅ The bottom line for us right now: we can attack employees at haussner.me.

### Detour: How many Dow-30 members are susceptible to the attack?

Just to get a rough idea of how vulnerable typical setups are out in the wild, I quickly listed the Dow-30 members (https://www.cnbc.com/markets/dow-30/), got their main domains and enumerated if they are attackable. Turns out 63% of them are not protected against this attack:

The 2 companies that are “maybes” do have SSO enabled, but not enforced. For not a single one of the companies without SSO in place was I able to retrieve a domain verification via DNS.

This is a huge attack vector, given that these are the major corporate players in the western hemisphere…

## Ways of delivering the phish

ℹ️ I wanted to show this to you, fellow reader, so you understand our choices on how to set up the Team in the next main chapter. My personal timeline was the other way around: I set up the Team, learned and researched how to deliver the phish, cursed, redid a whole bunch of stuff, did it again, you know the game. I am going to spare you the trouble. I just mention this so you are not puzzled by the continuity error.
Now that we know we can attack employees with a haussner.me email address, we briefly need to look at the ways we can deliver the phish. This will determine the exact settings we will use later when setting up the malicious Team.

Anthropic offers four main ways of getting people to join a Team (see the docs, they mention the first three ways here: https://support.claude.com/en/articles/13566435-find-and-join-a-team-or-enterprise-organization):

Let’s have a closer look at those ways and how we can customize them.

### The “Invite link”

As the Team owner/admin, you can generate an invite link and send it however you want to the target (email, Slack, Signal, you name it). For our case this is not super interesting: we would need to set up infrastructure and build some sort of rapport with the target, since the communication would originate from us directly.

This link works many times, until it is invalidated by the admin or hits its max age:

🟨 Probably not too interesting for us as attackers, since we need to bundle the link up in a ruse and custom infrastructure.

### The “Admin invitation”

As the Team owner/admin, you can assign an invitation to a target directly in the admin console. This triggers Anthropic to send out an email with an invite link embedded. The crucial part: the email originates from @mail.anthropic.com and we as attackers do not need any infrastructure or clean history for that.

To add the user peter.gibbons@haussner.me, you first need to whitelist the domain haussner.me (you can do that without verifying you are associated with the domain; this is a security feature to protect your Team, not to protect the domain in question). The other domain in the screenshot, partner.anthropic-evaluation.com, is the one we bought for this blog post and used to create the malicious Team, more on that later.
Then you can add the user:

And the email Peter receives looks like this, with the strings we can influence color coded:

- Blue - the Team name
  - can be freely influenced and changed later on
  - shows up three times
- Pink - the name of the admin inviting the target user
  - can be freely influenced and changed later on
  - if two or more admins exist, this always shows the name of the admin who clicked the invite button
- Yellow - the email of the admin inviting the user
  - is set when the admin signs up with Anthropic and cannot be changed (however, you can invite an admin with a different address and if needed retire the first one)
  - this email needs to exist and you need access, so you can receive the initial magic login link and for further logins, if needed
  - the domain part can be influenced by buying a domain - in our case it’s partner.anthropic-evaluation.com
  - the name part can be freely influenced, if you own the domain and the mailserver

✅ This in most cases will be our way in. Anthropic sends out our invite, and we get to customize quite a bit. We are going to look at details later, but who says a name field can only contain a name…

### “Organization discovery”

Organization discovery is a feature that is enabled by default for the domain that is being used to create the Team (see the docs: https://support.claude.com/en/articles/13566435-find-and-join-a-team-or-enterprise-organization):

If this is active, Anthropic will tell any user signing up with such a domain that there is a Team, and nudge them to join it. In the example we register the account org.discovery@partner.anthropic-evaluation.com:

As the owner of the Team, we can decide if such users can sign up automatically, or if we want to review sign-up requests.
In this case, we opted for the latter and the user sees:

Now, we could allow the access:

What I did not find in the docs, but could observe in real life (most of the time this is more accurate anyways): if Organization discovery is on, users who signed up with this domain before the Team got created get prompted within Anthropic’s tooling, e.g. in Claude Desktop, to join the Team:

We see something similar if we try to upgrade our personal plan:

We can join without leaving the safe comfort of our Claude Desktop session - either by applying for a seat:

Or, if the admin settings allow it, by just clicking “Join” and being redirected to the landing page:

✅ This is a really cool feature to abuse, since it is highly invasive - it even shows up for users who already are using the tooling on a personal plan (aka power users willing to pay out of pocket). Also, it hits the targets directly in the trusted application environment, none of those pesky emails that try to trick you, just good old Claude being helpful. However, we need access to an email address of the target domain to pull it off. More on that later.

### Peer2Peer invites

If the administrative settings of the Team allow it, regular users can invite their colleagues directly. In the example, Peter Gibbons (our first phishing victim) is going to invite his good buddy Milton Waddams:

This lets the user even choose between the different whitelisted domains:

This is being sent to the admin Bill Lumbergh (again, this is us, the attacker) for review:

And if we acknowledge the invite, this is the email that finally gets sent to Milton Waddams - an invitation from his fellow colleague Peter Gibbons, mentioning the official haussner.me domain, coming from @mail.anthropic.com. It does not get more legit 💯:

✅ Once one person fell for our phish, and in return invites others, this is not phishing or social engineering anymore, it’s an internal worm. From our point of view as the attacker, this is pure gold.
Associated with cost per seat, of course, but since we can review all the internal invites, we can approve only the ones that look juicy after a quick look on LinkedIn…

## Setup of our malicious Claude Team

Now that we know our target, and we know how we can deliver our phish and how we can customize it, we set up our Team:

Keep in mind: the first way of sending the phish is most probably going to be the “Admin invitation”.

### Choosing a domain for the attacker

In the examples before, we used @partner.anthropic-evaluation.com as the email domain that should get shown in the invitation we have Anthropic send out for us. For this, the domain anthropic-evaluation.com got registered, and a mailserver tied to partner.anthropic-evaluation.com. This is straightforward, once you have found the right domain. Keep in mind: there is no reason to look out for domain reputation, since we can fully hide behind Anthropic’s anthropic.com for sending mail.

We needed to buy a domain, because we defined ourselves as an external attacker who wants to attack Haussner Inc., has no access to a @haussner.me email inbox, and liked the ruse of “Early Access for Evaluation”. Another attacker would need to think of another ruse and thus another domain. Easy.

But keep in mind: the attacker might have access to an email address with the domain @haussner.me. This would allow them to use the “Organization discovery” feature to deliver their phish. There are several ways an attacker might get that level of access:

- Insider Attack: the attacker is a disgruntled employee who wants to get back at their company or a coworker. Not unheard of.
- Breach Data: the attacker just buys access to some corporate inbox and goes from there. This could be a very lowly privileged mailbox. However, having access to a mailbox for the target domain is enough to start the attack.
- “Ticket Trick” Misconfiguration (read the original research, https://medium.com/intigriti/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c, by Inti De Ceukelaire, https://be.linkedin.com/in/intidc, Founding Member at Intigriti, https://www.intigriti.com/, it’s worth it): the attacker just needs to receive emails for the domain, not even write them. This is not unheard of, think throwaway mailboxes etc. - use your imagination.

However, there are some reasons why using an external address might be better than using an internal address:

| | External Address | Internal Address |
|---|---|---|
| Legit out of the box | 🟡 Depending on your ruse it can look ok, but it’s never going to be perfect. | 🟡 If you only have access to some.person.in.housekeeping@haussner.me, you need a good story to back up why they would invite people to join a Claude Team. |
| Fully customizable address | 🟢 It’s your domain, your control. | 🔴 You have to live with the address you have access with, a change in the