Security Research Reveals Critical Phishing Vulnerability in Anthropic's Claude Teams
Key Takeaways
- ▸Claude Teams can be exploited for phishing attacks with minimal investment, allowing attackers to send invitations that appear to come from Anthropic itself
- ▸Users who join malicious Claude Teams and enable Claude Code can be compromised with remote code execution capabilities on their machines
- ▸63% of Dow-30 companies are currently vulnerable to this attack, highlighting the scale of potential exposure among Fortune 500 enterprises
Summary
A new security research article demonstrates a sophisticated attack chain that exploits Anthropic's Claude Teams to conduct phishing campaigns with minimal cost ($125) and significant impact. The attack leverages Anthropic's own invitation infrastructure to socially engineer users into joining attacker-controlled teams, making the malicious invitations appear to come from Anthropic itself rather than the attacker. Once users join the team and utilize Claude Code, attackers can execute arbitrary code on the victim's machine without the user ever seeing direct communication from the attacker.
The researcher, who works as a red team security professional, discovered that the vulnerability stems from how Claude Teams openly share domain information and allow team creation without robust verification. The attack chain includes three key phases: enumerating target companies, delivering phishing invitations through Anthropic's official channels, and exploiting users who enable Claude Code to achieve remote code execution. The research identifies that 63% of Dow-30 companies currently lack protections against this attack vector, indicating widespread vulnerability among major enterprises.
The researcher emphasizes this is not a zero-day or undisclosed vulnerability, but rather a demonstration of how legitimate features can be chained together maliciously. The analysis includes detailed breakdowns of attack prerequisites, enumeration techniques, phishing delivery methods, and exploitation strategies, along with recommendations for how organizations can protect themselves. Notably, the researcher registered a test domain (anthropic-evaluation.com) purely for research purposes and has explicitly stated it was never used for malicious activities.
- The vulnerability stems from Anthropic's domain-based team creation and invitation model, which lacks robust verification of team legitimacy
Editorial Opinion
This research exposes a fundamental tension in Claude Teams' design between user convenience and security. While allowing teams to auto-invite users from the same domain streamlines legitimate onboarding, the vulnerability demonstrates how Anthropic's trust model—where users inherently trust official-looking company communications—can be weaponized by determined attackers. Organizations should immediately audit team memberships and consider restricting Claude Code access until Anthropic implements stronger domain verification, team approval workflows, or sandboxing for code execution. This research is a timely reminder that even well-intentioned AI platform features require adversarial security review before deployment.
