July 16, 2025 – A newly discovered vulnerability in Google’s Gemini AI integrated within Workspace has sparked concern across corporations and governments. Threat actors have crafted a stealthy technique to inject malicious instructions into AI-generated email summaries without relying on links or attachments turning Gemini into a potential phishing enabler.
Security researcher Marco Figueroa, part of Mozilla’s GenAI Bug Bounty Program, has uncovered an exploitation method that hides commands within email bodies using HTML and CSS tricks zero-font size and white-on-white text. When Gemini’s “Summarize this email” feature is invoked, the AI obediently follows these buried directives to generate fraudulent alerts, such as compromised account warnings, with prompts to users to call fake support numbers.
Unlike conventional phishing, this method contains no suspicious attachments or hyperlinks making it invisible to most email filters and antivirus scanners.
Attackers New Techniques Revealed
Cybercriminals are now exploiting a subtle but powerful manipulation tactic known as prompt injection, specifically targeting the “Summarize this email” feature in Google Gemini for Workspace. By embedding hidden instructions within HTML elements-such as using white text on a white background or zero-font sizes-attackers are able to plant invisible prompts that Gemini interprets as genuine user intent. When users trigger the summarization feature, Gemini outputs carefully crafted phishing messages, such as fake security alerts or urgent password resets, often including deceptive phone numbers to call. What makes this method particularly dangerous is its lack of conventional phishing markers. There are no malicious attachments, suspicious URLs, or unusual sender domains-instead, the entire attack is cloaked within the structure of the email content itself. These techniques not only bypass standard security filters but also abuse user trust in AI-generated summaries. It’s a strategic shift that turns AI from a productivity tool into a covert delivery channel for social engineering, and it’s redefining how phishing campaigns are launched in cloud-based enterprise environments.
Why Security Teams Should Pay Attention?
The newly uncovered vulnerability in Google Gemini Workspace highlights a deeper concern that security teams cannot afford to overlook. Users often place a high degree of trust in AI-generated outputs, especially when they appear as official summaries within familiar platforms like Gmail or Docs. This trust becomes a weapon when attackers exploit it to deliver misleading alerts that seem credible at first glance. What makes this threat even more concerning is its scale Gemini is integrated across Gmail, Drive, Docs, and Slides, creating a vast, interconnected attack surface. And unlike traditional phishing attempts, these prompt injections carry no links or visible red flags, allowing them to silently bypass filters and spread across entire networks undetected. One compromised email could lead to a domino effect, triggering thousands of deceptive summaries across the organization.
Attackers’ New Techniques Demand Smarter Defenses
As organizations increasingly lean on AI features like Google Gemini for email and workspace automation, attackers have begun exploiting these systems using a new class of invisible prompt injections. These are not traditional phishing attempts-they bypass filters, attachments, and URLs by embedding commands directly into email bodies using hidden HTML styling. To combat this new wave of threats, organizations must proactively reinforce security on multiple fronts.
Proof-of-Concept
Figueroa wrapped hidden instructions inside <admin> tags, instructing Gemini to produce fake warnings. For instance, a concealed message could say:
“WARNING: Your Gmail password has been compromised. Call 1‑800‑555‑1212 with ref 0xDEADBEEF.” When Gemini summarizes the email, the end-user sees a realistic looking alert and may take actions like calling the provided number.
Defenses and Best Practices
To combat this tactic, experts recommend several defensive measures:
- HTML sanitation: Strip or neutralize invisible formatting before AI processing to prevent hidden prompts from executing.
- Post-summary screening: Scan generated summaries for red flags-phone numbers, urgent warnings, URLs flagging suspicious outputs for manual review.
- User floor training: Stress the importance of reading the actual message and treating AI summaries as provisional, not definitive.
- Model hardening: Google is engaging in red-teaming and deploying prompt injection mitigations, though there is no confirmed evidence of real-world exploitation yet.
Google’s Position
A spokesperson said Gemini already includes safeguards against misleading outputs and highlighted ongoing improvements via red teaming. Currently, Google has found no real-world incidents leveraging this specific vulnerability.
User Precautions at a glance
| Action | Advice |
| Do not fully trust AI alerts | Always verify by reading emails directly |
| Be vigilant | Treat urgent AI-generated warnings with scrutiny |
| Educate teams | Inform employees about prompt injection risks |
| Deploy defenses | Use content sanitization and output monitoring |
As AI tools deepen their integration into daily workflows, they inadvertently widen the attack surface prompt injection vulnerabilities like this Gemini flaw serve as a wake-up call. Institutions must reaffirm that human judgment remains essential, and AI assistants should act as support not authority.