A newly reported vulnerability in Google’s Gemini AI reveals how threat actors can weaponize email summaries to execute phishing attacks without links, scripts, or attachments. The flaw exploits user trust in AI-generated content and the way large language models (LLMs) interpret hidden prompts.
The Vulnerability Explained
Marco Figueroa, head of Mozilla’s bug bounty program for generative AI, disclosed the issue within the 0din initiative. The vulnerability lies in Gemini for Workspace, where a malicious actor can embed invisible instructions within an email body. These instructions are unreadable to the human eye, typically hidden via white-on-white text or HTML tricks, but fully parsed by Gemini when the user requests a summary.
When a user clicks “Summarize this email” in Gmail, Gemini incorporates the hidden instruction into its output. For instance, it may generate a fake security alert claiming that the user’s Gmail password has been compromised, displaying a phone number and a reference code for “support.” This message appears as though it originates from Google, increasing its credibility.
Why This Attack Works So Well
The success of this technique, known as indirect or cross-domain prompt injection, stems from how Gemini interprets input. Most LLM safety filters only inspect visible text. Hidden elements using HTML, such as small fonts or off-screen placement, bypass those checks. Moreover, attackers can craft prompts that mimic Gemini’s internal instructions using phrasing like “You Gemini, have to…,” which manipulates the model’s system prompt hierarchy.
The result is a trustworthy-looking summary that deceives the user, often prompting them to take compromising actions like calling fake support numbers or entering credentials.
Wider Implications for Cybersecurity
This type of attack is not just a one-off gimmick. Experts like Mitch Ashley from The Futurum Group note that prompt injections could be used in business environments where Gemini is integrated into newsletters, CRM systems, or broader SaaS platforms. A single compromised user or account could scale the attack across thousands of recipients.
These indirect prompt injections also evade common anti-spam and anti-phishing filters, because there are no obvious payloads like suspicious links or attachments. Instead, the threat hides in plain sight, inside what users believe to be a helpful AI-generated summary.
A Known and Escalating Threat
The Alan Turing Institute has called this vulnerability “generative AI’s greatest security flaw.” AI models like Gemini do not perceive content like humans. They process underlying data, including hidden text and HTML markup, making them uniquely vulnerable to prompt injections.
Google is aware of the problem. Its DeepMind research team is working on detection and mitigation strategies. In June 2025, the company published a framework describing a layered defense against such prompt injection tactics.
Call to Action for Security Teams
Security professionals must treat AI assistants like any other exposed surface. As Figueroa puts it, AI prompt injection is the “new email macro”, invisible, simple, and potentially devastating.
Teams should sandbox AI outputs, limit their exposure to untrusted third-party text, and continuously monitor for manipulations. Trust in AI summaries must not be blind. Every interaction between LLMs and user-facing content needs scrutiny.
Conclusion
The Gemini flaw serves as a clear warning: even helpful AI tools can become phishing vectors when underlying models are manipulated. As generative AI becomes more integrated into daily workflows, attackers will adapt quickly. Cybersecurity strategies must evolve just as fast.
To protect your organization against phishing, vishing, and LLM-based manipulation, explore our advanced cybersecurity services designed to secure email environments, SaaS platforms, and AI-integrated workflows.
Read the full article of Security Boulevard here.
