A newly identified vulnerability in Google Gemini for Workspace allows attackers to embed invisible instructions in emails that cause Gemini to produce convincing fake security alerts when users click “Summarize this email.” This prompt-injection attack exploits HTML/CSS manipulation such as white-on-white or zero-size text to bypass email filters. The result is an AI-generated summary that appears to come from Google, directing users to phishing links or phone numbers. Researcher Marco Figueroa (0DIN.ai) demonstrated the vulnerability. Though no active exploitation has been recorded, the issue poses a significant phishing risk. Users should verify emails themselves rather than solely trusting AI summaries, and organizations are advised to filter suspicious hidden content and train staff accordingly.
Hidden Content Delivery
Attackers craft emails that look innocuous by embedding malicious instructions within otherwise normal HTML content. They wrap the payload in elements styled to be invisible for example, using <span style=”font-size:0px;color:#fff”> or <div hidden> or by placing it inside HTML comments. Human readers see only the legitimate text, but when Gemini’s summarization engine parses the raw HTML, it ingests these hidden nodes as part of the email body. This technique exploits the gap between what users see in the Gmail UI and what the AI model reads under the hood.
Summarization Pipeline Exploit
When a user clicks “Summarize this email,” Gemini retrieves the full MIME payload, including unrendered HTML. It then applies its Natural Language Understanding (NLU) pipeline to extract key points. During this process, no filtering is applied to remove CSS-based invisibility or HTML comments, so the hidden instructions are treated as genuine content. The model’s encoder-decoder architecture dutifully incorporates these directives into the output, crafting a summary that appears to originate from Google’s own security team.
Prompt Injection Mechanics
The hidden instructions typically follow a template such as:
“ALERT: Your account has been compromised. Please reset your password or call Support at 1-800-FAKE-NUM immediately.”
Because Gemini does not distinguish between user-visible text and concealed prompts, it outputs the entire message verbatim. This is an example of indirect prompt injection, where adversarial content is supplied via secondary channels rather than direct user queries.
Phishing Payload Structure
A typical exploit email comprises three parts:
This layered structure ensures that no suspicious links or attachments appear in the visible UI, maximizing the likelihood that users will trust and act on the AI-generated summary.
Broader Platform Risk
Although first observed in Gmail, this vulnerability extends to any Workspace app using Gemini’s summarization API including Docs, Chat, and Drive. Hidden prompts in shared documents or chat messages could trigger similar fake notifications, enabling attackers to scale social-engineering campaigns across collaboration tools. The lack of built-in sanitization in Gemini’s content ingestion pipeline makes every AI-enabled interaction a potential vector for abuse.
This attack shifts the trust paradigm: users expect Gemini summaries to be safe and attackers can weaponize that trust. By injecting content that looks like Google security alerts, attackers can trick users into phone-based phishing (vishing), credential theft, or social engineering-based breaches. As Gemini expands across Workspace, each integration spot becomes a potential AI-phishing “beachhead,” magnifying the threat.
https://www.darkreading.com/remote-workforce/google-gemini-ai-bug-invisible-malicious-prompts
