Google Gemini for Workspace has a serious problem: attackers can use it to create email summaries that appear completely normal but actually hide malicious instructions. This allows them to deceive users and lead them to phishing sites without the need for attachments or visible links.
How do they do it? They take advantage of a technique known as prompt injection, hiding commands within the email itself. When Gemini generates the summary, it follows these instructions without realizing that it is being manipulated.
And although Google has already implemented some measures since 2024 to curb this type of attack, the truth is that the technique still works. It is not a new flaw, but it is one that continues to be effective and dangerous.
How are attackers exploiting Google Gemini?
The exploit was discovered by Marco Figueroa, who leads the GenAI bug bounty program at Mozilla. He reported it through 0din, the bug bounty system Mozilla uses to find flaws in generative artificial intelligence tools.
And how exactly does the attack work? Quite creatively (and worryingly). An attacker can send an email that appears harmless, but actually hides a malicious instruction written specifically for Gemini. That instruction is camouflaged within the body of the email, at the end of the message, using HTML and CSS to make it invisible to the human eye: zero-size font, white on a white background... and that's it.
Gemini, unaware, reads that hidden directive and follows it when generating the email summary. The result: a manipulated summary that can deceive the user and direct them to a phishing site, without any suspicious links visible at first glance.
Creation of the malicious email (Source: 0DIN)
Why can this type of attack go unnoticed?
The most worrying thing is that the malicious instructions that attackers insert into the email are not visible in Gmail. Since there are no visible attachments or links, the message is likely to pass through security filters and arrive directly in the inbox without raising suspicion.
If the user opens the email and asks Google Gemini to generate a summary, that's where the problem occurs. Gemini will read those hidden instructions, interpret them as part of the actual message, and include them in the summary, unaware that it is being manipulated.
Marco Figueroa, the researcher who discovered this vulnerability, shared a clear example: Gemini generated a fake summary warning the user that their Gmail password had been compromised, and even displayed a fake “technical support” phone number, designed to lure the victim into calling and falling for the scam.
Result of Gemini summary served to the user (Source: 0DIN)
Many users trust the summaries generated by Gemini as just another feature within Google Workspace. And therein lies the problem: if the AI displays a security warning in the summary, users are very likely to accept it as legitimate, without suspecting that it is actually malicious manipulation hidden within the email.
This makes the attack particularly effective because it does not rely on suspicious links or attachments, but rather on the trust that people place in AI.
Read more: Why are we still falling for phishing attacks in the middle of 2025?
What can be done to detect and prevent these types of attacks?
The researcher who discovered the technique also proposed some mitigation measures that security teams can implement to reduce the risk:
-
Remove or ignore hidden content: Review the body of the email and remove any content with styles designed to hide it, such as text with white font or zero size.
-
Post-processing filters for AI: Implement an extra layer that reviews what Gemini generates. For example, scan summaries for red flags such as urgent messages, URLs, or phone numbers, and flag those that seem suspicious for manual review.
In addition, it is important to remember one key thing: Gemini summaries should not be taken as a reliable source of security alerts. If you see a message in a summary that mentions compromised passwords, support numbers, or urgent requests, it is best to carefully check the original email before clicking or taking any action.
Google's response
A Google spokesperson acknowledged the issue and responded with the following:
“We are constantly strengthening our already robust defenses through red team exercises that train our models to defend against these types of adversarial attacks.”
For now, there is no evidence that this technique is being used on a large scale, but that does not mean it cannot happen. As with any emerging technology, the risks are constantly evolving.