Hidden Directives in Gemini Email Summaries Open the Door to Phishing
A recently disclosed flaw in Google Gemini for Workspace reveals that the AI-powered email summary feature can be manipulated to generate phishing content, even when no links or attachments are present. The vulnerability enables attackers to embed invisible instructions within the body of an email, prompting Gemini to produce misleading summaries that appear entirely legitimate to unsuspecting users.
Security researcher Marco Figueroa, from Mozilla’s 0din bug bounty program, discovered the vulnerability and submitted it through their dedicated AI threat disclosure platform. He demonstrated how attackers can exploit Gemini’s summarization feature through indirect prompt injection techniques.
Source: 0DIN
How the Attack Works Without Using Links or Attachments
The method involves embedding a malicious instruction into an email using HTML and CSS. Specifically, the attacker sets the font size to zero and the text color to white, making the injected directive completely invisible in Gmail’s interface.
Because the email contains no links or attachments, it avoids common security filters and lands directly in the target’s inbox. When the recipient uses Gemini to summarize the email, the AI model reads and follows the hidden instruction—despite it being unreadable to the human eye.
Figueroa’s test shows Gemini generating a fake security alert that falsely claims the user’s Gmail password has been compromised and provides a phone number for immediate assistance. Since Gemini summaries are native to Google Workspace, the added legitimacy makes these fabricated warnings highly convincing.
“If you go and use Gemini to summarize the email, it obeys the hidden text and includes fake security instructions,” Figueroa explained in his report.
Source: 0DIN
Mitigations and Google’s Response
Figueroa recommends a few preventive measures for enterprise environments using Gemini:
- Strip or neutralize hidden content styled with zero-size fonts or invisible colors before AI processing.
- Post-process Gemini summaries to flag outputs containing phone numbers, URLs, or urgent language.
- Educate users that Gemini summaries should not be treated as authoritative for security messages.
When reached out to Google regarding defenses against this form of adversarial attack. A company spokesperson pointed to Google’s ongoing efforts to strengthen protections against prompt injection:
“We are constantly hardening our already robust defenses through red-teaming exercises that train our models to defend against these types of adversarial attacks,” said the Google spokesperson.
They added that several mitigation techniques are either being implemented or are set to roll out soon. Google emphasized that, so far, there is no evidence of this technique being exploited in the wild.
While mitigations are underway, the flaw underscores how AI tools like Gemini—especially in professional environments—can inadvertently become vectors for sophisticated phishing if content handling is not tightly controlled.
