Security researchers have discovered a clever method to trick Google's Gemini assistant into pushing fake warnings as part of its email summaries. By hiding instructions inside the code of an email, attackers can make Gemini generate alerts that look real but actually guide people straight into phishing traps.
The technique relies on a sneaky loophole. Instead of adding suspicious links or attachments that might trigger spam filters, attackers slip commands into the body of the email using styling tricks. They hide messages with white text, zero-sized fonts, or off-screen elements. These lines are invisible to the reader, but Gemini still sees them when it scans the email to create a summary.
Once the user clicks “Summarize this email,” Gemini includes whatever was buried in the background, even if it’s a fake security alert about a stolen password or an urgent request to call a phone number. The summary ends up sounding like a warning from Google itself, even though it's entirely fake. Because Gemini is part of Google Workspace, people tend to trust it, which makes the scam even easier to fall for.
This specific attack was flagged by Marco Figueroa, who submitted his findings to Mozilla’s 0din bug bounty program. According to the report, the trick works by wrapping hidden commands in tags like <Admin> or by addressing Gemini directly. The model tends to treat these prompts as important, so it repeats them word for word, even if they came from someone trying to cause harm.
There’s no need for users to click on links or download anything. The danger hides in plain sight, or more accurately, out of sight. As long as the message reaches someone who uses the summarization tool, the rest happens behind the scenes.
This kind of attack is called an indirect prompt injection. In simple terms, Gemini is being fed instructions without realizing they came from a shady source. Instead of typing a command into the AI directly, the attacker sneaks it into something Gemini is supposed to summarize. The model sees the prompt, follows it, and out comes a message that looks official but isn’t.
What makes the attack so sneaky is that it plays with trust. Gemini has built-in safety systems, but most focus on filtering out dangerous content the user can see. These hidden tricks sidestep that protection. Since Gemini still processes the email’s raw HTML, anything tucked inside it, whether it’s white-on-white text or invisible tags, gets through.
Security experts say the best defense is a mix of smart filtering and better training. Email systems should strip out or ignore code that hides text from human eyes. AI models like Gemini could also use guardrails that flag or ignore anything hidden in this way. Another option is adding post-checks to summaries, scanning them for urgent phrases, phone numbers, or suspicious patterns before showing them to users.
The problem isn’t limited to email either. Gemini is tied into other parts of Google’s tools, including Docs, Slides, and Drive. That means any app where Gemini summarizes user content could become a new target if attackers use the same approach. In businesses, newsletters, or automated ticketing systems, a single poisoned email could trigger a much wider spread.
Similar injection tactics could also be adapted to other AI tools, such as ChatGPT, Claude, or Grok, wherever those systems summarize outside content without isolating hidden instructions.
Some researchers warn that this trick could evolve into something more dangerous down the road. It’s not just a phishing problem, it could grow into a way for attackers to spread commands automatically from inbox to inbox, like digital worms that travel through AI models instead of computer code.
Although Google says it hasn’t seen this kind of exploit being used in real-world attacks yet, the company has confirmed that it’s working on new protections. Until those are in place, users and security teams are being advised not to treat Gemini summaries as rock-solid truth. If something smells off, it probably is.
At the end of the day, if someone can get a machine to whisper something behind your back, and make it sound like it came from a trusted source, then even invisible words can pack a punch.
Note: This post was edited/created using GenAI tools.
Read next: The Reality Of Coding A Website Isn’t What Most People Expect
The technique relies on a sneaky loophole. Instead of adding suspicious links or attachments that might trigger spam filters, attackers slip commands into the body of the email using styling tricks. They hide messages with white text, zero-sized fonts, or off-screen elements. These lines are invisible to the reader, but Gemini still sees them when it scans the email to create a summary.
Once the user clicks “Summarize this email,” Gemini includes whatever was buried in the background, even if it’s a fake security alert about a stolen password or an urgent request to call a phone number. The summary ends up sounding like a warning from Google itself, even though it's entirely fake. Because Gemini is part of Google Workspace, people tend to trust it, which makes the scam even easier to fall for.
This specific attack was flagged by Marco Figueroa, who submitted his findings to Mozilla’s 0din bug bounty program. According to the report, the trick works by wrapping hidden commands in tags like <Admin> or by addressing Gemini directly. The model tends to treat these prompts as important, so it repeats them word for word, even if they came from someone trying to cause harm.
There’s no need for users to click on links or download anything. The danger hides in plain sight, or more accurately, out of sight. As long as the message reaches someone who uses the summarization tool, the rest happens behind the scenes.
This kind of attack is called an indirect prompt injection. In simple terms, Gemini is being fed instructions without realizing they came from a shady source. Instead of typing a command into the AI directly, the attacker sneaks it into something Gemini is supposed to summarize. The model sees the prompt, follows it, and out comes a message that looks official but isn’t.
What makes the attack so sneaky is that it plays with trust. Gemini has built-in safety systems, but most focus on filtering out dangerous content the user can see. These hidden tricks sidestep that protection. Since Gemini still processes the email’s raw HTML, anything tucked inside it, whether it’s white-on-white text or invisible tags, gets through.
Security experts say the best defense is a mix of smart filtering and better training. Email systems should strip out or ignore code that hides text from human eyes. AI models like Gemini could also use guardrails that flag or ignore anything hidden in this way. Another option is adding post-checks to summaries, scanning them for urgent phrases, phone numbers, or suspicious patterns before showing them to users.
The problem isn’t limited to email either. Gemini is tied into other parts of Google’s tools, including Docs, Slides, and Drive. That means any app where Gemini summarizes user content could become a new target if attackers use the same approach. In businesses, newsletters, or automated ticketing systems, a single poisoned email could trigger a much wider spread.
Similar injection tactics could also be adapted to other AI tools, such as ChatGPT, Claude, or Grok, wherever those systems summarize outside content without isolating hidden instructions.
Some researchers warn that this trick could evolve into something more dangerous down the road. It’s not just a phishing problem, it could grow into a way for attackers to spread commands automatically from inbox to inbox, like digital worms that travel through AI models instead of computer code.
Although Google says it hasn’t seen this kind of exploit being used in real-world attacks yet, the company has confirmed that it’s working on new protections. Until those are in place, users and security teams are being advised not to treat Gemini summaries as rock-solid truth. If something smells off, it probably is.
At the end of the day, if someone can get a machine to whisper something behind your back, and make it sound like it came from a trusted source, then even invisible words can pack a punch.
Note: This post was edited/created using GenAI tools.
Read next: The Reality Of Coding A Website Isn’t What Most People Expect
