https://0din.ai/blog/phishing-for-gemini
Google’s Gemini for Workspace contains a critical flaw that allows attackers to hijack email summaries and redirect users to phishing sites without using traditional attachments or direct links. The vulnerability, discovered by a Mozilla researcher, exploits indirect prompt injections hidden within emails that manipulate Gemini’s summary generation process. Despite Google implementing safeguards against similar attacks reported since 2024, the technique continues to prove effective against the AI system.
The attack method involves crafting emails with invisible malicious instructions embedded in the message body using HTML and CSS styling that sets font size to zero and colour to white. These hidden directives remain invisible to Gmail users but are parsed and executed by Gemini when generating email summaries. When recipients request a summary, the AI follows the concealed commands and can produce fraudulent security warnings, such as alerts about compromised Gmail passwords accompanied by fake support phone numbers, creating highly convincing phishing attempts.
The vulnerability poses significant risks because users typically trust Gemini’s output as legitimate Google Workspace functionality, making them more susceptible to deception. Google has acknowledged the issue and stated they are continuously hardening defenses through red-teaming exercises, though some mitigations are still being implemented. It is recommended that organisations implement post-processing filters to scan Gemini output for urgent messages, URLs, or phone numbers, while users should remain skeptical of security alerts generated through AI summaries rather than official Google communications.