Users are advised not to trust Gemini summaries as definitive security alerts due to potential manipulation.

The exploit was disclosed by Mozilla researcher Marco Figueroa through the Mozilla bug bounty program for generative AI tools.

Google Gemini for Workspace has a vulnerability that allows attackers to embed hidden malicious instructions within email summaries, leading to potential phishing attacks.

Researchers warn that compromised SaaS accounts could serve as phishing hubs, amplifying the threat through automated email campaigns.

Mitigation strategies include HTML sanitization, using LLM firewalls, and training users to treat AI-generated summaries as informational rather than authoritative.

The flaw affects multiple Google Workspace apps, including Gmail, Docs, Slides, and Drive, raising concerns about AI-driven propagation of malicious content.

AI providers like Google are advised to implement HTML sanitization, improve context attribution, and enhance explainability to counteract this vulnerability.

Security experts classify this as an indirect prompt injection (IPI) with moderate social impact, according to the 0DIN taxonomy.

Malicious content is hidden in email bodies through indirect prompt injections, rendering it invisible to users.

Security teams can mitigate these threats by neutralizing hidden email content and scanning Gemini's output for suspicious messages.

Google is actively working to improve defenses against such prompt injection attacks, though no confirmed incidents have been reported so far.

This vulnerability involves a prompt-injection technique where crafted HTML and CSS in emails manipulate Gemini's processing, causing it to display fabricated security alerts.

Attackers can insert invisible elements that generate urgent security warnings, prompting users to call phone numbers or visit phishing sites.

The attack exploits hidden malicious instructions using invisible HTML and CSS, making detection difficult without links or scripts.