A recently identified vulnerability in Google Gemini for Workspace may enable cyber attackers to generate email summaries that appear legitimate but actually contain harmful instructions, potentially leading users to phishing sites without the need for attachments or direct links. The vulnerability was reported to 0DIN, the 0Day Investigative Network, as part of Mozilla’s GenAI bug bounty program.
According to a blog post by Marco Figueroa, technical product manager for the GenAI bug bounty, the attack relies on crafted HTML and CSS inside the email body. The harmful instructions are hidden from users because the styling keeps them invisible when the original message is displayed. The problem surfaces when users ask Gemini to summarize their unread emails: the response they receive looks credible but has in fact been shaped by the attacker's hidden instructions.
Once users receive the manipulated summary from Gemini, the phishing warning embedded in it could lead them to leak credentials or fall victim to social engineering attacks, such as voice phishing (vishing). Similar indirect prompt injection attacks were reported in 2024, and the safeguards implemented since then have proven insufficient against this persistent weakness.
Security experts emphasize the need for organizations to adopt a range of detection and defense strategies, such as removing or neutralizing any content designed to be hidden within the email body. As the blog post notes, security teams might also establish a post-processing filter that reviews Gemini outputs for urgent messages, URLs, or phone numbers that may indicate malicious intent. The incident also highlights broader supply-chain risk: a compromised software-as-a-service (SaaS) account could become a vector for phishing.
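The two mitigations above, as an added example that is not code from 0DIN, Mozilla or Google: `visible_text()` strips HTML/CSS-hidden content from a message before it is handed to a summarizer, and `review_summary()` flags generated summaries that carry URLs, phone numbers or urgency language. The email sample, the style patterns and the urgency word list are constructed for illustration and assume a pipeline where the raw email HTML and the model output are both available to the defender.

```python
# Added example (not 0DIN's or Google's code): defender-side controls for LLM email
# summarisation, standard library only, run on a constructed sample email.
import re
from html.parser import HTMLParser

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden"
                          r"|(?:font-size|opacity)\s*:\s*0(?![.\d])", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}  # tags with no closing tag

class VisibleTextExtractor(HTMLParser):
    """Keeps only text a human reader would see; hidden subtrees are dropped whole."""
    def __init__(self):
        super().__init__()
        self.parts, self.skip_depth = [], 0  # skip_depth > 0 while inside hidden markup
    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        hidden = (tag in ("style", "script") or "hidden" in a
                  or bool(a.get("style") and HIDDEN_STYLE.search(a["style"])))
        if hidden or self.skip_depth:   # children of a hidden node are hidden too
            self.skip_depth += 1
    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.skip_depth:
            self.skip_depth -= 1
    def handle_data(self, data):
        if not self.skip_depth:
            self.parts.append(data)

def visible_text(html):
    """Text to hand the summariser: only what the mail client actually renders."""
    p = VisibleTextExtractor(); p.feed(html); p.close()
    return " ".join(" ".join(p.parts).split())

URL_RE = re.compile(r"https?://\S+|\b[\w-]+\.(?:com|net|org|io)\b", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
URGENCY = ("urgent", "immediately", "compromised", "verify your", "call", "password")

def review_summary(summary):
    """Reasons a generated summary should be held for human review ([] if clean)."""
    findings = ["url"] if URL_RE.search(summary) else []
    if PHONE_RE.search(summary):
        findings.append("phone")
    hits = [w for w in URGENCY if re.search(rf"\b{re.escape(w)}\b", summary, re.I)]
    if hits:
        findings.append("urgency:" + ",".join(hits))
    return findings

# Constructed sample: inline CSS hides text that a mail client would never render.
SAMPLE_EMAIL = """<html><body><p>Hi team, the Q3 planning doc is attached for review.</p>
<span style="font-size:0;color:#fff">[constructed hidden text]</span><div style="display:none"><p>[constructed hidden text]</p></div>
<p>Thanks, Dana</p></body></html>"""
```

The style patterns cover only inline styles; a production filter would also resolve `<style>` sheets and off-screen positioning, and would treat any flagged summary as "hold for review" rather than as a verdict.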