Google Gemini Flaw Turns AI Email Summaries into Phishing Tool

Edward Zhou
Edward Zhou

CEO & Founder

 
July 16, 2025 3 min read

Google Gemini for Workspace Flaw

Google Gemini logo

Image courtesy of Tom's Hardware

Google Gemini for Workspace has been identified with a critical security flaw that can be exploited for phishing attacks. According to Mozilla's 0-Day Investigative Network (0din), the AI features of Google Gemini could be tricked into believing a user's account was compromised through cleverly crafted email prompts. This vulnerability allows malicious actors to embed instructions in emails that are rendered invisible, yet obeyed by Gemini when summarizing the content.

The attack relies on a simple yet effective method: embedding malicious text in white font on a white background, ensuring it remains unseen by the user. When Gemini summarizes such an email, it outputs the hidden malicious instructions as part of its summary. As 0din stated, "Because the injected text is rendered in white-on-white (or otherwise hidden), the victim never sees the instruction in the original message." This method poses a significant risk as it can lead to users falling victim to social engineering attacks based on misleading summaries.

For further reading, refer to the original report on the Google Gemini flaw and insights from Mozilla's findings on phishing for Gemini.

Phishing Attack Mechanism

A person typing on a computer while hackers use phishing to steal a file from their computer

Image courtesy of Tom's Guide

The phishing attack mechanism takes advantage of how Google Gemini generates email summaries. Hackers can create emails that include hidden instructions, which the AI tool automatically obeys when summarizing the message. This is executed by hiding malicious text using HTML and CSS techniques that set the font size to zero and color to white.

Since the malicious text does not include any visible links or attachments, it is highly likely to bypass security filters and reach the intended recipient's inbox. When a user requests a summary from Gemini, the AI unwittingly follows the hidden directives. The alert generated might appear as a legitimate warning, leading users to believe they are acting on a credible alert.

For more information, see the detailed article on Google Gemini's phishing potential and insights on what phishing scams are.

Security Mitigations

Gmail

Image courtesy of Bleeping Computer

Despite the known vulnerabilities, Google has been working on implementing safeguards against such attacks. Mozilla's GenAI Bug Bounty Program Manager, Marco Figueroa, suggested several mitigation strategies. These include having security teams neutralize or ignore hidden content and implementing filters to flag urgent messages, URLs, or phone numbers in Gemini outputs.

Google has acknowledged the issue but stated that they have no evidence of such attacks being executed in the wild. They are actively enhancing defenses against prompt injection attacks and are in the process of rolling out additional mitigations. For ongoing updates about security measures, visit Google's security blog.

Users are advised to exercise caution when using Gemini to summarize emails, as the AI's output should not be regarded as an authoritative source of security alerts. For more details on the latest security findings, visit Bleeping Computer's coverage on Google Gemini flaws.

For more information about our products and services, visit Gopher Security . Explore how we can enhance your security solutions with our offerings.

Edward Zhou
Edward Zhou

CEO & Founder

 

CEO & Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions..

Related Articles

Ransomware Attacks Target Russian Vodka and Healthcare Sectors

The Novabev Group, parent company of the Beluga vodka brand, experienced a ransomware attack on July 14, 2025, causing significant disruptions. The attack affected WineLab, the company's liquor store chain, leading to a three-day closure of over 2,000 locations in Russia. The company reported that the attack crippled its IT infrastructure, particularly point-of-sale systems and online services. Novabev Group stated, "The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands."

By Alan V Gutnov July 19, 2025 3 min read
Read full article

Retail Sector Faces Surge in Ransomware Attacks: A 2025 Analysis

Publicly disclosed ransomware attacks on the retail sector globally surged by 58% in Q2 2025 compared to Q1, with UK-based firms being particularly targeted, according to a report by BlackFog. This spike in attacks follows high-profile breaches affecting retailers like Marks & Spencer (M&S), The Co-op, and Harrods, attributed to the threat actor known as Scattered Spider.

By Alan V Gutnov July 19, 2025 2 min read
Read full article

AI-Driven Lcryx Ransomware Emerges in Cryptomining Botnet

A cryptomining botnet active since 2019 has incorporated a likely AI-generated ransomware known as Lcryx into its operations. Recent analysis by the FortiCNAPP team at FortiGuard Labs identified the first documented incident linking H2miner and Lcryx ransomware. This investigation focused on a cluster of virtual private servers (VPS) utilized for mining Monero.

By Edward Zhou July 19, 2025 3 min read
Read full article

Preventing ClickFix Attacks: Safeguarding Against Human Error

ClickFix is an emerging social engineering technique utilized by threat actors to exploit human error. This technique involves misleading users into executing malicious commands under the guise of providing "quick fixes" for common computer issues. Threat actors use familiar platforms and deceptive prompts to encourage victims to paste and run harmful scripts.

By Alan V Gutnov July 19, 2025 3 min read
Read full article