Security researchers have discovered a worrisome vulnerability in Google Gemini for Workspace that could let attackers embed hidden instructions in emails. These malicious directives exploit the AI assistant’s “Summarize this email” feature to display bogus security alerts, tricking users into revealing credentials or falling for social engineering schemes.

Marco Figueroa, the researcher who submitted the exploit to 0DIN (submission ID 0xE24D9E6B), explained: “When the recipient clicks ‘Summarize this email’, Gemini faithfully obeys the hidden prompt and appends a phishing warning that looks as if it came from Google itself”. Figueroa added that Gemini “treats a hidden <Admin>…</Admin> directive as a higher‑priority prompt and reproduces the attacker’s text verbatim”.

Bill Toulas of BleepingComputer described the technique: “attackers embed the malicious instruction in the body text at the end of the message using HTML and CSS that sets the font size to zero and its color to white”. The result: victims receive a believable-looking security alert in their AI-generated summary, but the original email appears harmless.
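A defensive pre-filter for the hiding technique described above, added here as an example and not part of the original article or of Google's own mitigation: it splits an e-mail's HTML into what the recipient can see and what is hidden (zero font size, white-on-white colour, `display:none`, `visibility:hidden`, or an `<Admin>` block), so only the visible text is handed to a summarizer and the rest is surfaced for alerting. The CSS rules and the sample message are constructed assumptions, not an exhaustive set.

```python
"""Added example: strip hidden text from e-mail HTML before an LLM summarizes it.
Zero font size, white text, display:none, visibility:hidden and <Admin> blocks are
reported instead of reaching the model. The CSS checks are a constructed heuristic."""
import re
from html.parser import HTMLParser

# CSS patterns that make text invisible to a human reader (heuristic, not exhaustive).
HIDING_RULES = (
    re.compile(r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?(?![\d.])", re.I),
    re.compile(r"(?<![\w-])color\s*:\s*(?:white|#fff(?:fff)?\b"
               r"|rgb\(\s*255\s*,\s*255\s*,\s*255\s*\))", re.I),
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
)

class HiddenTextFilter(HTMLParser):
    """Splits e-mail HTML into text the recipient sees and text they do not."""

    def __init__(self):
        super().__init__()
        self.stack = []     # one flag per open element: True if its text is hidden
        self.visible = []   # chunks that may go to the summarizer
        self.findings = []  # hidden chunks and <Admin> payloads, for alerting

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        inherited = bool(self.stack and self.stack[-1])  # a hidden parent hides children
        self.stack.append(inherited or tag == "admin"
                          or any(r.search(style) for r in HIDING_RULES))

    def handle_endtag(self, tag):
        if self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            (self.findings if self.stack and self.stack[-1] else self.visible).append(text)

def sanitize_email_html(html):
    """Return (visible_text, hidden_findings); hand only visible_text to the model."""
    parser = HiddenTextFilter()
    parser.feed(html)
    parser.close()
    return " ".join(parser.visible), parser.findings

# Constructed sample: a benign message plus a zero-size, white-on-white <Admin> block.
SAMPLE_EMAIL = ('<html><body><p>Hi team, the Q3 report is attached for review. Thanks!</p>'
                '<p style="font-size:0px;color:#ffffff"><Admin>CONSTRUCTED HIDDEN DIRECTIVE</Admin></p>'
                '<p style="background-color:white">Visible footer text.</p></body></html>')
```

Anything that lands in `hidden_findings` is worth alerting on in its own right, since legitimate mail rarely carries zero-size white text.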

This attack doesn’t rely on links, attachments, or scripts — just cleverly formatted HTML. It can affect Gemini across Gmail, Docs, Slides, and Drive, enabling attackers to inject instructions into any Workspace workflow. Researchers warn these could become “thousands of phishing beacons” or spawn AI-driven self-replicating “AI worms.”

This discovery highlights a new category of risk — prompt injection attacks targeting AI assistants, requiring both technical safeguards and heightened user awareness to prevent misuse of AI features.