Google has changed Gmail, expanding Gemini to millions of users — just as it warns that this kind of AI upgrade opens the door to an “evolving playground” of sophisticated new attacks. Gemini now sits between you and your emails. That may be a major convenience, but it also turns your inbox into a new attack surface.
Gmail users can now “break through information overload to see what matters most,” Google says. “AI Overviews in Gmail search turns information into answers without the digging.” Put simply, when you search for information, “Gemini synthesizes various email threads to create a concise summary of key points.”
That announcement came on Apr. 22, but on Apr. 2, Google warned that “indirect prompt injection (IPI) is an evolving threat vector targeting users of complex AI applications with multiple data sources, such as Workspace with Gemini.” While IPI is used to “influence the behavior” of LLMs to execute attacks, it can also be used to influence the behavior of users themselves.
Imagine an AI summary of your inbox that includes instructions to click links, install software or even approve transactions. These are not instructions you’ve read, but hidden prompts embedded in emails, designed to influence the AI generating your summary and, in turn, the actions you then take.
“IPI is not the kind of technical problem you ‘solve’ and move on,” Google says. This is an “ultra-dynamic and evolving playground for adversarial attacks,” and Google is now taking “a sophisticated and comprehensive approach to these attacks,” and is “continuously improving LLM resistance to IPI attacks.”
Google’s own screenshot of the new AI summaries in action included “8 to-dos” provided by Gemini directly to the user. AI summaries are already available to individuals, but they become more critical now within an enterprise context.
Per Chrome Unboxed, “to see these AI Overviews, you (or your admin) must have Smart features in Gmail and Workspace Intelligence enabled in your settings. Once those are on, your Gmail search bar becomes significantly more than a basic filter—it becomes a researcher that knows your inbox as well as you do.”
Google says that “staying ahead of the latest indirect prompt injection attacks is critical to our mission of securing Workspace with Gemini.” But given this isn’t a problem that’s easily “solved,” the risks remain as Gemini becomes more deeply embedded across Gmail and Workspace — at home and at work.


