The process involves creating an email with an invisible directive for Gemini. An attacker can hide the malicious instruction in the body text at the end of the message using HTML and CSS that sets the font size to zero and its color to white.
The malicious instruction will not be rendered in Gmail, and because there are no attachments or links present, the message is highly likely to reach the potential target's inbox.
If the recipient opens the email and asks Gemini to generate a summary of the email, Google's AI tool will parse the invisible directive and obey it.
An example provided by Figueroa shows Gemini following the hidden instruction and includes a security warning about the user's Gmail password being compromised, along with a support phone number.
