Active AI Security Signals

Crawlable, source-attributed AI security intelligence translated into startup and SMB actions: what happened, why it matters, CyberSE analysis, and the relevant advisory path.

Source: thehackernews.com, 2026-06-04

WhatsApp, Slack Notifications Could Hijack Google Gemini on Android

Severity: Critical (88/100). Relevance: 98%

What happened

The report describes an indirect prompt injection flaw in Google Gemini for Android where malicious text embedded in notifications from apps like WhatsApp, Slack, SMS, Signal, Instagram, or Messenger was treated as executable instructions by the voice assistant, without needing any malicious app on the device.[1][2] According to the research, an attacker-crafted notification could drive Gemini to control smart-home devices, open tracking URLs, force-join Zoom calls, fake messages from trusted contacts, and even poison Gemini’s long-term memory at the account level.[1] Google has deployed server-side mitigations via improved content classification, but the attack surface demonstrates that any untrusted content source feeding an AI agent can silently become a control channel.[1][2] From a CyberSE.AI perspective, organizations using or building AI assistants that read notifications, inboxes, or messages should treat all such external content as untrusted, and use continuous AI red teaming to simulate indirect prompt injection via common channels (notifications, email, chat) before rollout.

CyberSE Analysis

This signal is mapped to indirect prompt injection and should be reviewed against agent permissions, sensitive data access, and SaaS integration boundaries.

Recommended actions

Restrict agent permissions, review data access, test prompt-injection scenarios, and verify human approval workflows for production actions.

Relevant to: Healthcare, Fintech, SaaS, SMB, AI startups

Source: thehackernews.com, 2026-05-29

ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface

Severity: High (82/100). Relevance: 97%

What happened

Researchers at Permiso Security disclosed a vulnerability in ChatGPT, dubbed "ChatGPhish," where the chatgpt.com renderer implicitly trusts Markdown links and images in web summaries, enabling attackers to inject malicious prompts and turn those summaries into a phishing vector.[1] According to the report, this allows hostile content embedded in third-party pages to influence ChatGPT's behavior or present deceptive UI elements to users when web content is summarized.[1] From a security perspective, this illustrates a classic indirect prompt injection and UI phishing risk whenever LLMs automatically render or act on untrusted external content. CyberSE.AI analysis: organizations integrating web-browsing LLM agents should enforce strict content sanitization, limit Markdown/HTML rendering, and continuously red-team agent behaviors against prompt injection and phishing-style manipulations.

CyberSE Analysis

This signal is mapped to indirect prompt injection and should be reviewed against agent permissions, sensitive data access, and SaaS integration boundaries.

Recommended actions

Restrict agent permissions, review data access, test prompt-injection scenarios, and verify human approval workflows for production actions.

Relevant to: Healthcare, Fintech, SaaS, SMB, AI startups

Source: SecurityBriefings AI, 2026-05-29

Indirect Prompt Injection via Corporate Emails Exploits Executive AI Agents

Severity: Critical (88/100). Relevance: 95%

What happened

Attackers can hide malicious instructions inside external data sources such as emails or ticketing-system records. When an enterprise AI agent reads these inputs, it treats the hidden instructions as commands and executes the payload. This leads to data exfiltration, unauthorized tool operations, and complete agent hijack.

CyberSE Analysis

This signal is mapped to indirect prompt injection and should be reviewed against agent permissions, sensitive data access, and SaaS integration boundaries.

Recommended actions

Restrict agent permissions, review data access, test prompt-injection scenarios, and verify human approval workflows for production actions.

Relevant to: Healthcare, Fintech, SaaS, SMB, AI startups

Source: Microsoft Security Blog, 2025-03-03

Microsoft Warns of Nation-State Prompt Injection Campaigns Targeting AI Assistants and Copilots

Severity: Critical (88/100). Relevance: 98%

What happened

Microsoft reports that multiple nation-state threat actors are experimenting with prompt injection by embedding malicious instructions into emails, SaaS documents, and websites to manipulate enterprise AI assistants and Copilots, causing system prompts to be overridden and leading to data leakage, phishing amplification, and unauthorized actions via connected tools.[1] Microsoft also describes new safeguards such as content labeling, isolation, and grounding, and urges organizations, including SMBs and SaaS providers, to treat untrusted AI inputs as part of their attack surface.[1] From a CyberSE.AI perspective, this is a clear case of indirect prompt injection against AI agents that have tool and data access, requiring secure agent design, targeted red teaming of AI workflows, and business logic audits to prevent unintended actions or data exposure when assistants process untrusted content. Organizations should systematically assess where AI agents consume external content, define strict tool-use and data-access policies, and implement continuous testing and governance to keep these controls effective as attackers evolve.

CyberSE Analysis

This signal is mapped to indirect prompt injection and should be reviewed against agent permissions, sensitive data access, and SaaS integration boundaries.

Recommended actions

Restrict agent permissions, review data access, test prompt-injection scenarios, and verify human approval workflows for production actions.

Relevant to: Healthcare, Fintech, SaaS, SMB, AI startups

Source: WithSecure, 2025-02-11

Prompt Injection and Data Exfiltration Risks in Google Drive via Gemini AI Integrations

Severity: Critical (88/100). Relevance: 97%

What happened

According to WithSecure’s report, attackers can embed malicious natural-language instructions inside Google Drive documents and metadata that are later processed by Gemini-powered features, causing indirect prompt injection that drives the AI agent to exfiltrate sensitive files and document details without traditional malware or explicit user intent.[1][2][3][7] Google acknowledged the issue and deployed mitigations such as classifiers, layered defenses, and content filtering to reduce data exfiltration risk from Gemini integrations.[3][7][8] From a CyberSE.AI perspective, this demonstrates that any AI agent with tool access to SaaS data (e.g., Drive, email, calendars) must be treated as operating over untrusted content, with strict least-privilege scopes, explicit business-logic guardrails on tool calls, and continuous red-teaming for cross-document and URL-based exfiltration paths. Organizations should include these Gemini-style integrations in AI security readiness assessments and agent build reviews, ensuring defenses against indirect prompt injection are designed, tested, and monitored over time.

CyberSE Analysis

This signal is mapped to indirect prompt injection and should be reviewed against agent permissions, sensitive data access, and SaaS integration boundaries.

Recommended actions

Restrict agent permissions, review data access, test prompt-injection scenarios, and verify human approval workflows for production actions.

Relevant to: Healthcare, Fintech, SaaS, SMB, AI startups