Gmail Phishing with Prompt Injection: Tricks Humans and AI. Are You Ready?

1 Star2 Stars3 Stars4 Stars5 Stars (11 votes, average: 5.00 out of 5)
Loading...
Published: August 26, 2025
Gmail Phishing with Prompt Injection

Your email security is locked down? Do you think your AI-powered filters can catch anything hackers throw at you?

A new phishing attack targeting Gmail users is so clever, it’s not just designed to fool you. It’s designed to fool the very AI that’s supposed to protect you.

This isn’t your average “click here to reset your password” scam. This is a next-level threat that plays psychological games with both humans and machines at the same time. And if you’re not paying attention, it could bypass everything you have in place.

Let’s break down exactly what this attack is, how it works, and what you absolutely must do to protect yourself.

What Does This Phishing Attack Look Like?

On the surface, it looks familiar. Deceptively simple, even. You get an email in your Gmail inbox. The subject line screams urgency.

“Login Expiry Notice 8/20/2025 4:56:21 p.m.”

Your heart misses a beat. Are you locked out of your Gmail account?

The body of the message appears to be official. It has the Google brand that you are familiar with and trusting of. There is a warning that your password is going to expire soon, and you have to “confirm your credentials” to keep your account active.

Gmail Password Expiry Notice

This is a classic social engineering attack. They don’t need to hack you. They need you to panic. “Your password will expire.” That line alone is enough to short-circuit your brain. Urgency makes you act before you think. Authority makes you trust the source. Fear makes you click.

Most people stop there, and that’s why it works. But the real problem isn’t the email itself. The danger lives in the invisible parts of the code behind the link, the place your browser quietly takes you.

Prompt Injection Against AI

Companies don’t just depend on people anymore. They’ve got AI watching the gates. Sophisticated systems in their SOCs that scan and flag bad emails before anyone sees them.

So the attackers asked a different kind of question. What if you attack the guard instead of the gate?

Hide the embedded code. They placed commands not to you, but to the AI. That is a prompt injection attack. By using a deception to make the model work against itself, what is interesting is that they can deceive people. The thing is that they can trick the devices that are supposed to keep us safe.

While the AI is distracted chasing nonsense, the real threat walks right past. What does that buy the attacker? Three things.

First, misclassification. The system stamps “safe” on what’s dangerous. Sometimes it even files it away under “promotions,” which is almost worse. It disappears into noise.

Second, delay. An alert that should take seconds takes minutes or hours. That’s all the time an attacker needs to get a foothold.

And third, complete evasion. In the worst cases, the email glides through untouched, as if the defences weren’t even there.

That’s the clever part. It’s not just a phishing attack anymore. It’s a two-track attack on your emotions on one side, your machines on the other.

The Delivery Chain shows how much Phishing has Evolved

The email came through SendGrid. It passed SPF and DKIM, and even though it failed DMARC, that was enough to get it into the inbox. The first link didn’t go straight to the bad site either. It went through Microsoft Dynamics, which made the hop look legitimate.

Read Also: What is DKIM, DMARC, and SPF?

From there, the attacker set up roadblocks. A CAPTCHA kept out crawlers and sandboxes. Only a real user would get through. On the other side was a Gmail login page with obfuscated JavaScript waiting to steal credentials.

Read Also: Beware: New Phishing Attacks Exploit Google’s DKIM to Trick Gmail Users

They did not leave it at that. This phishing site retrieved IP, ASN, and geolocation information, discarding analysts and considering only the actual victims. A telemetry beacon was monitoring the sessions so that humans and bots could be distinguished.

Even the infrastructure nudges toward who may be behind it. The WHOIS information points the domain to Pakistan, and the beacon URLs also contain words in Urdu and Hindi. Not evidence, a clue.

Read Also: Google Gemini Vulnerability Allows AI-Generated Phishing via Hidden HTML Prompts

The larger question is how stacked this is now. It is not only about deceiving people any longer. They are also after deceiving machines and AI.

Read Also: Google Salesforce Breach: Major Vishing Attack That Exposed 2.5M Records

That is the trend that malware is constructed in an attempt to destructively contaminate the tools used in the detection of these attacks. The consequence is an alternate form of arms race. Now you must protect your AI as well as your users against social engineering.

Conclusion

Phishing used to be simple. Now it’s layered, AI-aware, and built to fool both people and machines. The defenders have to evolve just as fast because the attacks already have.

If you want to stay ahead of these threats, contact us for cybersecurity services.

Janki Mehta

Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.