Imagine this scenario: your Head of HR receives an email. It’s long and looks legitimate enough. She’s very busy, so she clicks the summarize button in her email client to save some time. The AI gives her a clean summary with helpful instructions to resolve what appears to be a configuration issue. She follows the steps, happy to be addressing a problem so quickly. But just three minutes later, ransomware is executing across your network.
The instructions to launch the ransomware were never visible in the original email. Not to her, your spam filter, or even your IT team. But the AI tool saw them perfectly.
The Invisible Payload
Researchers at CloudSEK just published findings about a technique that weaponizes the AI tools that make us more productive. This type of attack leverages something security teams have been fighting for years, CSS and HTML obfuscation, but repurposes it in a way that traditional defenses completely miss.
The mechanics are straightforward, and that makes them inherently more dangerous. Attackers embed malicious instructions in email content using CSS properties that render text invisible to human readers: opacity set to zero, white text on white backgrounds, font sizes in the sub-pixel range, zero-width Unicode characters, content positioned thousands of pixels off-screen.These are approaches that bad actors have been using for years to slip past content filters.
But instead of using these techniques to hide content from your email gateway, attackers are using them in a new way: hiding content from you while making sure your AI tools see every word.
Prompt Overdose: Flooding the Context Window
The CloudSEK research also introduces something called “prompt overdose”. Prompt overdose is when malicious instructions are hidden using CSS tricks, and then they’re repeated throughout the HTML source, sometimes dozens of times. Each repetition is invisible to anyone viewing the email, but when an AI summarizer processes the content, all those repetitions flood its context window.
A prompt injection is a type of cyberattack against large language models (LLMs). Hackers disguise malicious inputs as legitimate prompts, manipulating generative AI systems (GenAI) into leaking sensitive data, spreading misinformation, or worse.
IBM Think
In this case, the AI is trying to summarize a document that appears to a human as a normal, perhaps somewhat long email. But hidden in that HTML are forty repetitions of instructions to download and execute a PowerShell command. From the AI’s perspective, the dominant content isn’t the content the email is meant to convey; it’s the repeated instructions that keep pushing the same message into its context window.
When the summarizer generates its output, it does exactly what it’s designed to do: it summarizes the most prominent content it processed. Except the most prominent content was the malicious payload that no human ever saw.
Consistent Findings Across Tools
CloudSEK’s researchers tested this against both commercial AI tools and custom-built summarizer extensions. They created HTML pages with benign visible content, specifically long, dry technical writing that would cause a user to reach for an AI summary. Hidden within that same HTML were repeated ClickFix-style instructions telling recipients to execute encoded PowerShell commands.
When the researchers fed harmful content to AI summarizers, the tools obediently output the hidden instructions. In most of the tests, the summarizer produced clean, instruction-only outputs with the malicious payload front and center.
Occasionally, the summarizer included some of the benign visible content alongside the weaponized instructions, but even then, the damage was done.
The researchers tested this against Sider.ai’s commercial browser extension and against a custom-built summarization tool. They behaved in identical ways; the invisible payload was clear in the AI-generated summary.
What Do Your Current Defenses See?
Most email security platforms scan for malicious content that’s going to reach the recipient. Spam filters, malware scanners, and URL reputation checks are all looking for threats that will be visible to the user or threats that will execute on the user’s machine when they interact with visible content. CSS obfuscation tactics like zero-width characters, microscopic fonts, and white-on-white text are typically flagged by security tools but the content is not removed, just ignored.
Even if your email security strips out malicious hidden content before delivering messages to inboxes, that doesn’t help if users are hitting “summarize” on web content or on content that arrived through channels invisible to your gateway.
The Solution: Safer AI Summarization
AI summarization is helpful. It’s not something that companies or individuals are clamoring to turn off anytime soon. So now the task is to ensure that content sanitization happens before AI processing begins. It’s also important that your AI tools are analyzing intent and context rather than just regurgitating text patterns.
Email security platforms that were already detecting HTML and CSS obfuscation techniques have a head start here, but only if that detection happens at the right point in the chain. Content needs to be sanitized at the gateway level, stripping out invisible text and suspicious attributes before the content ever reaches downstream AI tools.
There’s also an architectural question about where AI processing happens. If your summarization runs through cloud APIs, that means you’re sending potentially malicious content to third parties before you’ve had a chance to inspect it properly. Local processing provides the opportunity to implement content sanitization as a prerequisite to AI analysis.
The most effective systems are the ones where the security layer and the AI layer are integrated components, not sequential processes. Sanitize the content first, then analyze it with AI that’s specifically designed to detect intent and context, instead of just pattern-matching on text.
Is Your IT Security Team Ready?
The CloudSEK research demonstrates a fundamental shift in how we need to think about email security. We’ve spent twenty years training users not to click suspicious links, trust unexpected attachments, or fall victim to phishing attempts. Now we’re giving them AI tools that process content in ways they can’t see and producing outputs they’re conditioned to trust.
Attackers have already figured out this gap. The question is whether your security architecture is ready for attacks that target the AI tools themselves rather than the humans using them.
Interested in having more information on how you can protect your expanding attack surface?
