Following the recent Perplexity’s AI agentic browser Comet prompt injection attack reported by teams at Brave and Guardio, a similar kind of attack has been identified but this time it’s Gmail.
The sender combined two same old book tricks:
-
Social engineering to lure the user into updating their password, and
-
A hidden prompt for the AI agent to evade automated defences and spiral into long reasoning steps instead of labelling it as phishing.
This campaign therefore runs on two tracks simultaneously
-
One for users
-
One for AI
As AI-powered email filtering and assistance become the norm, phishing campaigns are already adapting. What looks like an old scam in a new inbox may in fact be a carefully designed AI-aware attack, with both human and machine targets in mind.
Defending against phishing now means securing three targets at once:
-
Users (against social engineering)
-
AI tools (against prompt injection)
-
Infrastructure (against beaconing and redirect abuse)
The article by Guardio shows one of the ways in which scammers can train automated systems using GANs (Generative Adversarial Networks) where one AI generates phishing variants and another AI plays the role of the filter trying to block them. The generator doesn’t stop until it wins.
“The only real answer is to stay several steps ahead of scammers by thinking like one. Instead of training the generator to scam, we must focus on training the discriminator to anticipate, detect, and neutralize these attacks.” – Guardio
