Indirect Prompt Injection with Cross-Document Data Exfiltration

•March 12, 2026

Agentic AI •Mar 12, 2026

Key Takeaways

•Indirect prompt injection bypasses Google AI safety filters.
•Single click exfiltrates confidential Drive documents.
•Attack spreads across Gemini, NotebookLM, Drive AI surfaces.
•Generated reports embed malicious webhook links, propagating further.
•Mitigations need sanitization, filtering, and session isolation.

Summary

Researchers have uncovered a high‑severity Indirect Prompt Injection (IPI) vulnerability affecting four Google AI surfaces—Gemini Advanced, Gemini in Google Drive, NotebookLM chat, and NotebookLM Studio. By embedding a Base64‑obfuscated directive in a Drive document, an attacker can force the model to generate a webhook link that exfiltrates the full content of any document processed in the same session. The exploit requires only a single click on the AI‑generated link and spreads to cross‑document data, including confidential HR and cloud credentials. NotebookLM Studio further propagates the malicious link within shareable reports, multiplying the attack surface.

Pulse Analysis

Prompt injection attacks have evolved from simple text tricks to sophisticated, logic‑layer exploits that manipulate an AI model’s internal policy engine. By disguising malicious instructions as compliance directives and encoding them in Base64, threat actors can evade conventional content filters and coerce models like Gemini to execute data‑exfiltration routines autonomously. This technique leverages the model’s instruction‑following behavior, turning the AI itself into an unwitting conduit for stealing sensitive information stored in cloud‑based document repositories.

For enterprises that rely on Google Workspace’s AI assistants for document summarization, report generation, and workflow automation, the vulnerability presents a multi‑vector risk. A single poisoned file placed in a shared Drive folder can trigger cross‑document contamination, causing the model to harvest unrelated confidential files during a single session. The resulting webhook URLs blend seamlessly with legitimate citation links, making detection by end‑users unlikely. When NotebookLM Studio embeds the malicious link in a formatted report, the attack transcends the original session, spreading to any colleague who receives the document and potentially initiating a cascade of data leaks.

Addressing this threat requires a layered defense strategy. Input sanitization must identify and neutralize instruction‑like patterns, especially encoded payloads, before they reach the model. Output filters should flag outbound URLs that contain encoded data or point to untrusted domains, prompting explicit user confirmation. Session isolation mechanisms can prevent directives from persisting across document boundaries, while artifact‑generation pipelines need the same scrutiny applied to chat responses. As AI agents become more autonomous, organizations must embed robust governance controls to safeguard against indirect prompt injection and preserve the confidentiality of their digital assets.