Ship Fast, Get Hacked: The AI Email Attack Hiding in Your Contact Form
Hidden text in a contact-form submission can hijack the AI summary your team reads. See the attack, and the one API call that blocks it.
TLDR
Hidden text in a contact-form submission can hijack the AI summary your team reads, making your own inbox lie to you with no link or attachment to catch. SafePrompt validates every field in one API call, in under 100ms, and blocks the injection before it reaches a human or an AI inbox.
You shipped a contact form. A stranger submits it. Your inbox AI summarizes it as “URGENT: customer account compromised, call this number now.” What they actually typed was “Hi, I need help with my order.”
The harmless version of this is a summary that reads a little off. The version that costs you is the same trick on an inbox AI that can act: one that drafts replies, files tickets, or triggers a refund workflow. Same hidden text. Different blast radius.
Quick Facts
The attack, in four sentences
An attacker types hidden instructions into a form field, using invisible text injection such as zero-size font or white-on-white HTML. Your backend emails that submission to a support inbox, exactly as designed. When you or a teammate asks an AI assistant to summarize the inbox, it reads the hidden text a human cannot see and follows it. The summary you trust now says whatever the attacker wrote.
That is the whole attack. There is no malicious link to scan, no attachment to quarantine, and the sender is your own form. This is a form of indirect prompt injection: the payload rides in content your AI was asked to read, not in a prompt you typed.
Why this should scare you, specifically
Every contact form, waitlist signup, and feedback widget you have shipped is a path into an inbox that an AI now reads. The reach is real. Gmail surfaces AI summaries to a huge user base, Outlook runs Copilot over the inbox, and Apple Mail added summaries in iOS 18. If your team reads any of those summaries, an attacker can write to your screen by filling out your form.
These are documented, not hypothetical:
- July 2025: Mozilla's 0din program published a Gmail Gemini prompt-injection technique disclosed by Marco Figueroa, hiding instructions in email HTML that Gemini summarized.
- CVE-2025-32711 (“EchoLeak”): a zero-click indirect prompt injection in Microsoft 365 Copilot, rated CVSS 9.3, reported by Aim Security and patched server-side by Microsoft in June 2025, with no exploitation reported in the wild.
We cite the disclosure sources below. Where a detail is the researchers' claim rather than ours, we say so.
EchoLeak is the one worth sitting with. It did not need a click. A single crafted email put instructions into Copilot's context, and Copilot could be steered to pull from files it had access to. Microsoft fixed that specific flaw, but the class of bug, untrusted content steering a trusted AI, is exactly what your contact form exposes.
What the attack looks like
Here is a contact-form submission. A human sees a polite order question. The AI summarizing the inbox sees the hidden block too.
Your backend emails that to support. The inbox AI reads the zero-size block, treats it as an instruction, and writes the attacker's warning into the summary your team acts on. No link was clicked. No attachment was opened.
The fix: validate the field before anyone reads it
SafePrompt is the input firewall for your form. One call inspects the full submission before it is emailed or summarized, and tells you if it carries injection patterns. Send the whole body so the check sees the hidden block in context.
The malicious submission above returns safe: false and never reaches your inbox. The polite one passes and gets emailed as normal. Same flow you already have, one call earlier. Prefer Express, LangChain, or another stack? The how to prevent prompt injection guide has the same pattern for each.
Where the line is
We are not going to pretend SafePrompt is the whole answer, because a sharp reader would catch that. Here is the clean split.
| What happens at your form | SafePrompt | Your job |
|---|---|---|
| Hidden zero-size or white-on-white instructions in a field | Blocks it | |
| Injection split across name, subject, and message | Blocks it (full-body check) | |
| One IP firing thousands of poisoned submissions | Surfaces it (IP reputation) | |
| Spam flooding the form with valid-looking entries | Rate limiting | |
| The AI inbox tool acting on a summary automatically | Human-in-the-loop on actions |
SafePrompt stops the injected content from reaching a human or an AI inbox. Rate limiting handles volume, and you decide what an inbox AI is allowed to do without a person in the loop. Validation is the piece that turns “my inbox lied to me” into a logged, blocked event.
The free options, honestly
You do not have to start with SafePrompt. A DIY regex pass that strips HTML tags and zero-width characters catches the obvious cases and misses the creative ones, which is the same reason regex fails at prompt injection detection. OpenAI's moderation API filters unsafe content but is not built to spot injection structure. Either beats doing nothing. SafePrompt exists because “catches most of it” is not good enough when the miss is a summary your team acts on.
The three-question test for your forms
- Does any form on your site get emailed to an inbox a person or AI reads? That is the attack surface.
- Would a hidden zero-size instruction in a field reach that inbox today? SafePrompt blocks it.
- Can your inbox AI take an action on a summary without a human? That part is on you to gate.
You built the form to hear from customers. Right now it will also faithfully deliver whatever a stranger hides in it. Catch it at the door.
Wire SafePrompt in first
Your contact form is your most exposed surface and the fastest to protect: one API call before the submission is emailed, under 100ms, above 95% detection accuracy. Free plan, no card. $29/mo when you outgrow it. If you also browse with an AI assistant, the SafePrompt Chrome extension flags hidden-text attacks on pages too.
References
- Mozilla 0din: Phishing for Gemini (Gmail prompt injection disclosure, Marco Figueroa), July 2025.
- CVE-2025-32711 (EchoLeak), Microsoft 365 Copilot information disclosure, NIST NVD, 2025.
- Mitigating prompt injection attacks, Google Security Blog, June 2025.