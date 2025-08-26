HTML and CSS obfuscation techniques such as zero-width characters, white-on-white text, tiny font sizes and off-screen positioning could allow malicious content to go unseen by human viewers but processed by AI tools such as email summarizers or browser extensions , CloudSEK researchers explained.

Frequently repeating this hidden content, in a technique dubbed “prompt overdosing,” can cause it to flood the context window of AI tools and better ensure the malicious content is relayed in the AI summary.

In a proof-of-concept, CloudSEK combined prompt overdosing and obfuscation to show how AI summarizers can be made to deliver ClickFix instructions to unsuspecting users.

ClickFix is a social-engineering technique that convinces the user to copy, paste and execute malicious commands in their computer terminal in order to fix a supposed error or issue.

The researchers crafted a web page to be summarized by AI that contains repeated hidden instructions to copy and paste PowerShell commands to “resolve an issue.” A user may complete these steps, believing there is problem affecting the AI tool or extension.

In addition to prompt overdosing and HTML/CSS obfuscation, the researchers used a prompt directive steering technique, using instructions found outside the “summaryReference” div class to tell the AI to only summarize information found within the summaryReference class.

This directive further ensures only the ClickFix prompt makes it into the AI summary, rather than any other benign page content that is visible to the user.

CloudSEK said it was able to consistently fool AI summarizers into delivering the ClickFix instructions, including when testing against the Sider.ai browser extension and a custom-built browser extension for AI summaries.

However, the success rate was not 100%, with summaries of the benign page content sometimes being included in the AI output, weakening the attack.

ClickFix is an increasingly popular social-engineering technique, with ClickFix-related links increasing by nearly 400% between May 2024 and May 2025, according to a recent Proofpoint report

Combined with AI, the technique could become more widespread and effective due to an increased sense of trust users have for their AI tools compared with content found on unfamiliar sites, CloudSEK said.

Such attacks could potentially be thwarted by sanitizing content prior to summarization, by removing text designed to be invisible to the user from the AI’s context, neutralizing CSS obfuscation techniques, for example.

AI tools could also be trained to recognize prompt overdose attempts, like repeated suspicious phrases, and ClickFix-like payloads, such as Base64-encoded commands.