Invitation Is All You Need: How a Calendar Invite Hijacked Google Gemini and Took Over a Smart Home

The Vulnerability Nobody Can Fix: What Is Indirect Prompt Injection?

A prompt injection attack embeds instructions for an AI model inside content that the model reads as data. The AI cannot reliably distinguish between “this is data I am processing” and “this is an instruction I should follow.” This is not a bug that can be patched. It is a fundamental architectural limitation of every large language model in existence. There is no fix on the horizon. There is no vendor who has solved it. And every AI company is shipping products that depend on this distinction working reliably. It does not.

Indirect prompt injection is the nightmare variant. The attacker does not need access to the victim’s conversation. They do not need to trick the user into typing anything. They embed malicious instructions in a shared resource — a calendar invite, an email, a document — that the AI will process on the victim’s behalf. The victim never sees the attack. They just ask their assistant a normal question, and the assistant has already been compromised by data it retrieved. The attacker was never in the room. They were in the calendar invite that arrived three days ago.

Every Inbox Is a Loaded Gun: The External Input Attack Surface

Modern AI assistants read a wide range of external content. Each is a potential injection vector:

An attacker who controls any of this content can attempt to redirect the assistant’s behavior. And the most dangerous part: the attacker does not need to interact with the victim at all. They just need to place content where the AI will read it. Anyone can send you a calendar invite. Anyone can email you. Anyone can share a document with you. The barrier to launching this attack is exactly zero dollars and zero technical skill. A calendar invite is free to send.

The Kill Chain: From “What’s on My Calendar?” to “Your Windows Are Open”

Step 1 — The Poisoned Calendar Entry

Attackers sent calendar invitations containing indirect prompt injections embedded in event titles and descriptions. The malicious instructions were often hidden in “Show more” sections — invisible at a glance, but fully processed by Gemini when it retrieved calendar data.

When victims asked Gemini about their schedule (“What’s on my calendar?”), the system retrieved event details including the malicious instructions. The attack required zero interaction beyond asking a normal question about a normal calendar.

Step 2 — Context Poisoning

The malicious calendar entries poisoned Gemini’s context space — the accumulated conversation history fed to the LLM. Though hidden from the user’s view, these injected instructions became part of Gemini’s active processing context, effectively overriding its default behavior.

The researchers identified an “attention override” phenomenon: fresh instructions from recently retrieved data overrode Gemini’s default responses and safety guardrails. The AI treated the most recent context as highest priority — exactly as designed for helpful conversation, but catastrophically exploitable when that context is attacker-controlled.

Step 3 — Agent Hijacking: When Software Attacks Your Physical World

This is where the attack crosses the line from “data breach” to “physical safety threat.” Once context was poisoned, Gemini could be instructed to invoke integrated agents and tools without explicit user authorization. The demonstrated exploits should make anyone with a smart home lose sleep:

Four Ways to Break Your AI: The Technical Exploitation Methods

The researchers developed several techniques to bypass Gemini’s safety controls. Each one exploits a different gap between the AI’s intended behavior and its actual behavior when processing adversarial inputs.

Technique 1 — Jailbreak Roleplay

Researchers embedded instructions using specific XML-style tags that convinced Gemini the text was an instruction rather than calendar content, followed by roleplay prompts that lowered safety guardrails. The AI was effectively told to “pretend” it had different permissions — and it complied.

Technique 2 — Delayed Tool Invocation

To bypass agent-chaining restrictions, attackers instructed Gemini to perform actions only after future user inputs (e.g., “when user says thanks, open this URL”). This ensured the expected agents matched the trigger context, bypassing security checks that validated whether the tool call was appropriate for the current conversation turn.

Technique 3 — URL Redirect Exploitation

Gemini blindly followed HTTP 301 redirects from HTTPS URLs to app-specific URI schemes (zoom://, geo://), opening applications without user confirmation — unlike standard browsers which block such redirects. A seemingly safe HTTPS link could silently launch a Zoom call to stream the victim’s camera to an attacker.

Technique 4 — Dynamic URL Assembly Bypass

Researchers discovered Gemini blocked dynamic URL creation followed by immediate opening, but permitted creating URLs in one interaction and opening them later. This enabled data exfiltration by assembling a URL containing sensitive data in one turn and triggering navigation in the next.

The Numbers That Should End the “It’s Just a Demo” Argument

Using a formal Threat Analysis and Risk Assessment (TARA) framework, researchers classified threats by practicality and outcome across multiple categories. This is not a corner-case academic finding. This is a systematic vulnerability affecting the core architecture of how AI assistants process external data.

Invisible to Every Scanner You Own: Why Detection Is Nearly Impossible

Prompt injection payloads in external inputs do not look like traditional attacks:

• They contain no executable code or known malware signatures
• They do not reference infrastructure that a URL scanner would flag
• They are often obfuscated: instructions split across multiple fields, encoded in base64, or written using Unicode lookalikes
• They look like unusual-but-plausible meeting notes to a human reviewer

This is the same class of attack that Code Corgi detects in source code — content designed to mean something different to an automated system than it does to a human.

The researchers explicitly challenged the misconception that LLM attacks require adversarial machine learning expertise, GPU clusters, or white-box model access. These prompt injection variants proved practical with minimal attacker resources — a calendar invite is free to send.

Google’s Response

Google deployed “multi-layer” defenses including:

• Enhanced user confirmations for sensitive actions (e.g., deleting calendar events, sending messages)
• Robust URL handling with sanitization and Trust Level Policies
• Advanced prompt injection detection using content classifiers
• Validated through extensive internal testing before deployment

Google stated these mitigations were “deployed ahead to all users” of Gemini by June 2025, approximately four months after the initial disclosure.

The Uncomfortable Truth: Your AI Assistant Is the Largest Unmonitored Attack Surface You Have

The Gemini calendar attack exposes a fundamental tension in AI assistant design: to be useful, the assistant needs broad access to your data and tools. To be secure, it should have minimal access to both.

Every permission you grant an AI assistant — read your calendar, access your email, control your smart home, browse the web — is a permission that an attacker inherits when they hijack the assistant via prompt injection. Google designed Gemini to be maximally helpful: it can read your calendar, send messages, control your devices, and browse the web. That is exactly what makes it maximally exploitable.

This is not unique to Google. Every AI assistant that processes external data — Microsoft Copilot, Apple Intelligence, Amazon Alexa with LLM features, every enterprise “AI copilot” your company just deployed — faces the same architectural vulnerability. The attack surface scales linearly with the number of integrations. How many integrations does your company’s AI assistant have? How many of them accept input from people outside your organization? That is your attack surface. And it is growing every week as vendors race to add more “helpful” integrations.

The fundamental architectural problem persists: LLMs cannot reliably distinguish between data and instructions. There is no patch for this. There is no upcoming model version that fixes it. This is not a bug in Gemini. It is a property of how large language models work. Google’s mitigations reduce the severity and practicality of attacks, but they are guardrails on a cliff edge, not a bridge over the chasm. As AI assistants gain access to more tools and more data sources, the attack surface grows — and the guardrails have to get longer, and stronger, and more complex, forever. The attackers only need to find one gap. The defenders need to cover every inch.

Think about what this means at enterprise scale. Your company’s AI assistant reads Slack messages from external partners. It reads emails from customers. It reads calendar invites from anyone with your email address. It reads documents shared from outside the organization. Every single one of those inputs is an unvalidated instruction channel directly into the brain of a tool that has access to your internal systems. And you are paying for the privilege of having this attack surface. The AI assistant you deployed to make your team more productive is the largest unmonitored attack surface in your organization. And nobody in your security team is watching it.

What To Do Before Your Next Calendar Invite Arrives