A Google Calendar invite. That’s all it took.
Researchers from SafeBreach Labs have shown that an LLM-powered assistant like Google’s Gemini can be tricked into running malicious commands, accessing sensitive data, and even manipulating physical devices in a victim’s home, without a single click.
Their work introduces a new variant of Promptware, called Targeted Promptware Attacks. The concept is simple. An attacker embeds a malicious instruction inside a calendar event title or email subject line. When Gemini retrieves that data, for instance, when a user asks “What’s on my calendar?”, the hidden instruction slips into the model’s context and is treated as if the user had asked for it.
From there, the attack can cascade.
The New Face of Promptware
Promptware is malicious input (text, images, or audio) designed to exploit an LLM at inference time. Traditionally, such attacks were seen as impractical, requiring deep knowledge of a target model. This research challenges that view.
With Gemini, the team showed how an indirect prompt injection could trigger:
- Sending spam or phishing messages
- Generating toxic content
- Deleting calendar events
- Controlling connected devices like lights or windows
- Tracking a victim’s location
- Starting a Zoom video stream
- Exfiltrating emails and other sensitive data
The scope goes beyond digital damage. By abusing Gemini’s integration with Google Workspace and Android utilities, the attack can bridge into the physical world.
The Exploit in Action
The team tested Gemini’s three main interfaces: the web version, the mobile app, and the voice assistant on Android. The Calendar invite became the delivery vehicle for their attack.
A malicious event name, hidden among legitimate entries, poisoned the assistant’s context. Gemini, seeing it as part of the user’s own request history, executed the embedded instructions.
In demonstrations, the researchers forced Gemini to open malicious websites (revealing the victim’s IP address), control smart home devices, or even force the user into a Zoom meeting, all from a single indirect injection.
One technique, called Delayed Tool Invocation, used Gemini’s “Show more” button in Calendar. Even if the victim didn’t expand the view, those hidden events still entered the assistant’s context. This allowed instructions to be triggered later, for example, when the victim simply said “Thanks.”
Why It Works
LLMs like Gemini don’t understand “malice” in the way humans do. They follow instructions in context, assuming they come from the user. If the poisoned instruction is buried inside trusted data (think a calendar event or email), the assistant has no reason to reject it.
This is what makes Targeted Promptware dangerous. It hijacks not just a chatbot, but the trusted voice of a system the user relies on. A phishing link from Gemini doesn’t look like a scam. It looks like your assistant helping you out.
The Bigger Risk
Using their Threat Analysis and Risk Assessment (TARA) framework, the researchers found that 73% of the Promptware threats they identified were High-Critical. Many could be executed with minimal attacker expertise or resources.
Promptware also enables lateral movement. The attack can jump between Gemini’s own agents, and then escape to other apps and devices, a leap traditional malware can’t always manage.
The researchers believe new variants are coming, including “0-click” attacks that don’t require user interaction and broadcast-style attacks targeting mass audiences.
Google’s Response
The team disclosed their findings to Google in February 2025. By June, Google had deployed new defenses, including:
- Enhanced user confirmations for sensitive actions
- Stricter URL handling and sanitization
- Content classifiers to detect prompt injection
Google called the research “valuable” and said it accelerated mitigation efforts.
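The confirmation mitigation can be pictured as a gate between the model and its tools. The sketch below is an added example, not code from the article, SafeBreach or Google; the tool names and the `Session` class are assumptions. It records when attacker-influenceable data (a calendar title, an email subject) enters the context and keeps requiring confirmation for sensitive actions on later turns, which is the case Delayed Tool Invocation relies on.

```python
from dataclasses import dataclass, field

# Hypothetical tool names, modelled on the action types listed in the article.
SENSITIVE_TOOLS = {
    "send_message", "delete_calendar_event", "control_home_device",
    "open_url", "start_video_call", "get_location",
}

@dataclass
class Session:
    """Tracks whether attacker-influenceable data has entered the context."""
    tainted_by: list = field(default_factory=list)

    def add_retrieved(self, source: str, text: str) -> str:
        # Retrieved content is data, never instructions. Record its source and
        # neutralise '<' so the text cannot close the wrapper early.
        self.tainted_by.append(source)
        safe = text.replace("<", "&lt;")
        return f"<untrusted source={source!r}>{safe}</untrusted>"

    def authorize(self, tool: str, user_confirmed: bool = False) -> str:
        """Decide on a tool call proposed by the model: 'allow' or 'confirm'."""
        if tool not in SENSITIVE_TOOLS:
            return "allow"
        # Taint is never cleared within a session, so a trigger on a later
        # turn (the user just saying "Thanks") is still gated.
        if self.tainted_by and not user_confirmed:
            return "confirm"
        return "allow"

    def confirmation_prompt(self, tool: str) -> str:
        sources = ", ".join(sorted(set(self.tainted_by)))
        return (f"The assistant wants to run '{tool}'. This conversation "
                f"includes content from: {sources}. Allow?")

def demo() -> list:
    s = Session()
    decisions = [s.authorize("control_home_device")]  # direct user request
    # Constructed sample: an event title carrying instruction-like text.
    s.add_retrieved("calendar", "Lunch [constructed instruction-like text]")
    decisions.append(s.authorize("list_calendar_events"))  # read-only tool
    # Next turn: user says "Thanks"; model proposes a device action.
    decisions.append(s.authorize("control_home_device"))
    decisions.append(s.authorize("control_home_device", user_confirmed=True))
    return decisions

if __name__ == "__main__":
    print(demo())
```

The gate does not try to recognise malicious text; it only changes what the assistant may do without asking once untrusted content is in play, so it complements the classifiers and URL sanitization rather than replacing them.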
What It Means for the Industry
Promptware isn’t theoretical anymore. It’s practical, effective, and, as this research shows, alarmingly easy to deliver. Any LLM-powered assistant that integrates with personal data or device controls is at risk.
For security teams, the message is clear: treat Promptware as a first-class threat. Conduct formal risk assessments. Deploy mitigations now. And assume the attack surface has already shifted from memory exploits to LLM context manipulation.
A calendar invite shouldn’t be able to open your windows or stream from your camera. But until the industry takes this class of attack seriously, it can.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


