New Promptware Attack Hijacks User’s Gemini AI Via Google Calendar Invite

Cybersecurity researchers at SafeBreach Labs have uncovered a new kind of cyberattack that starts with something as ordinary as a Google Calendar invitation. According to the team, this method can be used to hijack a person’s Google Gemini AI agent, giving attackers the ability to spy on them, steal personal data, and even take control of smart home devices remotely.
The research, titled “Invitation Is All You Need,” was carried out by Ben Nassi, Stav Cohen, and Or Yair. In an interview with Hackread.com, SafeBreach Labs explained that the attack relies on a new kind of threat known as Promptware. This technique manipulates an AI model by inserting carefully composed text, or prompts, that trick it into carrying out harmful actions.
The SafeBreach team developed a more advanced version of the attack, which they’ve named a Targeted Promptware attack. They demonstrated how it works specifically on Gemini for Workspace. By sending a malicious Google Calendar invitation, they were able to hijack a user’s Gemini agent, all without the person ever realising it.
This technique is known as an “indirect prompt injection” because the malicious instructions are hidden in something the AI reads on its own, like an event title, instead of being entered directly by the user.
To show just how serious the vulnerability is, the researchers used a range of techniques, including context poisoning and automatic tool invocation, to exploit Gemini. Their tests demonstrated how far the attack could go once the AI agent was compromised.
After taking control of the Gemini agent, they were able to carry out a wide range of malicious actions. They could:
- Steal private emails
- Figure out a person’s location
- Send spam and phishing emails
- Delete a person’s calendar events
- Generate harmful and toxic content
- Turn on a person’s video camera through Zoom
What’s even more concerning is that the attack doesn’t stop online. The researchers showed that a compromised AI assistant could also take control of apps on a person’s smartphone, including those linked to smart home devices.
The researchers also found that an attacker could remotely control things like connected windows, boilers, and lights. This confirmed that Promptware attacks can go beyond Gemini itself and lead to real-world physical impact.
The researchers reported their findings to Google in February 2025. In response, Google rolled out new protections, including stronger security around sensitive actions and better systems to detect prompt injection attacks.
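
One way to put "stronger security around sensitive actions" into practice, as an added example that is not Google's implementation or SafeBreach's code: once calendar text has entered the agent's context, any sensitive tool call needs direct confirmation from the user. The `Session` class, the tool names and the sample events are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable

# Hypothetical tool names, chosen to mirror the actions listed in the article.
SENSITIVE_TOOLS = {"read_email", "send_email", "delete_calendar_event",
                   "open_zoom", "smart_home_control"}

@dataclass
class Session:
    context: list = field(default_factory=list)  # (source, text, trusted)
    audit: list = field(default_factory=list)    # (tool, decision, untrusted sources)

    def add_user_prompt(self, text: str) -> None:
        self.context.append(("user", text, True))

    def add_calendar_events(self, events: list) -> None:
        # Anyone can send an invite, so every event field is untrusted data.
        for ev in events:
            self.context.append((f"calendar:{ev['organizer']}", ev["title"], False))

    def untrusted_sources(self) -> list:
        # Taint lasts for the whole session: poisoned context persists across turns.
        return sorted({src for src, _, trusted in self.context if not trusted})

    def authorize(self, tool: str, confirm: Callable[[str, list], bool]) -> str:
        """Gate a tool call the model asked for; `confirm` asks the human directly."""
        sources = self.untrusted_sources()
        if tool not in SENSITIVE_TOOLS or not sources:
            decision = "allow"
        elif confirm(tool, sources):
            decision = "allow_confirmed"
        else:
            decision = "deny"
        self.audit.append((tool, decision, sources))
        return decision

def demo() -> list:
    s = Session()
    s.add_user_prompt("What is on my calendar today?")
    results = [s.authorize("send_email", lambda t, src: False)]  # clean context
    # Constructed sample data; the second title stands in for injected text.
    s.add_calendar_events([
        {"organizer": "colleague@example.com", "title": "Team sync"},
        {"organizer": "unknown@example.net", "title": "<instruction-like text>"},
    ])
    s.add_user_prompt("thanks")  # a later turn does not clear the taint
    results.append(s.authorize("list_calendar_events", lambda t, src: False))
    results.append(s.authorize("smart_home_control", lambda t, src: False))
    results.append(s.authorize("send_email", lambda t, src: True))
    return results
```

The audit trail records which invite senders contributed untrusted text to the context at the time of each decision, which gives responders a starting point when a denied call shows up.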
SafeBreach Labs estimates that 73% of these threats fall under the “High-Critical risk” category and warns that other AI-powered tools could be at risk too. The full research will be presented at Black Hat USA and DEF CON 33.
Meanwhile, it’s highly recommended to check out SafeBreach’s technical blog post and the seven demo videos the company shared.
HackRead