Calendar invites and ChatGPT’s Gmail integration: the attack pattern
On September 12, 2025, security researcher Eito Miyamura demonstrated an exploit that, arguably, is the first but definitely not the last one of its kind: a malicious Google Calendar injects prompts into ChatGPT, which, when connected to Gmail, leaks private emails in response. Yes, there are specific prerequisites — you have to establish the connection between the AI and Gmail, and use Google Calendar so intensively that an unknown invite can make its way into it — but such patterns tend to evolve in a way as to expand the coverage of the attack, so it’s best to know what exactly is happening and how you can protect yourself. Read on for both accounts.
Malicious Google Calendar invites: what’s under the hood
The weapon here is called “indirect prompt injections.” They exploit AI’s thoroughness by inserting malicious instructions in the external data processed by the model, including websites, emails, calendar invites, or documents. In the case of Google Calendar invites and ChatGPT integration with Gmail, the AI took the invite, as it was supposed to, and was tricked into giving up emails (once connected, it has access to a lot of stuff) by commands hidden in those invites.
The term “prompt injection” was coined by Simon Willison in 2022; the researcher described how malicious actors could give instructions to AIs in much the same way as SQL injections. “Indirect prompt injections,” as the name suggests, have those commands hidden under a layer of safe-looking material. The term itself is credited to Kai Greshake and the NVIDIA team, who formalized the attack pattern and described defense strategies against it in 2025.
How to protect yourself against attacks involving indirect prompt injections?
There is no use in trying to abstain from using artificial intelligence entirely: today, you may be able to achieve the desired isolation, but tomorrow large language models will be integrated into services on the side of the provider, and there will simply be no way for you to disconnect them from your accounts. Moreover, you won’t even know the connection is there. So, what can you do to fence your assets?
- Vigilance. First and foremost, you have to stay vigilant and never let anything suspicious into your calendar or other system that leans on AI for this or that purpose.
- Order. Keep things tidy. If you don’t really need ChatGPT to help you with emails, disable it. You may have tried the feature, liked it even, but if there’s no real-life use case for it — do not hesitate, and do not put it on the back burner.
- Limits. Even today AI integrations can be customized to give you more control over what the model works with and under what conditions it can access the data. Consider disabling all automatic routines. Yes, it’ll add manual approvals to your menu, but it’s safer this way.
- Existing safeguards. In Google Calendar, for example, you can set things up in a way that allows invites from known senders only. This is a safeguard; use such whenever possible.
OpenAI acknowledged the problem and suggested disabling connectors. The company is working on defenses against such attacks, but it’s a shield-and-sword race, so it makes sense to get a forward-looking security suite. Find one here:
