Indirect Prompt InjectionHigh

Promptware attacks against Google Gemini (Invitation Is All You Need)

August 2025  ·  Google Gemini / Workspace

What happened

Researchers embedded malicious instructions in emails, calendar invitations, and shared documents. When Gemini processed the poisoned content it could exfiltrate email data and even trigger real-world actions through Google Home, such as opening windows or controlling smart devices.

Root cause

Gemini treated attacker-controlled content inside emails, invites, and docs as trusted instructions, with no isolation between untrusted data and the agent context.

Fix / outcome

Google deployed a multi-layer prompt-injection mitigation and credited the research through its AI VRP.

Sources

SafeBreach writeup

Learn this attack class

This incident is an example of Indirect Prompt Injection. Read the guide, then try it hands-on in the Academy.

Read the guide →Try the challenge

← Back to the Incident Database