The calendar that betrays you: how instructions smuggled into Calendar can expose data in Google Gemini


A team of researchers has shown how, with nothing more than natural-language instructions inside a Google Calendar invitation, Gemini (the assistant built on Google's large language model) can be tricked into revealing private information and writing it into an event that is accessible to an attacker. The finding underlines that, although detection systems based on auxiliary rules and models exist, the reasoning ability of LLM assistants and their automatic ingestion of data add new attack surfaces that are hard to predict.

The experiment, described by its authors in a technical report, takes advantage of the way Gemini processes event details when a user asks it about their schedule. If an attacker can send an invitation whose description contains instructions written in natural language (for example, asking that all of the day's meetings be summarized, that private information be included, and that the summary be copied into a new event), Gemini can end up executing those instructions as if they were a legitimate request from the user. The result: sensitive data is written into the description of a new event which, in many business settings, is visible to participants and possibly to the attacker.

Image generated with AI.

The researchers explain that the key to success was not a traditional technical exploit but semantic manipulation. Because Gemini automatically links and processes Calendar information in order to offer proactive help, it is enough to place an apparently innocuous "instruction" in an event field: when the user invokes the assistant, it loads and interprets that text along with the rest of the context. That interpretation can lead to actions that exfiltrate information without the user noticing.

This attack vector falls under what is known as prompt injection: instead of breaching infrastructure, the attacker inserts commands into text inputs that the model treats as legitimate instructions. The authors of the report noted that, although Google applies an additional detection layer using isolated models to filter dangerous instructions, the maneuver evaded those defenses because the orders in the description appeared benign and consistent with the assistant's function.

The concept is not entirely new (other teams have previously shown how calendars and metadata can be used to manipulate assistants), but this work shows that the nuances of language and intent make a perfect barrier very hard to maintain. The researchers reported their findings to Google; the company introduced mitigations to block the patterns used in the experiment, although the authors insist that the solution is not trivial and that security must evolve beyond mere syntactic validation.

For those who manage corporate environments, the practical implication is clear: integrations that let language models access calendars, mail and other data should be deployed with strict access policies, controls on field modification by external senders, and reduced visibility by default. Allowing assistants to act with broad permissions on collaborative objects, without contextual and intent controls, is a risk that can be realized with little effort.

The authors of the report propose that detection move from identifying dangerous text patterns to being aware of context: who created the content? What is the relationship between the sender and the participants? Does it make sense for an assistant to rewrite a field visible to third parties with confidential information? In other words, the ideal defense should combine semantic analysis with business rules and telemetry about permissions and origins.
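The context-aware policy sketched above (and the access controls mentioned two paragraphs earlier) can be made concrete. The following is an added example, not code from the report or from Google; it assumes a hypothetical trusted domain `corp.example` and a simplified model of assistant actions in which every calendar event that entered the prompt is recorded as provenance, so that a write to a third-party-visible field can be refused when untrusted text was in the context.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed for this example: the organization's own mail domain(s).
TRUSTED_DOMAINS = {"corp.example"}
# Assistant actions that modify calendar content rather than just answer the user.
WRITE_ACTIONS = {"create_event", "update_event"}


@dataclass
class CalendarEvent:
    organizer: str      # e-mail address of whoever created the invite
    description: str    # free text that the model reads as context


@dataclass
class AssistantAction:
    kind: str                       # "answer_user", "create_event", "update_event"
    target_visibility: str          # "private" (user only) or "shared" (other attendees)
    contains_private_data: bool     # output includes details of other events/people
    context_events: List[CalendarEvent]  # provenance: events whose text entered the prompt


def is_external(email: str) -> bool:
    """Origin check: anything not from a trusted domain is untrusted input."""
    return email.rsplit("@", 1)[-1].lower() not in TRUSTED_DOMAINS


def decide(action: AssistantAction) -> Tuple[str, str]:
    """Return ("allow" | "deny" | "confirm", reason) for a proposed assistant action.

    The rule set mirrors the report's questions: who authored the context,
    and does it make sense to write confidential data into a shared field?
    """
    external = sorted({e.organizer for e in action.context_events if is_external(e.organizer)})
    if action.kind in WRITE_ACTIONS and action.target_visibility == "shared":
        if external:
            # Text from an external organizer was in the prompt: it is data, never a command
            # that may drive a write to a field other people can read.
            return "deny", "shared write while context held external text from " + ", ".join(external)
        if action.contains_private_data:
            # Even internal context should not silently copy private details to shared fields.
            return "confirm", "copying private details into a shared field requires user approval"
    if external:
        # Answering the user or writing privately is fine; record provenance for telemetry.
        return "allow", "no shared write; external context from " + ", ".join(external) + " logged"
    return "allow", "internal context only"
```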

It is also important to remember that technical mitigation is no substitute for policies and training. In many organizations the quickest way to reduce risk is to limit who can create or modify events that affect critical teams, review default permissions on shared calendars, and teach people to distrust unexpected invitations, even when they come from known contacts whose mail may have been compromised.

The report and subsequent coverage have drawn interest from the security community because they illustrate a broader point: when APIs and interfaces are designed to accept human instructions as native input, the boundary between what is "data" and what is "command" becomes blurred. That ambiguity amplifies the need for integrity controls at every layer of the data flow.


For those who want to read the original technical analysis, the details are available in the research team's own publication at Miggo Security: Weapons Calendar Invites: a semantic attack on Google Gemini. The piece has also been cited in specialized press reports and analyses that examine how LLM assistants integrate with productivity tools and what security implications that brings.

Google, for its part, has been adding controls and reviews to Gemini's integrations with Workspace and other services; its push for assistants that act on calendars and email requires a delicate balance between utility and data protection. For context on the product and its integrations, see Google's official information about Gemini and its capabilities: Introducing Gemini - Google AI blog. Public and technical discussion will remain necessary because the attack surface will evolve along with the features.

In short, the incident is a wake-up call: assistants capable of reasoning and acting on personal and corporate data are powerful tools, but their usefulness comes with new risk vectors. Security in this era must combine smarter technical controls, more conservative access policies, and greater awareness of how language itself can become a vector for exploitation.
