Researchers design “promptware” attack with Google Calendar to turn Gemini evil

sites.google.com

Invitation Is All You Need

Paper.

You used to believe that adversarial attacks against AI-powered systems are complex, impractical, and too academic. In reality, an indirect prompt injection in a Google invitation is all you need to exploit Gemini for Workspace's agentic architecture to trigger the following outcomes:

  • Toxic content generation
  • Spamming
  • Deleting events from the user's calendar
  • Opening the windows in a victim's apartment
  • Activating the boiler in a victim's apartment
  • Turning the light off in a victim's apartment
  • Video streaming a user via Zoom
  • Exfiltrating a user's emails via the browser
  • Geolocating the user via the browser