Google has confirmed a Gmail warning regarding a new AI-driven attack capable of compromising Gmail accounts. The attack exploits prompt injection, with instructions hidden within emails, messages, websites, attachments, and calendar invitations.
The vulnerability was highlighted by Eito Miyamura, who demonstrated on X how ChatGPT could be manipulated to leak a victim’s private email data using only their email address. According to Miyamura, “AI agents like ChatGPT follow your commands, not your common sense,” emphasizing the potential for data exfiltration.
Google had previously cautioned about this type of threat in June, characterizing it as a “new wave of threats” aimed at manipulating AI systems. These threats involve malicious instructions embedded in emails, documents, or calendar invites that compel AI to extract user data or perform unauthorized actions.
The demonstrated attack is a proof of concept that begins with a malicious calendar invite, which the victim does not need to accept. When ChatGPT is instructed to prepare the user for their day by reviewing their calendar, the AI assistant is “hijacked by the attacker and will act on the attacker’s command, searching your private emails and sending the data to the attacker’s email,” according to reports.
To mitigate this risk, Google advises users to enable the “known senders” setting in Google Calendar. This measure helps prevent malicious or spam events from automatically appearing on the calendar grid. Google states, “We’ve found this to be a particularly effective approach to helping users prevent malicious or spam events appearing on their calendar grid. The specific calendar invite would not have landed automatically unless the user has had prior interactions with the bad actor or changed the default settings.”
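The known-senders idea can also be applied on the assistant side. The sketch below is an added example, not Google's or OpenAI's code: an event reaches the assistant's context only when its organizer is someone the user has interacted with before, whether or not the invite was accepted. The `Event` type, the function names and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed placeholder standing in for instructions hidden in an invite.
INJECTED = "[constructed placeholder: text addressed to the assistant]"

@dataclass
class Event:
    organizer: str
    title: str
    description: str
    accepted: bool  # not used for trust: the invite in the PoC needed no acceptance

# Constructed sample data (hypothetical addresses).
KNOWN_SENDERS = {"alice@example.com"}
SAMPLE_EVENTS = [
    Event("Alice@Example.com", "Weekly sync", "Agenda: roadmap", accepted=True),
    Event("stranger@example.net", "Quick chat", INJECTED, accepted=False),
]

def split_by_known_sender(events, known_senders):
    """Return (trusted, withheld), keyed on the organizer address only."""
    known = {s.strip().lower() for s in known_senders}
    trusted, withheld = [], []
    for ev in events:
        bucket = trusted if ev.organizer.strip().lower() in known else withheld
        bucket.append(ev)
    return trusted, withheld

def build_agent_context(events, known_senders):
    """Build the calendar text handed to the assistant.

    Withheld events contribute a count only, so none of their
    attacker-controlled text (title or description) enters the prompt.
    """
    trusted, withheld = split_by_known_sender(events, known_senders)
    lines = [f"- {ev.title}: {ev.description} (organizer: {ev.organizer})"
             for ev in trusted]
    if withheld:
        lines.append(f"- {len(withheld)} invite(s) from unknown senders "
                     "withheld for manual review")
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_agent_context(SAMPLE_EVENTS, KNOWN_SENDERS))
```

Text from known organizers still enters the context unfiltered here, so a filter like this complements the model-side and classifier defenses rather than replacing them.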
Google also emphasizes the importance of securing AI models against such attacks. The company claims that “Our model training with adversarial data significantly enhanced our defenses against indirect prompt injection attacks in Gemini 2.5 models,” although this specific attack did not involve Gemini.
Furthermore, Google is implementing filters to detect prompt injection attacks. The company is “rolling out proprietary machine learning models that can detect malicious prompts and instructions within various formats, such as emails and files.” These models aim to identify and disregard malicious instructions within emails, generating safe responses for users.
Google highlights that Gmail’s built-in defenses already block more than 99.9% of spam, phishing attempts, and malware. The company cites an example of an email “that includes malicious instructions; our content classifiers help to detect and disregard malicious instructions, then generate a safe response for the user.”
Miyamura cautions that despite the intelligence of AI, it remains vulnerable to manipulation and phishing, potentially leading to data leaks. He warns, “AI might be super smart, but can be tricked and phished in incredibly dumb ways to leak your data.”
Google maintains that this threat “is not specific to Google,” emphasizing the industry-wide importance of developing robust protections against prompt injection attacks.




