ARCANUM Training Lab ← Back to Doogle Calendars

Doogle Calendars — Historical Context

What Happened

In 2025, security researchers at Ben-Gurion University demonstrated that Google Calendar invites could be weaponized for indirect prompt injection against AI assistants like Google Gemini. The research, titled "Invitation Is All You Need," was presented at DEF CON 33.

The attack works because AI assistants automatically process calendar event content (titles, descriptions) when summarizing a user's schedule. An attacker creates a calendar invite with a hidden prompt injection in the event title or description. When the victim asks their AI assistant to summarize their calendar, the AI ingests the injected content alongside legitimate calendar data in the same context window — executing the attacker's instructions.

The Attack

Calendar invites are inherently untrusted user-generated content. Anyone who can share a calendar with a victim can inject arbitrary text into event fields. But AI assistants treat processed calendar data as trusted context, creating a prompt injection surface:

Demonstrated Impacts

Real-World Timeline

2025 — DEF CON 33
"Invitation Is All You Need"
Ben Nassi, Stav Cohen, and Or Yair (Ben-Gurion University) demonstrate indirect prompt injection via Google Calendar invites against Gemini AI. Full research at sites.google.com/view/invitation-is-all-you-need
January 2026 — Miggo Security
Weaponizing Calendar Invites
Miggo Security publishes follow-up research on weaponizing calendar event descriptions for semantic attacks on Google Gemini. miggo.io/post/weaponizing-calendar-invites
January 2026 — Malwarebytes
Media Coverage
Malwarebytes covers the calendar invite attack vector, highlighting risks to Gmail and Google Workspace users. malwarebytes.com/blog/news/2026/01

Why It Matters

Calendar invites occupy a unique trust boundary. They're externally generated content (anyone can send an invite) but are processed by AI assistants as if they were first-party data. This is the same class of vulnerability as indirect prompt injection via email (CVE-2025-32711 "EchoLeak" in Microsoft 365 Copilot) and chat messages (PromptArmor's Slack AI disclosure).

The root cause is always the same: AI assistants blend untrusted external content with trusted system instructions in the same context window, without isolation or sanitization boundaries.

Defenses

This Lab

In this Doogle Calendars lab, you replicate the attack in a safe, simulated environment. You play an employee with access to "My Calendar" but not the private "Executive Calendar." Create events with hidden prompt injections, then ask Doogle AI to summarize your schedule. Progress through 5 difficulty levels, each with stronger defenses.

No real accounts or data are involved. This is a training simulation for educational purposes only.

This lab is inspired by real security research but uses entirely simulated systems. "Doogle Calendars" and "Doogle AI" are fictional knockoff brands created for training purposes. All calendar events, API keys, and flags are synthetic.