In 2025, security researchers at Ben-Gurion University demonstrated that Google Calendar invites could be weaponized for indirect prompt injection against AI assistants like Google Gemini. The research, titled "Invitation Is All You Need," was presented at DEF CON 33.
The attack works because AI assistants automatically process calendar event content (titles, descriptions) when summarizing a user's schedule. An attacker creates a calendar invite with a hidden prompt injection in the event title or description. When the victim asks their AI assistant to summarize their calendar, the AI ingests the injected content alongside legitimate calendar data in the same context window — executing the attacker's instructions.
Calendar invites are inherently untrusted user-generated content. Anyone who can share a calendar with a victim can inject arbitrary text into event fields. But AI assistants treat processed calendar data as trusted context, creating a prompt injection surface:
Calendar invites occupy a unique trust boundary. They're externally generated content (anyone can send an invite) but are processed by AI assistants as if they were first-party data. This is the same class of vulnerability as indirect prompt injection via email (CVE-2025-32711 "EchoLeak" in Microsoft 365 Copilot) and chat messages (PromptArmor's Slack AI disclosure).
The root cause is always the same: AI assistants blend untrusted external content with trusted system instructions in the same context window, without isolation or sanitization boundaries.
In this Doogle Calendars lab, you replicate the attack in a safe, simulated environment. You play an employee with access to "My Calendar" but not the private "Executive Calendar." Create events with hidden prompt injections, then ask Doogle AI to summarize your schedule. Progress through 5 difficulty levels, each with stronger defenses.
No real accounts or data are involved. This is a training simulation for educational purposes only.
This lab is inspired by real security research but uses entirely simulated systems. "Doogle Calendars" and "Doogle AI" are fictional knockoff brands created for training purposes. All calendar events, API keys, and flags are synthetic.