May 19, 2026

Zero-Click Hijack via Calendar Invites — The New Prompt Injection Attack Surface

AUTHOR

James A. Wondrasek

A developer accepts a calendar invite. Does nothing else. Within the hour, their AI browser agent has read local config files, extracted API keys, and sent them to a remote server.

No malware. No suspicious attachment. No macro. Just an accepted meeting.

This is an indirect prompt injection attack via calendar invite. Zero deliberate user interaction required. This article covers the Zenity Labs PleaseFix / PerplexedBrowser research, CVE-2026-26144 in Microsoft Excel/Copilot, the EchoLeak predecessor from June 2025, and what detection and response currently look like.

Part of a broader agentic browser security guide. For the conceptual framing, see why execution environments make these attacks structurally novel. For the full agentic browser threat taxonomy, see the companion article.

What is indirect prompt injection — and why does it matter more when an AI agent is involved?

Indirect prompt injection (IPI) is when malicious instructions get embedded in third-party content — emails, documents, calendar invites, web pages — that an AI agent processes as part of its normal work. The agent then executes the attacker’s commands as if they were legitimate user instructions.

This is different from direct prompt injection (jailbreaking), which targets the model through the user interface. IPI arrives through content the agent retrieves. NIST has described it as “generative AI’s greatest security flaw”, and OWASP’s 2025 Top-10 ranks it the #1 threat to LLM applications.

The root cause is a trust boundary failure. An AI agent doesn’t reliably distinguish between authoritative instructions and data it’s processing. Any content it reads is potentially instructable. That was manageable when AI systems only answered questions. It stops being manageable when the agent can browse, click, read files, and submit forms. OpenAI stated in December 2025 that prompt injection in agentic browsers is “unlikely to ever be fully solved.”

What makes a zero-click attack categorically different from other prompt injection attacks?

A zero-click attack executes without any deliberate user action. Accepting a calendar invite, opening an email, performing a routine search — any of these is sufficient. Zero-click data loss is no longer hypothetical. The user doesn’t have to fall for anything.

Standard security awareness training has no purchase here. There’s nothing suspicious to avoid. The attack surface is the agent’s content processing pipeline, not the user’s judgement. Traditional phishing requires a click. Standard prompt injection requires visiting a compromised surface. Zero-click IPI executes automatically when the agent processes the accepted invite.

Agent hijacking is the high-severity variant — persistent influence over an agent that lasts across sessions and compounds over time. For the broader context, see the full agentic browser threat taxonomy.

How does the Zenity Labs calendar-invite hijack actually work — step by step?

Zenity Labs identified the PleaseFix vulnerability family in Perplexity’s Comet agentic browser. The findings: insufficient isolation between user commands and untrusted input, ungated filesystem access, and no requirement for explicit user approval before file reads. The issues were patched prior to public disclosure.

Here’s how the attack chain works:

  1. The attacker crafts a calendar invite with hidden HTML elements and embedded prompt instructions. They mimic Comet’s internal system prompt formatting, including a “system_reminder” structure. Non-English instructions reportedly bypass guardrails more effectively.

  2. The victim accepts the invite. Nothing else required.

  3. Comet processes the invite and encounters both the user’s task context and the attacker’s instructions simultaneously.

  4. Intent collision — Zenity Labs’ term for when the agent merges the user’s legitimate task with the attacker’s injected instruction. The malicious actions appear to be part of what the user requested.

  5. The agent navigates to an attacker-controlled site for further instructions, potentially obfuscated to evade content filters.

  6. The agent uses file:// URLs to browse the local filesystem — config files, API keys, locally stored secrets.

  7. Data is exfiltrated to the attacker’s server. If 1Password is unlocked in Comet, stored credentials go with it.

The entire attack completes in under a minute. The user’s workflow looks normal throughout.
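Step 1 is the one stage a mail or calendar gateway can inspect before the agent ever sees the invite. The following is an added example, not Zenity Labs' or Perplexity's code: a scanner that unfolds an iCalendar file and reports text inside visually hidden HTML elements and any use of the "system_reminder" framing. The list of scanned properties, the style patterns and the sample invite are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Inline styles that hide text from a person but not from an agent reading the markup.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:font-size|opacity)\s*:\s*0(?![.\d])", re.I)
FRAMING = re.compile(r"system[_\- ]?reminder", re.I)   # structure named in the article
VOID = {"br", "img", "hr", "input", "meta", "link"}    # tags that never get an end tag

class HiddenText(HTMLParser):
    """Collects text nested inside visually hidden elements."""
    def __init__(self):
        super().__init__()
        self.stack, self.hidden = [], []
    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            a = dict(attrs)
            hide = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
            self.stack.append(hide or (bool(self.stack) and self.stack[-1]))
    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()
    def handle_data(self, data):
        if self.stack and self.stack[-1] and data.strip():
            self.hidden.append(data.strip())

def scan_invite(ics):
    """Return (property, kind, evidence) findings for one iCalendar text."""
    findings = []
    for line in re.sub(r"\r?\n[ \t]", "", ics).splitlines():   # RFC 5545 unfolding
        head, sep, value = line.partition(":")   # simplification: no ':' inside parameters
        prop = head.split(";")[0].upper()
        if not sep or prop not in ("SUMMARY", "LOCATION", "DESCRIPTION", "X-ALT-DESC"):
            continue
        value = re.sub(r"\\([nN,;\\])",          # undo iCalendar TEXT escaping
                       lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)
        parser = HiddenText()
        parser.feed(value)
        parser.close()
        findings += [(prop, "hidden_text", t) for t in parser.hidden]
        hit = FRAMING.search(value)
        if hit:
            findings.append((prop, "prompt_framing", hit.group(0)))
    return findings

# Constructed sample invite; the hidden text is a placeholder, not a real payload.
SAMPLE = ("BEGIN:VEVENT\r\nSUMMARY:Planning sync\r\nDESCRIPTION:Agenda: budget\\, hiring.\r\n"
          "X-ALT-DESC;FMTTYPE=text/html:<p>Agenda</p><div style=\"disp\r\n"
          " lay:none\">system_reminder: [PLACEHOLDER]</div>\r\nEND:VEVENT\r\n")
```

A scanner like this only covers inline styles and one known framing string, so it belongs in front of the containment controls discussed later, not in place of them.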

What is CVE-2026-26144 and what does it reveal about the Microsoft Copilot risk?

CVE-2026-26144 is a critical-severity information disclosure vulnerability in Microsoft Excel — a cross-site scripting flaw that causes Copilot Agent mode to exfiltrate data via unintended network egress. CVSS 9.3.

The severity comes from Copilot Agent mode. It transforms Copilot from an assistant into an agent capable of acting across Microsoft 365. A passive XSS becomes an active exfiltration attack when a permissioned agent is sitting in front of it.

The trigger: a single email with a malicious Excel attachment. No macros, no suspicious link, no unusual action required. Patched March 10, 2026.

Alex Vovk (Action1 CEO) put it simply: “If exploited, attackers could silently extract confidential information from internal systems without triggering obvious alerts.” If Copilot Agent mode is enabled in your M365 environment and the March patch hasn’t been applied, every user who opens a malicious Excel attachment is exposed.

What is EchoLeak and why does it matter that CVE-2026-26144 is not the first Microsoft Copilot zero-click vulnerability?

CVE-2026-26144 is not an isolated flaw. The EchoLeak case from nine months earlier makes that clear.

EchoLeak (CVE-2025-32711) was published June 11, 2025. A malicious email caused Microsoft 365 Copilot to access internal files and transmit them to an attacker-controlled server without user interaction, bypassing Microsoft’s XPIA classifier, link redaction, and content security policy rules.

The timeline: EchoLeak (June 2025) → Zenity Labs PleaseFix (patched February 2026) → CVE-2026-26144 (patched March 10, 2026). Two near-identical CVEs in Microsoft Copilot products within nine months. That’s a pattern in the architecture, not a one-off.

Concentric AI’s research adds important context: organisations average 802,000 files at risk from oversharing — that’s the environment these vulnerabilities operate in. And Cymulate Research Labs documented zero-click RCE chains in Cursor CLI, AWS Kiro, Codex Desktop App, and Gemini CLI, confirming this attack class extends to development tools across platforms.

Why do agentic browsers make these attacks structurally novel — and what does that mean for patching?

A traditional browser renders content. An agentic browser reads content and acts on it. That’s the whole difference.

Hidden instructions in a web page are ignored by Chrome. Those same instructions become executable commands in Comet or Copilot Agent. An agentic browser is an execution environment with access to files, credentials, and enterprise systems — acting at the user’s level of permission. Blast radius scales with permissions: a token granting access to email, calendar, cloud storage, and CRM gives an attacker access to all of those. Connector abuse is the new shared resource risk.

OpenAI’s December 2025 statement sets the expectation: prompt injection in agentic browsers is “unlikely to ever be fully solved” because blending trusted and untrusted inputs in the same context window is architectural. The patches for CVE-2026-26144 and PleaseFix close specific vulnerabilities — a new agentic feature can re-expose the same underlying problem. More on this in why execution environments make these attacks structurally novel.

What can your security team actually do — and what are the limits of current detection?

Intent collision is the detection problem: the agent’s execution plan looks coherent because it’s blended with legitimate task context. Comet raised internal safety warnings during the PleaseFix attack — and the data left the machine anyway. Detection alone is not enough.

On the vendor side: Microsoft Prompt Shields is a probabilistic classifier that catches known injection techniques but misses obfuscated payloads. Spotlighting isolates external content within prompts — reduces but doesn’t eliminate IPI risk. Plan drift detection requires vendor implementation. Microsoft’s recommended posture: assume IPI is inevitable and design to contain it.

Here’s what your team can act on today:

  1. Audit OAuth scopes held by AI tools (Google Workspace, M365, Slack). Reduce to minimum required.
  2. Verify the CVE-2026-26144 patch has been applied (Patch Tuesday, March 2026).
  3. Review which agents have file:// URL access or local filesystem permissions. Restrict where possible.
  4. If Copilot Agent mode is enabled in M365, restrict outbound network traffic from Office applications.
  5. Establish baseline monitoring for unusual file access patterns from AI agent sessions.
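Items 3 to 5 can be combined into one correlation rule: a local file read followed shortly by a request to a host outside the egress allowlist, in the same agent session. This is an added example, not vendor code; the log tuple format, the allowlist, the 120-second window and the sample events are all assumptions.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"calendar.example.com", "mail.example.com"}  # assumed egress allowlist
WINDOW_S = 120                                                # assumed correlation window

# Constructed agent action log: (epoch seconds, session id, URL the agent opened).
EVENTS = [
    (1000, "s1", "https://calendar.example.com/event/42"),
    (1004, "s1", "https://notes.untrusted.example/next"),
    (1010, "s1", "file:///home/dev/.config/app/settings.json"),
    (1015, "s1", "https://collect.untrusted.example/u"),
    (2000, "s2", "https://calendar.example.com/event/43"),
    (2005, "s2", "https://mail.example.com/inbox"),
    (3000, "s3", "file:///home/dev/report.csv"),
    (3500, "s3", "https://cdn.other.example/lib.js"),
]

def read_then_egress(events, allowed=ALLOWED_HOSTS, window=WINDOW_S):
    """Alert when a session reads a file:// URL and then contacts an
    off-allowlist host within `window` seconds."""
    reads, offlist, alerts = {}, {}, []
    for ts, sid, url in sorted(events):
        u = urlsplit(url)
        if u.scheme == "file":
            reads.setdefault(sid, []).append((ts, u.path))
            continue
        host = (u.hostname or "").lower()
        if u.scheme not in ("http", "https") or host in allowed:
            continue
        for rts, path in reads.get(sid, []):
            if ts - rts <= window:
                alerts.append({
                    "session": sid, "file": path, "egress_host": host,
                    "gap_s": ts - rts,
                    # off-allowlist hosts seen before this request: triage context
                    "earlier_offlist_hosts": sorted(offlist.get(sid, set())),
                })
        offlist.setdefault(sid, set()).add(host)
    return alerts
```

On the constructed log only session s1 alerts; s3 reads a file but its off-allowlist request falls outside the window.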

Flag the compliance angle to legal. Under HIPAA’s audit controls requirement, browser agents spanning multiple systems without unified logging create immediate violations. GDPR Article 22 adds risk around autonomous data access decisions. A successful IPI attack that exfiltrates customer PII triggers mandatory breach notification.

For the enterprise defence platform response, see the companion article on how Prisma Browser blocks toxic prompts. For a broader view of the agentic browser threat landscape — including governance frameworks and vendor options — see our complete agentic browser security and governance guide.

Frequently Asked Questions

Is the Zenity Labs calendar-invite attack (PleaseFix / PerplexedBrowser) patched?

Yes — patched February 2026 following Zenity Labs’ disclosure to Perplexity. Testing on February 13, 2026 confirmed the remediation. Patching the specific implementation does not close the underlying architectural class, though. Any agentic browser that processes calendar invites as instructable content is potentially exposed to the same technique.

Does this attack affect Google Calendar as well as Outlook?

The specific CVE-2026-26144 is an Outlook/Excel/Copilot chain. The Zenity Labs PleaseFix research exploited a Google Calendar invitation processed by Perplexity Comet. The attack class is calendar-platform-agnostic — the question is whether the AI agent processing calendar data will act on embedded instructions.

How is this different from a standard phishing attack?

Phishing requires a deliberate action — a click, an attachment, entering credentials. Zero-click IPI via calendar invite requires only accepting a meeting. Normal workplace behaviour with no visible warning signs. Standard phishing awareness training does not protect against this.

What is the difference between a zero-click attack and a traditional prompt injection attack?

Traditional prompt injection requires user interaction with a compromised surface. Zero-click attacks eliminate that requirement. The trigger is passive processing of legitimate-looking content. The victim’s behaviour is entirely normal.

What is CVE-2025-32711 (EchoLeak) and how does it relate to CVE-2026-26144?

EchoLeak (CVE-2025-32711): a malicious email caused M365 Copilot to exfiltrate internal files without user interaction (CVE published June 2025). CVE-2026-26144 (patched March 2026): a malicious Excel spreadsheet triggered Copilot Agent to exfiltrate data. Both are zero-click IPI vulnerabilities in Microsoft Copilot products, nine months apart. A recurring vulnerability class, not an isolated flaw.

What is intent collision and why does it make these attacks hard to detect?

Intent collision is Zenity Labs’ term for when the agent merges the user’s legitimate request and the attacker’s hidden instruction into a single execution plan. The resulting behaviour looks plausible because it’s blended with real task context. Content filters see a coherent plan, not an injection signal.

Can this attack work if I am not using Perplexity Comet or Microsoft Copilot?

Any AI agent that processes calendar invites, emails, or documents as instructable content and has permissions to access files or the network is potentially exposed. Cymulate documented zero-click RCE chains in Cursor CLI, AWS Kiro, Codex Desktop App, and Gemini CLI. The attack class follows wherever AI agents process external content and act on it.

What is the practical blast radius of a successful calendar-invite hijack?

Blast radius is bounded by the OAuth scopes and filesystem permissions the agent holds. The Zenity Labs demonstration accessed local config files, API keys, and stored credentials if 1Password was unlocked. In an enterprise context with OAuth access to email, calendar, cloud storage, and CRM, the scope is substantially larger. Concentric AI found up to 802,000 files per organisation at risk from Copilot overpermission alone.

Does applying the CVE-2026-26144 patch fully protect Microsoft 365 users?

The March 2026 patch closes the specific Excel/Copilot Agent vulnerability. It does not protect against new IPI variants in other M365 applications or future Copilot Agent capabilities. OpenAI has stated prompt injection in agentic browsers is “unlikely to ever be fully solved” — the patch addresses the implementation, not the architectural class. Patch immediately, then audit all agentic AI permissions and network egress controls.

What should I tell my board about this risk?

Frame it as an access control problem with a new vector: AI agents hold enterprise permissions and can be instructed to misuse them by content they process — not by someone who has compromised your systems. Two near-identical CVEs in Microsoft Copilot products within nine months (EchoLeak: June 2025, CVE-2026-26144: March 2026) confirm this is a recurring class. The action items are concrete: OAuth scope audit, Copilot Agent mode review, patch verification.

Is there a way to use agentic browsers safely in the enterprise?

Current best practice is defence-in-depth: minimum-privilege OAuth scopes, restricted filesystem access, outbound network traffic controls from AI agent processes, verified patch status, and plan drift monitoring where the vendor offers it. No single control eliminates the risk. The practical question is whether the productivity benefit of a specific agentic capability justifies the access it requires — and whether that access has been explicitly audited.

This article is part of our series on agentic browser security. For the full picture on AI browser agent risks — attack taxonomy, enterprise defence options, governance frameworks, and vendor comparisons — see the AI browser agents complete security and governance guide.
