“Promptware” Attack Weaponizes Calendar Invites to Trigger Zoom Exploits

By Azhar Khan

Security researchers have uncovered a novel attack technique dubbed “Promptware,” which abuses Google Calendar invites as a delivery mechanism for triggering malicious activity through Zoom camera-related exploits. The technique demonstrates how attackers are increasingly weaponizing trusted productivity platforms to bypass traditional security controls.

Rather than relying on attachments or obvious phishing links, the campaign leverages normal business workflows—calendar scheduling and video conferencing—to initiate compromise.

Abusing Trust in Calendar Invites

The attack begins with a seemingly legitimate Google Calendar invitation sent to a targeted user. Because calendar invites are commonly exchanged in professional environments, they often receive less scrutiny than unsolicited emails with attachments.

Embedded within the invite are carefully crafted elements designed to manipulate how conferencing integrations, particularly Zoom, handle meeting prompts and device permissions.

Triggering Zoom Camera Exploits

Researchers observed that the malicious calendar entry can cause Zoom to automatically process specific parameters when the meeting link is activated. Under vulnerable configurations, this interaction may trigger client-side flaws related to camera handling or local system access.

In certain scenarios, exploitation could allow attackers to execute code or access device resources without the user fully understanding what has occurred.

Why It’s Called “Promptware”

The term “Promptware” reflects the technique’s reliance on user prompts and automated meeting triggers rather than traditional malware delivery. Instead of installing a standalone payload immediately, the attack manipulates trusted prompts and integrations to activate malicious behavior.

This subtle approach makes detection more challenging, as the activity appears to originate from legitimate calendar and conferencing workflows.

Surveillance and Intrusion Risks

If successfully exploited, attackers may gain unauthorized access to cameras, microphones, or local system resources. In high-value environments such as corporate offices, research institutions, or government agencies, this could enable covert surveillance or serve as an initial foothold for deeper network intrusion.

The blending of social engineering with client-side vulnerabilities significantly raises the risk profile of what would otherwise be routine meeting coordination.

Trusted Platforms as Attack Surfaces

The Promptware technique underscores a broader trend: attackers are shifting toward abusing legitimate cloud services and collaboration tools rather than relying solely on malicious infrastructure.

By operating within Google Calendar and Zoom—both widely trusted and heavily used platforms—threat actors can evade reputation-based defenses and reduce suspicion.

Mitigation and Defensive Measures

Organizations are advised to ensure Zoom clients and related integrations are fully updated with the latest security patches. Administrators should review default settings governing automatic meeting launches and device permissions.

Users should also be encouraged to verify unexpected meeting invites, especially those from unknown senders or containing unusual instructions.
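
One way a mail or calendar gateway could pre-screen invites for the signals named above (unknown senders, unusual instructions, unexpected meeting links). This is an added example, not code from the researchers or from Google or Zoom. The trusted domain, the link-host allowlist and the phrase pattern are assumptions to replace with your own values, and the sample invite is constructed.

```python
import re
from urllib.parse import urlparse

# Assumptions for this sketch: replace both sets with your own values.
TRUSTED_ORG_DOMAINS = {"corp.example"}  # hypothetical internal mail domain
TRUSTED_LINK_HOSTS = {"zoom.us"}        # hosts expected to serve meeting links
# Hypothetical phrase pattern standing in for "unusual instructions".
HINTS = re.compile(r"\b(allow|grant|enable)\b.{0,40}\b(camera|microphone|access)", re.I)
URI = re.compile(r"\b([a-z][a-z0-9+.-]*)://[^\s<>\"']+", re.I)
# NAME, optional ;PARAM=value pairs (values may be quoted and hold ':'), then value.
PROP = re.compile(r'^([A-Za-z0-9-]+)(?:;[^=;:]+=(?:"[^"]*"|[^;:"]*))*:(.*)$')

def properties(ics):
    """Unfold RFC 5545 continuation lines, then yield (NAME, raw value)."""
    for line in re.sub(r"\r?\n[ \t]", "", ics).splitlines():
        m = PROP.match(line)
        if m:
            yield m.group(1).upper(), m.group(2)

def unescape(value):
    # Undo iCalendar TEXT escaping of newline, comma, semicolon and backslash.
    return re.sub(r"\\([nN,;\\])", lambda m: "\n" if m[1] in "nN" else m[1], value)

def triage(ics):
    """Return human-readable findings for one invite."""
    findings = []
    for name, value in properties(ics):
        if name == "ORGANIZER":
            domain = value.rsplit("@", 1)[-1].lower()
            if domain not in TRUSTED_ORG_DOMAINS:
                findings.append(f"external organizer: {domain}")
        elif name in {"DESCRIPTION", "LOCATION", "URL"}:
            text = unescape(value)
            for m in URI.finditer(text):
                host = urlparse(m.group(0).rstrip(".,;)")).hostname or ""
                if m.group(1).lower() not in ("http", "https"):
                    findings.append(f"non-web link scheme: {m.group(1).lower()}")
                elif not any(host == h or host.endswith("." + h) for h in TRUSTED_LINK_HOSTS):
                    findings.append(f"untrusted link host: {host}")
            if HINTS.search(text):
                findings.append(f"instruction-like text in {name}")
    return findings

# Constructed sample event (not taken from any real campaign); note the folded line.
SAMPLE = r"""BEGIN:VEVENT
ORGANIZER;CN="Events: Team":mailto:scheduler@mail.example
LOCATION:https://zoom.us.join-meeting.example/j/0000000000
DESCRIPTION:Before joining\, please allow camera access when prompted.\nJoi
 n here: https://zoom.us/j/0000000000
END:VEVENT"""
```

Findings are triage hints for a human reviewer, not verdicts; the suffix match on the host is what separates `zoom.us` from a lookalike that merely starts with it.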

A Shift in Social Engineering Tactics

Promptware highlights how the attack surface has expanded beyond email attachments and malicious downloads. Calendar events, collaboration tools, and automated prompts now represent potential vectors for exploitation.

As hybrid work continues to rely heavily on digital scheduling and video conferencing, securing these everyday workflows will be critical to preventing future abuse.

Azhar Khan
Azhar is a seasoned Cybersecurity Professional with over 8 years of experience in Cybersecurity Research.