Agree with other comments here - no need for the user to engage with anything from the malicious email, only to continue using their account with some LLM interactions. The account is poisoned even for known safe self initiated interactions.