Attachment: HTML smuggling with eval and atob via calendar invite

calendar Jan 12, 2026  ยท
Share on: linkedin copy

Scans calendar invites (.ics files) to detect HTML smuggling techniques.

Sublime rule (View on GitHub)

 1name: "Attachment: HTML smuggling with eval and atob via calendar invite"
 2description: "Scans calendar invites (.ics files) to detect HTML smuggling techniques."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(attachments,
 8          (.file_extension =~ "ics" or .content_type == "text/calendar")
 9          // usage: onerror="eval(atob('
10          and regex.imatch(file.parse_text(.).text, ".*eval.{1,4}atob.*")
11  )  
12attack_types:
13  - "Credential Phishing"
14  - "Malware/Ransomware"
15tactics_and_techniques:
16  - "Evasion"
17  - "HTML smuggling"
18  - "Scripting"
19detection_methods:
20  - "File analysis"
21  - "HTML analysis"
22  - "Javascript analysis"
23id: "597c2edd-ff97-5ef6-bcf4-8957011edd9c"
to-top