Attachment: HTML smuggling with eval and atob via calendar invite

calendar Sep 25, 2025  ยท
Share on: linkedin copy

Scans calendar invites (.ics files) to detect HTML smuggling techniques.

Sublime rule (View on GitHub)

 1name: "Attachment: HTML smuggling with eval and atob via calendar invite"
 2description: "Scans calendar invites (.ics files) to detect HTML smuggling techniques."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(attachments,
 8          (
 9            .file_extension =~ "ics"
10            or .content_type == "text/calendar"
11          )
12          // usage: onerror="eval(atob('
13          and regex.imatch(file.parse_text(.).text, ".*eval.{1,4}atob.*")
14          
15  )  
16attack_types:
17  - "Credential Phishing"
18  - "Malware/Ransomware"
19tactics_and_techniques:
20  - "Evasion"
21  - "HTML smuggling"
22  - "Scripting"
23detection_methods:
24  - "File analysis"
25  - "HTML analysis"
26  - "Javascript analysis"
27id: "597c2edd-ff97-5ef6-bcf4-8957011edd9c"
to-top