Attachment: ICS file with AWS Lambda URL
Detects ICS calendar files that contain references to AWS Lambda URLs, which may be used to deliver malicious content or redirect users to suspicious resources.
Sublime rule

```yaml
name: "Attachment: ICS file with AWS Lambda URL"
description: "Detects ICS calendar files that contain references to AWS Lambda URLs, which may be used to deliver malicious content or redirect users to suspicious resources."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ('ics')
            or .content_type in ("application/ics", "text/calendar")
          )
          and regex.icontains(file.parse_text(.).text, 'lambda-url')
  )

attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "URL analysis"
id: "ecc8c457-f171-5f22-a3c1-dac281d7b3e0"
```
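For triaging saved .ics attachments offline, the same check can be approximated in Python. This is an added example, not Sublime's own code: it goes beyond the rule by unfolding RFC 5545 folded content lines before matching and by reporting the full Lambda function URL host (`<url-id>.lambda-url.<region>.on.aws`) together with the calendar property that carried it. The function names and the sample calendar are constructed for illustration.

```python
import re

# Lambda function URLs have the form https://<url-id>.lambda-url.<region>.on.aws
LAMBDA_HOST = re.compile(
    r"https?://([a-z0-9]+\.lambda-url\.[a-z0-9-]+\.on\.aws)", re.IGNORECASE
)
CALENDAR_TYPES = {"application/ics", "text/calendar"}


def unfold(ics_text):
    """Undo RFC 5545 folding: a line break followed by one space or tab
    continues the previous content line."""
    return re.sub(r"\r?\n[ \t]", "", ics_text)


def is_calendar(filename, content_type):
    """Attachment test modelled on the rule: .ics extension or calendar MIME type."""
    return filename.lower().endswith(".ics") or content_type in CALENDAR_TYPES


def lambda_url_hits(filename, content_type, ics_text):
    """Return (property, host) pairs for each Lambda function URL in the file."""
    if not is_calendar(filename, content_type):
        return []
    hits = []
    for line in unfold(ics_text).splitlines():
        # A content line is NAME[;params]:value
        prop = re.split(r"[;:]", line, maxsplit=1)[0].upper()
        for match in LAMBDA_HOST.finditer(line):
            hits.append((prop, match.group(1).lower()))
    return hits


# Constructed sample: the DESCRIPTION line is folded in the middle of the hostname.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "BEGIN:VEVENT",
    "SUMMARY:Quarterly review",
    "DESCRIPTION:Join the review here: https://abc123example.lambda-",
    " url.us-east-1.on.aws/invite",
    "URL:https://xyz789example.lambda-url.eu-west-1.on.aws/",
    "END:VEVENT",
    "END:VCALENDAR",
])

if __name__ == "__main__":
    for prop, host in lambda_url_hits("invite.ics", "text/calendar", SAMPLE_ICS):
        print(f"{prop}: {host}")
```

Reporting the property name helps separate a link placed in DESCRIPTION or URL, which the recipient is expected to click, from incidental matches elsewhere in the file.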