Attachment: ICS calendar file with base64 encoded recipient address in URL parameters

 1name: "Attachment: ICS calendar file with base64 encoded recipient address in URL parameters"
 2description: "Detects inbound messages containing ICS calendar attachments where event links have multiple URL parameters, and the base64 decoded combination of those parameters matches the recipient's email address. This technique may be used to personalize malicious links or track specific targets."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(attachments,
 8          (
 9            .file_type == "ics"
10            or .file_extension == "ics"
11            or .content_type in ("application/ics", "text/calendar")
12          )
13          //
14          // This rule makes use of a beta feature and is subject to change without notice
15          // using the beta feature in custom rules is not suggested until it has been formally released
16          //
17          and any(beta.file.parse_ics(.).events,
18                  any(filter(.links, length(.href_url.query_params_decoded) > 1),
19                      any(strings.scan_base64(strings.concat(coalesce(flatten(values(.display_url.query_params_decoded
20                                                                              )
21                                                                      )[0],
22                                                                      ""
23                                                             ),
24                                                             coalesce(flatten(values(.display_url.query_params_decoded
25                                                                              )
26                                                                      )[1],
27                                                                      ""
28                                                             ),
29                                                             coalesce(flatten(values(.display_url.query_params_decoded
30                                                                              )
31                                                                      )[2],
32                                                                      ""
33                                                             ),
34                                                             coalesce(flatten(values(.display_url.query_params_decoded
35                                                                              )
36                                                                      )[3],
37                                                                      ""
38                                                             ),
39                                                             coalesce(flatten(values(.display_url.query_params_decoded
40                                                                              )
41                                                                      )[4],
42                                                                      ""
43                                                             ),
44                                                             coalesce(flatten(values(.display_url.query_params_decoded
45                                                                              )
46                                                                      )[5],
47                                                                      ""
48                                                             )
49                                              )
50                          ),
51                          . == recipients.to[0].email.email
52                      )
53                  )
54          )
55  ) 
56    
57attack_types:
58  - "Credential Phishing"
59tactics_and_techniques:
60  - "Evasion"
61  - "Social engineering"
62  - "ICS Phishing"
63detection_methods:
64  - "File analysis"
65  - "URL analysis"
66  - "Content analysis"
67id: "472a6b15-7f3b-5daf-a968-3d138b70a2a5"