Attachment: ICS with embedded document

ICS invite contains an embedded document.

Sublime rule

 1name: "Attachment: ICS with embedded document"
 2description: |
 3    ICS invite contains an embedded document.
 4references:
 5  - "https://delivr.to/payloads?id=2212f8db-5a21-4b36-a15e-4097adbc136d"
 6type: "rule"
 7severity: "low"
 8source: |
 9  type.inbound
10  and any(attachments,
11          .file_extension == "ics"
12          and strings.ilike(file.parse_text(.).text,
13                            '*ATTACH;ENCODING=*;VALUE=BINARY*'
14          )
15          and (
16            strings.ilike(file.parse_text(.).text, '*FILENAME=*.doc*')
17            or strings.ilike(file.parse_text(.).text, '*FILENAME=*.dot*')
18            or strings.ilike(file.parse_text(.).text, '*FILENAME=*.pp*')
19            or strings.ilike(file.parse_text(.).text, '*FILENAME=*.wbk*')
20            or strings.ilike(file.parse_text(.).text, '*FILENAME=*.xl*')
21            or strings.ilike(file.parse_text(.).text, '*FILENAME=*.html*')
22          )
23  )  
24
25attack_types:
26  - "Malware/Ransomware"
27tactics_and_techniques:
28  - "Evasion"
29detection_methods:
30  - "File analysis"
31id: "8f9957d9-a06a-5c5a-83af-2dc5c25bed86"