Attachment: ICS with employee policy review lure

Detects ICS calendar attachments containing references to 'policy review' and 'secure access' terminology, which may be used in social engineering attacks to prompt users to take action under the guise of compliance or security requirements.

Sublime rule (View on GitHub)

name: "Attachment: ICS with employee policy review lure"
description: "Detects ICS calendar attachments containing references to 'policy review' and 'secure access' terminology, which may be used in social engineering attacks to prompt users to take action under the guise of compliance or security requirements."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(filter(attachments,
                 .file_type in~ ('ics')
                 or .content_type in ("text/calendar", "application/ics")
          ),
          any(file.explode(.),
              .depth == 0
              and any(.scan.strings.strings,
                      strings.icontains(., 'policy review')
              )
              and any(.scan.strings.strings,
                      strings.icontains(., 'secure access')
              )
          )
  )

attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Content analysis"
id: "4eaf2ef3-1e65-5553-90dd-9d8507092d64"
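To make the rule's conditions concrete outside the Sublime platform, the following is an added Python re-implementation of its matching logic (not Sublime's code) run over a constructed sample message. It assumes the attachment is inspected as a single top-level file (the rule's `.depth == 0` case) and does not reproduce the nested-file expansion that `file.explode` provides.

```python
# Added example: mirror the rule's checks on a parsed email message.
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Content types and lure terms taken directly from the rule above.
ICS_CONTENT_TYPES = {"text/calendar", "application/ics"}
LURE_TERMS = ("policy review", "secure access")


def is_ics_attachment(part) -> bool:
    """Mirror the filter(): .ics file extension or a calendar content type."""
    filename = (part.get_filename() or "").lower()
    return filename.endswith(".ics") or part.get_content_type() in ICS_CONTENT_TYPES


def has_lure_terms(data: bytes) -> bool:
    """Mirror the two strings.icontains() checks: both terms, case-insensitive."""
    text = data.decode("utf-8", errors="ignore").lower()
    return all(term in text for term in LURE_TERMS)


def matches_rule(raw: bytes) -> bool:
    """True if any ICS attachment in the message contains both lure terms."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if is_ics_attachment(part) and has_lure_terms(payload):
            return True
    return False


def build_sample(summary: str, description: str) -> bytes:
    """Construct a test message carrying a .ics attachment (sample data only)."""
    ics = ("BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\n"
           f"SUMMARY:{summary}\r\nDESCRIPTION:{description}\r\n"
           "END:VEVENT\r\nEND:VCALENDAR\r\n")
    msg = EmailMessage()
    msg["From"] = "hr@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invitation"
    msg.set_content("See attached invite.")
    msg.add_attachment(ics.encode(), maintype="text", subtype="calendar",
                       filename="invite.ics")
    return msg.as_bytes()


# Constructed samples: one with both lure terms, one benign calendar invite.
LURE = build_sample("Employee Policy Review", "Confirm via the Secure Access portal")
BENIGN = build_sample("Team standup", "Weekly sync")
```

Because both terms must be present, an invite mentioning only one of them (for example a genuine "policy review" meeting) does not fire, which is the same false-positive trade-off the rule makes.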