Attachment: ICS file with excessive custom properties

ICS calendar attachment contains an unusually high number of custom X- properties, which may indicate attempts to hide malicious content or exploit calendar parsing vulnerabilities.

Sublime rule

name: "Attachment: ICS file with excessive custom properties"
description: "ICS calendar attachment contains an unusually high number of custom X- properties, which may indicate attempts to hide malicious content or exploit calendar parsing vulnerabilities."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments,
                 .file_type in~ ('ics')
                 or .content_type in ("text/calendar", "application/ics")
          ),
          regex.icount(file.parse_text(.).text,
                       '[\r\n]X-[^\r\n]+\x3b\s?[^\r\n]+:\s*[a-f0-9]{32,}'
          ) > 10
  )

attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "File analysis"
  - "Content analysis"
id: "3ac947bc-9db3-5505-9d7b-4cd22c9931fe"
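As an added example (not part of the Sublime rule or its repository), the Python below re-runs the rule's regex count over a constructed ICS sample and shows why RFC 5545 line folding should be undone before counting: a compliant generator folds long property lines at 75 octets, which splits the hex value across physical lines. The page does not say whether file.parse_text already unfolds lines, so treating the text as raw is an assumption here.

```python
import re

# The pattern from the Sublime rule; regex.icount is case-insensitive, hence re.IGNORECASE.
SUSPICIOUS_X_PROP = re.compile(
    r'[\r\n]X-[^\r\n]+\x3b\s?[^\r\n]+:\s*[a-f0-9]{32,}', re.IGNORECASE)
THRESHOLD = 10  # the rule fires when the count is > 10


def count_suspicious_x_props(ics_text: str) -> int:
    """Count X- properties carrying a parameter and a long hex value, as the rule does."""
    return len(SUSPICIOUS_X_PROP.findall(ics_text))


def unfold(ics_text: str) -> str:
    """Undo RFC 5545 line folding: a line break followed by a space or tab joins two lines."""
    return re.sub(r'\r?\n[ \t]', '', ics_text)


def fold(line: str, width: int = 75) -> str:
    """Apply RFC 5545 folding so no physical line exceeds `width` octets (ASCII input assumed)."""
    chunks = [line[:width]]
    rest = line[width:]
    while rest:
        chunks.append(rest[:width - 1])  # the continuation's leading space counts toward the limit
        rest = rest[width - 1:]
    return "\r\n ".join(chunks)


def build_sample_ics(n_custom: int, folded: bool) -> str:
    """Constructed sample: a minimal VEVENT plus n_custom X- properties with 64-hex-char values."""
    lines = ["BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//constructed sample//EN",
             "BEGIN:VEVENT", "UID:sample-1@example.invalid",
             "DTSTART:20240101T090000Z", "SUMMARY:Quarterly review"]
    for i in range(n_custom):
        # Hypothetical property name; the long prefix makes the fold land inside the hex value.
        prop = f"X-CONSTRUCTED-CUSTOM-PROP-{i};ENCODING=8BIT;X-TAG=sample:{i:064x}"
        lines.append(fold(prop) if folded else prop)
    lines += ["END:VEVENT", "END:VCALENDAR"]
    return "\r\n".join(lines) + "\r\n"


def rule_matches(ics_text: str) -> bool:
    """Mirror of the rule's condition, evaluated on unfolded text so folding cannot split the value."""
    return count_suspicious_x_props(unfold(ics_text)) > THRESHOLD
```

On the folded sample the raw count is 0 while the unfolded count is the full number of properties, which is the check worth adding if the parser output turns out to keep physical lines.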