Attachment: ICS file with excessive custom properties

ICS calendar attachment contains an unusually high number of custom X- properties, which may indicate attempts to hide malicious content or exploit calendar parsing vulnerabilities.

Sublime rule (View on GitHub)

name: "Attachment: ICS file with excessive custom properties"
description: "ICS calendar attachment contains an unusually high number of custom X- properties, which may indicate attempts to hide malicious content or exploit calendar parsing vulnerabilities."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments,
                 .file_type in~ ('ics')
                 or .content_type in ("text/calendar", "application/ics")
          ),
          regex.icount(file.parse_text(.).text,
                       '[\r\n]X-[^\r\n]+\x3b\s?[^\r\n]+:\s*[a-f0-9]{32,}'
          ) > 10
          //
          // This rule makes use of a beta feature and is subject to change without notice
          // using the beta feature in custom rules is not suggested until it has been formally released
          //
          or any(beta.file.parse_ics(.).events,
                 length(filter(.raw_properties,
                               strings.istarts_with(.key, 'X-')
                               and regex.icontains(.value, '^[a-f0-9]{32,}$')
                        )
                 ) > 10
          )
  )

attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "ICS Phishing"
detection_methods:
  - "File analysis"
  - "Content analysis"
id: "3ac947bc-9db3-5505-9d7b-4cd22c9931fe"
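The rule's second branch (the beta `parse_ics` path) expresses the detection most directly: walk the calendar's properties, keep those whose name starts with `X-` and whose value is a long run of hex, and alert when more than ten such properties occur. The Python below is an added, stand-alone illustration of that logic, not code from Sublime or from this rule; it implements the RFC 5545 steps the platform's parser handles for you (line unfolding, splitting the property name and parameters from the value at the first unquoted colon) so the threshold can be tested against constructed sample calendars. The `ENCODING=8BIT` parameter, the `X-CHUNK-n` and `X-BLOB` names and the hex payloads in the samples are made up for the demonstration.

```python
import re

# Mirrors the rule's value test: a value that is nothing but 32 or more hex digits.
HEX_VALUE = re.compile(r'^[a-f0-9]{32,}$', re.IGNORECASE)


def unfold_ics(text):
    """Undo RFC 5545 line folding: a line starting with a space or tab continues the previous line."""
    lines = []
    for line in text.replace('\r\n', '\n').split('\n'):
        if line[:1] in (' ', '\t') and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_properties(text):
    """Return (NAME, params, value) for every content line of the calendar."""
    props = []
    for line in unfold_ics(text):
        if not line:
            continue
        # Name and parameters end at the first ':' that is outside double quotes
        # (parameter values such as CN="Doe, J: x" may themselves contain colons).
        in_quotes = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_quotes = not in_quotes
            elif ch == ':' and not in_quotes:
                break
        else:
            continue  # no unquoted colon: not a well-formed content line
        head, value = line[:i], line[i + 1:]
        name, _, params = head.partition(';')
        props.append((name.upper(), params, value))
    return props


def count_suspicious_x_props(text):
    """Count custom X- properties whose value is a 32+ digit hex string."""
    return sum(1 for name, _, value in parse_properties(text)
               if name.startswith('X-') and HEX_VALUE.match(value.strip()))


def is_suspicious(text, threshold=10):
    """The rule's decision: strictly more than `threshold` matching properties."""
    return count_suspicious_x_props(text) > threshold


# Constructed sample: an ordinary invitation with a few legitimate X- properties.
BENIGN_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//Example Corp//Calendar//EN\r\n"
    "X-WR-CALNAME:Team calendar\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:20240101T090000Z-1@example.test\r\n"
    "DTSTART;TZID=America/New_York:20240101T090000\r\n"
    "SUMMARY:Planning sync\r\n"
    "X-MICROSOFT-CDO-BUSYSTATUS:BUSY\r\n"
    "X-TOKEN:abcdef\r\n"          # hex, but far too short to count
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Constructed sample: twelve hex-valued X- properties plus one folded across two lines.
SUSPICIOUS_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:20240101T090000Z-2@example.test\r\n"
    "SUMMARY:Invoice review\r\n"
    + "".join(f"X-CHUNK-{i};ENCODING=8BIT:{'ab' * 16}\r\n" for i in range(12))
    + "X-BLOB;ENCODING=8BIT:0123456789abcdef0123\r\n 456789abcdef\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

if __name__ == "__main__":
    for label, ics in (("benign", BENIGN_ICS), ("suspicious", SUSPICIOUS_ICS)):
        print(f"{label}: {count_suspicious_x_props(ics)} hex-valued X- properties, "
              f"flagged={is_suspicious(ics)}")
```

Unfolding before counting matters: a long value split over continuation lines would otherwise be seen as a short fragment and missed, which is why the rule's `parse_text` branch and its `parse_ics` branch can disagree on edge cases and are combined with `or`.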