Attachment: ICS file with links to newly registered domains

Detects calendar invite attachments (ICS files) containing links to domains registered within the last 30 days, which may indicate malicious calendar invitations designed to redirect users to suspicious websites.

Sublime rule

name: "Attachment: ICS file with links to newly registered domains"
description: "Detects calendar invite attachments (ICS files) containing links to domains registered within the last 30 days, which may indicate malicious calendar invitations designed to redirect users to suspicious websites."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          (
            .file_type == "ics"
            or (
              .file_extension == "ics"
              or .content_type in ("application/ics", "text/calendar")
            )
          )
          //
          // This rule makes use of a beta feature and is subject to change without notice
          // using the beta feature in custom rules is not suggested until it has been formally released
          //
          and any(beta.file.parse_ics(.).events,
                  any(.links, network.whois(.href_url.domain).days_old < 30)
          )
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "URL analysis"
  - "Whois"
id: "9d8ea98f-4a4b-5e35-9c3f-d3a3ac11bdc4"
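As an added example (not Sublime Security's code and not part of the rule above), the following Python reproduces the rule's detection logic outside the Sublime platform so the individual steps can be inspected: unfold the ICS file per RFC 5545, collect the http(s) links carried by each VEVENT (the counterpart of `beta.file.parse_ics(.).events` and `.links`), resolve each link to its domain, and flag the attachment when any domain is younger than 30 days. The WHOIS lookup is a constructed table of registration dates standing in for `network.whois(...).days_old`, so the example runs offline; the sample invite and its domains are constructed placeholders. As in the rule, a domain with no WHOIS record does not produce a hit.

```python
"""Offline re-implementation of the ICS newly-registered-domain check (added example)."""
from __future__ import annotations

import re
from datetime import date
from typing import Optional
from urllib.parse import urlparse

MAX_DOMAIN_AGE_DAYS = 30  # mirrors "days_old < 30" in the rule

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
_ESCAPES = {"\\": "\\", ";": ";", ",": ",", "n": "\n", "N": "\n"}

# Constructed stand-in for WHOIS creation dates (assumption: placeholder domains,
# not real registrations). In production this is network.whois(domain).days_old.
WHOIS_CREATED = {
    "example.com": date(1995, 8, 14),
    "invite-review-portal.example": date(2024, 5, 28),
}

# Constructed sample invite. The second DESCRIPTION is deliberately folded across
# two lines (RFC 5545 line folding) in the middle of its URL.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//constructed sample//EN
BEGIN:VEVENT
UID:constructed-1@example.com
DTSTART:20240601T150000Z
SUMMARY:Quarterly review
DESCRIPTION:Join here: https://example.com/meet/123
END:VEVENT
BEGIN:VEVENT
UID:constructed-2@example.com
DTSTART:20240602T090000Z
SUMMARY:Action required
DESCRIPTION:Review the shared document at https://docs.invite-review-por
 tal.example/open?id=42 before the call.
END:VEVENT
END:VCALENDAR
"""


def unfold_ics(text: str) -> list[str]:
    """RFC 5545 unfolding: a line starting with a space or tab continues the previous one."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def unescape_text(value: str) -> str:
    """Undo ICS TEXT escaping (\\\\, \\;, \\, and \\n)."""
    return re.sub(r"\\([\\;,nN])", lambda m: _ESCAPES[m.group(1)], value)


def parse_ics_events(text: str) -> list[dict[str, str]]:
    """Return one property dict per VEVENT; property parameters after ';' are dropped."""
    events: list[dict[str, str]] = []
    current: Optional[dict[str, str]] = None
    for line in unfold_ics(text):
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            if current is not None:
                events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            current[name.split(";", 1)[0].upper()] = value
    return events


def event_links(event: dict[str, str]) -> list[str]:
    """Collect http(s) URLs from the URL and free-text properties of one event."""
    links: list[str] = []
    for prop in ("URL", "DESCRIPTION", "LOCATION", "SUMMARY"):
        if prop in event:
            links.extend(URL_RE.findall(unescape_text(event[prop])))
    return links


def domain_age_days(domain: str, today: date, whois=WHOIS_CREATED) -> Optional[int]:
    """Stand-in for network.whois(domain).days_old; None when no record is known.
    A subdomain inherits the registration date of its registered parent."""
    for registered, created in whois.items():
        if domain == registered or domain.endswith("." + registered):
            return (today - created).days
    return None


def newly_registered_links(ics_text: str, today: date,
                           max_age_days: int = MAX_DOMAIN_AGE_DAYS) -> list[tuple[str, int]]:
    """Return (url, domain_age_days) for every event link whose domain is too young."""
    hits: list[tuple[str, int]] = []
    for event in parse_ics_events(ics_text):
        for url in event_links(event):
            host = (urlparse(url).hostname or "").lower()
            age = domain_age_days(host, today)
            if age is not None and age < max_age_days:
                hits.append((url, age))
    return hits


if __name__ == "__main__":
    for url, age in newly_registered_links(SAMPLE_ICS, date(2024, 6, 3)):
        print(f"flag: {url} (domain registered {age} days ago)")
```

Because the check is keyed on registration age rather than on a blocklist, the same invite stops matching once the domain passes 30 days old, which is the intended trade-off of the rule: it catches freshly stood-up infrastructure at the cost of aging out.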
