Non-RFC compliant calendar files from unsolicited sender

 1name: "Non-RFC compliant calendar files from unsolicited sender"
 2description: "Detects calendar (.ics) files that do not follow RFC standards by lacking required UID identifiers while containing specific calendar components (VTODO, VJOURNAL, VFREEBUSY, or VEVENT). Forged ICS calendar invites can be spoofed to seemingly originate from any sender."
 3type: "rule"
 4severity: "medium"
 5references:
 6  - "https://mrd0x.com/spoofing-calendar-invites-using-ics-files/"
 7source: |
 8  type.inbound
 9  and any(attachments,
10          (
11            .file_extension in $file_extensions_common_archives
12            or .file_extension == "ics"
13            or .content_type == "text/calendar"
14          )
15          and any(file.explode(.),
16                  (.file_extension == "ics" or .flavors.mime == "text/calendar")
17                  and any(.scan.ics.calendars,
18                          any(.components,
19                              .uid is null
20                              and .type in (
21                                'VEVENT',
22                                'VJOURNAL',
23                                'VFREEBUSY',
24                                'VTODO'
25                              )
26                          )
27                  )
28          )
29  )
30  and not profile.by_sender_email().any_messages_benign  
31tags:
32 - "Attack surface reduction"
33tactics_and_techniques:
34  - "Evasion"
35  - "Social engineering"
36detection_methods:
37  - "Archive analysis"
38  - "Content analysis"
39  - "File analysis"
40  - "Sender analysis"
41id: "9859f100-5fa5-5bb5-9ca6-bce8925afe6d"