Non-RFC Compliant Calendar Files from unsolicited sender

 1name: "Non-RFC Compliant Calendar Files from unsolicited sender"
 2description: "Detects calendar (.ics) files that do not follow RFC standards by lacking required UID identifiers while containing specific calendar components (VTODO, VJOURNAL, VFREEBUSY, or VEVENT). Forged ICS calendar invites can be spoofed to seemingly originate from any sender."
 3type: "rule"
 4severity: "medium"
 5references:
 6  - "https://mrd0x.com/spoofing-calendar-invites-using-ics-files/"
 7source: |
 8  type.inbound
 9  and any(attachments,
10          (
11            .file_extension in $file_extensions_common_archives
12            or .file_extension == "ics"
13            or .content_type == "text/calendar"
14          )
15          and any(file.explode(.),
16                  (.file_extension == "ics" or .flavors.mime == "text/calendar")
17                  and not any(.scan.strings.strings,
18                              strings.starts_with(., "UID:")
19                  )
20                  and any(.scan.strings.strings,
21                          strings.ilike(.,
22                                        "*VTODO*",
23                                        "*VJOURNAL*",
24                                        "*VFREEBUSY*",
25                                        "*VEVENT*"
26                          )
27                  )
28          )
29  )
30  and not profile.by_sender().solicited  
31tags:
32 - "Attack surface reduction"
33tactics_and_techniques:
34  - "Evasion"
35  - "Social engineering"
36detection_methods:
37  - "Archive analysis"
38  - "Content analysis"
39  - "File analysis"
40  - "Sender analysis"
41id: "9859f100-5fa5-5bb5-9ca6-bce8925afe6d"