Non-RFC compliant calendar files from unsolicited sender
Detects calendar (.ics) files that do not follow RFC standards by lacking required UID identifiers while containing specific calendar components (VTODO, VJOURNAL, VFREEBUSY, or VEVENT). Forged ICS calendar invites can be spoofed to seemingly originate from any sender.
Sublime rule

```yaml
name: "Non-RFC compliant calendar files from unsolicited sender"
description: "Detects calendar (.ics) files that do not follow RFC standards by lacking required UID identifiers while containing specific calendar components (VTODO, VJOURNAL, VFREEBUSY, or VEVENT). Forged ICS calendar invites can be spoofed to seemingly originate from any sender."
type: "rule"
severity: "medium"
references:
  - "https://mrd0x.com/spoofing-calendar-invites-using-ics-files/"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in $file_extensions_common_archives
            or .file_extension == "ics"
            or .content_type == "text/calendar"
          )
          and any(file.explode(.),
                  (.file_extension == "ics" or .flavors.mime == "text/calendar")
                  and any(.scan.ics.calendars,
                          any(.components,
                              .uid is null
                              and .type in (
                                'VEVENT',
                                'VJOURNAL',
                                'VFREEBUSY',
                                'VTODO'
                              )
                          )
                  )
          )
  )
  and not profile.by_sender_email().any_messages_benign
tags:
  - "Attack surface reduction"
tactics_and_techniques:
  - "Evasion"
  - "ICS Phishing"
  - "Social engineering"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "Sender analysis"
id: "9859f100-5fa5-5bb5-9ca6-bce8925afe6d"
```
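As an added example (not code from the Sublime rule or its detection engine), the Python below reproduces the rule's core file-analysis condition: walk the iCalendar component structure, honour RFC 5545 line folding and nesting, and report any VEVENT, VJOURNAL, VFREEBUSY or VTODO that carries no UID. The ICS text is a constructed sample.

```python
CHECKED_COMPONENTS = {"VEVENT", "VJOURNAL", "VFREEBUSY", "VTODO"}


def unfold_lines(ics_text: str) -> list[str]:
    """Undo RFC 5545 line folding: a line starting with SPACE or HTAB
    continues the previous content line."""
    lines: list[str] = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw.startswith((" ", "\t")) and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def components_missing_uid(ics_text: str) -> list[str]:
    """Return the types of VEVENT/VJOURNAL/VFREEBUSY/VTODO components that
    carry no UID property, walking BEGIN:/END: pairs with a stack so that a
    nested component (e.g. VALARM inside VEVENT) is attributed correctly."""
    stack: list[tuple[str, bool]] = []  # (component type, has_uid)
    missing: list[str] = []
    for line in unfold_lines(ics_text):
        name, _, value = line.partition(":")
        prop = name.split(";", 1)[0].upper()  # drop parameters: UID;X=1:...
        if prop == "BEGIN":
            stack.append((value.strip().upper(), False))
        elif prop == "END" and stack:
            ctype, has_uid = stack.pop()
            if ctype in CHECKED_COMPONENTS and not has_uid:
                missing.append(ctype)
        elif prop == "UID" and stack and value.strip():
            stack[-1] = (stack[-1][0], True)
    return missing


def is_non_compliant(ics_text: str) -> bool:
    """Mirror the rule's condition: any checked component with a null UID."""
    return bool(components_missing_uid(ics_text))


# Constructed sample: the VEVENT lacks a UID (the VALARM nested inside it is
# not a checked component); the VTODO has a UID folded across two lines.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nPRODID:-//example//EN\r\n"
    "BEGIN:VEVENT\r\nDTSTART:20240101T090000Z\r\nSUMMARY:Invoice review\r\n"
    "BEGIN:VALARM\r\nACTION:DISPLAY\r\nEND:VALARM\r\nEND:VEVENT\r\n"
    "BEGIN:VTODO\r\nUID:1234567890abcdef-\r\n 0123@example.invalid\r\n"
    "END:VTODO\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    print(components_missing_uid(SAMPLE_ICS))  # ['VEVENT']
```

The rule additionally requires the attachment to be an .ics or text/calendar file (possibly inside an archive) and the sender to have no benign message history; those sender and archive checks are outside this snippet.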
Related rules
- Attachment: Calendar invite from recently registered domain
- Attachment: File execution via Javascript
- Headers: Self-sender using Microsoft CompAuth bypass with credential theft content
- Service abuse: Facebook business with action required subject
- Attachment: ICS file with links to newly registered domains