Attachment: Calendar invite with Google redirect and invoice request

Detects calendar file attachments containing Google redirect URLs in the location field combined with invoice-related language in the message body.

Sublime rule:

name: "Attachment: Calendar invite with Google redirect and invoice request"
description: "Detects calendar file attachments containing Google redirect URLs in the location field combined with invoice-related language in the message body."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ('ics')
            or .content_type in ("application/ics", "text/calendar")
          )
          and regex.icontains(file.parse_text(.).text,
                              'LOCATION[^:]*:.{1,300}google\.com/url'
          )
  )
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name == "Request to View Invoice" and .confidence == "high"
  )

attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Open redirect"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Natural Language Understanding"
  - "URL analysis"
id: "8ea3cff8-f2ee-5190-8530-a79beab60a3b"
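The following is an added illustration, not Sublime's own code or part of the rule above. It re-implements the attachment side of the rule in plain Python: the same `.ics` extension / calendar content-type test, and the same `LOCATION[^:]*:.{1,300}google\.com/url` regex run case-insensitively over the attachment text. The NLU topic check is taken as input in the shape the rule reads it (topic name and confidence), because the classifier itself cannot be reproduced offline. The `Attachment` class, the two `.ics` samples and the `rule_matches` function are constructed for this example.

```python
import re
from dataclasses import dataclass

# Hypothetical attachment record; property names mirror the rule's .file_extension / .content_type
@dataclass
class Attachment:
    filename: str
    content_type: str
    data: bytes

    @property
    def file_extension(self) -> str:
        return self.filename.rsplit(".", 1)[-1].lower() if "." in self.filename else ""

ICS_EXTENSIONS = {"ics"}                                   # rule: .file_extension in~ ('ics')
ICS_CONTENT_TYPES = {"application/ics", "text/calendar"}  # rule: .content_type in (...)

# Same pattern the rule passes to regex.icontains: a LOCATION property (with any parameters
# before the colon) whose value carries a google.com/url redirect within 300 characters.
LOCATION_REDIRECT = re.compile(r"LOCATION[^:]*:.{1,300}google\.com/url", re.IGNORECASE)

def unfold_ics(text: str) -> str:
    """Undo RFC 5545 line folding: a line break followed by a space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", text)

def is_calendar_attachment(att: Attachment) -> bool:
    return att.file_extension in ICS_EXTENSIONS or att.content_type.lower() in ICS_CONTENT_TYPES

def location_has_google_redirect(att: Attachment) -> bool:
    # Unfold first: '.' does not cross a newline, so a redirect split by folding would otherwise be missed
    text = unfold_ics(att.data.decode("utf-8", errors="replace"))
    return LOCATION_REDIRECT.search(text) is not None

def invoice_topic_high(topics) -> bool:
    # topics: iterable of (name, confidence) pairs as an NLU classifier would report them
    return any(name == "Request to View Invoice" and conf == "high" for name, conf in topics)

def rule_matches(attachments, topics) -> bool:
    """Combine both halves of the rule: a matching calendar attachment AND a high-confidence invoice topic."""
    attachment_hit = any(is_calendar_attachment(a) and location_has_google_redirect(a) for a in attachments)
    return attachment_hit and invoice_topic_high(topics)

# Constructed sample: the LOCATION value is folded mid-hostname, as long iCalendar lines are.
REDIRECT_INVITE = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//constructed sample//EN",
    "BEGIN:VEVENT",
    "UID:constructed-0001",
    "DTSTART:20240101T120000Z",
    "SUMMARY:Overdue invoice",
    "LOCATION;LANGUAGE=en:https://www.goo",
    " gle.com/url?q=https://example.invalid/invoice-12345",
    "END:VEVENT",
    "END:VCALENDAR",
])

# Constructed benign sample: a Google Meet location, with a redirect URL only in DESCRIPTION.
BENIGN_INVITE = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//constructed sample//EN",
    "BEGIN:VEVENT",
    "UID:constructed-0002",
    "DTSTART:20240101T130000Z",
    "SUMMARY:Team sync",
    "LOCATION:https://meet.google.com/abc-defg-hij",
    "DESCRIPTION:Notes: https://www.google.com/url?q=https://example.invalid/notes",
    "END:VEVENT",
    "END:VCALENDAR",
])

REDIRECT_ATTACHMENT = Attachment("invite.ICS", "application/octet-stream", REDIRECT_INVITE.encode())
BENIGN_ATTACHMENT = Attachment("meeting.ics", "text/calendar", BENIGN_INVITE.encode())

if __name__ == "__main__":
    high = [("Request to View Invoice", "high")]
    for label, att in (("redirect invite", REDIRECT_ATTACHMENT), ("benign invite", BENIGN_ATTACHMENT)):
        print(f"{label}: attachment match={location_has_google_redirect(att)}, rule={rule_matches([att], high)}")
```

Two points the samples make explicit: the regex is scoped to the LOCATION property, so a redirect URL elsewhere in the invite (the DESCRIPTION in the benign sample) does not trigger the attachment half of the rule; and because `.` does not cross a line break, the pattern only sees a redirect that was folded across lines if the text is unfolded first. The page does not say whether `file.parse_text` unfolds iCalendar lines, so this example does it explicitly before matching.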