Attachment: ICS file with meeting prefix

Detects incoming messages with a single ICS calendar file attachment that has a filename starting with 'meeting_'.

Sublime rule

```yaml
name: "Attachment: ICS file with meeting prefix"
description: "Detects incoming messages with a single ICS calendar file attachment that has a filename starting with 'meeting_'."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(attachments) == 1
  and any(filter(attachments,
                 .file_extension in~ ('ics')
                 or .content_type in ("application/ics", "text/calendar")
          ),
          regex.icontains(.file_name, 'meeting_[a-zA-Z0-9]{5}\.')
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Header analysis"
id: "383a5810-0b85-55a8-ac9b-e7135823317b"
```
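To see exactly which messages the rule's `source` expression fires on, the following Python re-implements its four conditions (inbound, exactly one attachment, ICS by extension or content type, filename regex) and runs them over constructed sample messages. This is an added example, not Sublime's code or object model: the `Attachment` and `Message` classes and the sample data are assumptions made for illustration. One point worth checking in the samples: `regex.icontains` is an unanchored, case-insensitive search, so the pattern `meeting_[a-zA-Z0-9]{5}\.` also matches a filename such as `re_meeting_abcde.ics`, even though the description speaks of filenames *starting* with `meeting_`.

```python
import re
from dataclasses import dataclass
from typing import List


# Constructed stand-ins for the message fields the rule reads (assumption,
# not Sublime's real data model).
@dataclass
class Attachment:
    file_name: str
    file_extension: str
    content_type: str


@dataclass
class Message:
    inbound: bool
    attachments: List[Attachment]


# Values taken from the rule above.
ICS_EXTENSIONS = ("ics",)                              # .file_extension in~ ('ics')
ICS_CONTENT_TYPES = ("application/ics", "text/calendar")  # .content_type in (...)
# regex.icontains -> case-insensitive, unanchored search.
MEETING_NAME = re.compile(r"meeting_[a-zA-Z0-9]{5}\.", re.IGNORECASE)


def is_ics(att: Attachment) -> bool:
    """filter() predicate: 'in~' is case-insensitive, plain 'in' is not."""
    return (att.file_extension.lower() in ICS_EXTENSIONS
            or att.content_type in ICS_CONTENT_TYPES)


def matches_rule(msg: Message) -> bool:
    """Evaluate the rule's source expression against one message."""
    if not msg.inbound:                       # type.inbound
        return False
    if len(msg.attachments) != 1:             # length(attachments) == 1
        return False
    ics_attachments = [a for a in msg.attachments if is_ics(a)]
    # any(filter(...), regex.icontains(.file_name, ...))
    return any(MEETING_NAME.search(a.file_name) for a in ics_attachments)


# Constructed sample messages covering the rule's branches and edge cases.
SAMPLES = {
    "single_meeting_ics": Message(True, [
        Attachment("meeting_ab12X.ics", "ics", "text/calendar")]),
    "uppercase_ext_no_content_type": Message(True, [
        Attachment("MEETING_q9z3k.ICS", "ICS", "application/octet-stream")]),
    "content_type_only": Message(True, [
        Attachment("meeting_12345.calendar", "calendar", "text/calendar")]),
    "prefix_not_at_start": Message(True, [
        Attachment("re_meeting_abcde.ics", "ics", "text/calendar")]),
    "two_attachments": Message(True, [
        Attachment("meeting_ab12X.ics", "ics", "text/calendar"),
        Attachment("agenda.pdf", "pdf", "application/pdf")]),
    "outbound": Message(False, [
        Attachment("meeting_ab12X.ics", "ics", "text/calendar")]),
    "wrong_prefix": Message(True, [
        Attachment("invite_abcde.ics", "ics", "text/calendar")]),
    "short_suffix": Message(True, [
        Attachment("meeting_abc.ics", "ics", "text/calendar")]),
}


def evaluate_samples() -> dict:
    """Return {sample name: rule verdict} for every constructed sample."""
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:32s} -> {'MATCH' if verdict else 'no match'}")
```

The `prefix_not_at_start` sample is the one to keep in mind when tuning: if the intent is strictly a `meeting_` prefix, the pattern would need a leading `^`, which the rule as written does not have.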