Attachment: ICS file with non-Gregorian calendar scale

Detects ICS calendar attachments that use a non-standard calendar scale other than GREGORIAN, which may indicate malicious calendar files attempting to exploit calendar parsing vulnerabilities or bypass security filters.

Sublime rule

name: "Attachment: ICS file with non-Gregorian calendar scale"
description: "Detects ICS calendar attachments that use a non-standard calendar scale other than GREGORIAN, which may indicate malicious calendar files attempting to exploit calendar parsing vulnerabilities or bypass security filters."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ('ics')
            or .content_type in ("application/ics", "text/calendar")
          )
          and not strings.icontains(beta.file.parse_ics(.).scale, 'GREGORIAN')
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "File analysis"
  - "Content analysis"
id: "9315bbf5-c710-5ead-8a8e-5c7f8fb118dc"