Attachment: Calendar invite from recently registered domain
Detects calendar invites (.ics files) from organizers using domains registered within the last 90 days, which may indicate suspicious or malicious calendar invitations.
Sublime rule
name: "Attachment: Calendar invite from recently registered domain"
description: "Detects calendar invites (.ics files) from organizers using domains registered within the last 90 days, which may indicate suspicious or malicious calendar invitations."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(attachments) > 0
  and all(attachments, .content_type in ("text/calendar", "application/ics"))
  and any(attachments,
          any(file.explode(.),
              any(.scan.ics.calendars,
                  any(.components,
                      any(.organizers,
                          network.whois(.mailbox.email.domain).days_old < 90
                      )
                  )
              )
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Whois"
id: "d801521c-4678-5afa-8f93-d7162ef7a1d3"
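The same check outside the Sublime engine, as an added example that is not part of the rule or of Sublime's code: it unfolds an .ics body, pulls the mailbox domain from each ORGANIZER property, and applies the 90-day threshold. The WHOIS creation dates, the reference date and the sample invites are constructed stand-ins for the live network.whois() lookup.

```python
import re
from datetime import date

# Constructed WHOIS creation dates standing in for network.whois(...).days_old;
# the real rule does a live lookup, this table is an offline assumption.
WHOIS_CREATED = {
    "example.com": date(1995, 8, 14),
    "new-invites.example": date(2024, 5, 1),
}
TODAY = date(2024, 6, 1)   # fixed reference date so results are deterministic
MAX_AGE_DAYS = 90          # same threshold as the rule

# ORGANIZER property: params up to the first ':', optional mailto: prefix, then
# the address (quoted params containing ':' are not handled in this example).
ORGANIZER_RE = re.compile(r"^ORGANIZER[^:]*:(?:mailto:)?([^\r\n]+)", re.I | re.M)

def unfold(ics_text):
    """RFC 5545 unfolding: a line break followed by space/tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", ics_text)

def organizer_domains(ics_text):
    """Lowercased mailbox domain of every ORGANIZER in the calendar."""
    domains = []
    for addr in ORGANIZER_RE.findall(unfold(ics_text)):
        addr = addr.strip().strip("<>")
        if "@" in addr:
            domains.append(addr.rsplit("@", 1)[1].lower())
    return domains

def days_old(domain, today=TODAY):
    """Age of the registration in days, or None when WHOIS has no record."""
    created = WHOIS_CREATED.get(domain)
    return None if created is None else (today - created).days

def flags_invite(ics_text):
    """Mirror the rule: any organizer whose domain is younger than MAX_AGE_DAYS."""
    for domain in organizer_domains(ics_text):
        age = days_old(domain)
        if age is not None and age < MAX_AGE_DAYS:   # unknown age never fires
            return True
    return False

# Constructed invite; the ORGANIZER line is folded to exercise unfold().
NEW_DOMAIN_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "ORGANIZER;CN=Payments Team:mailto:\r\n billing@new-invites.example\r\n"
    "SUMMARY:Invoice review\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
)
OLD_DOMAIN_ICS = NEW_DOMAIN_ICS.replace("new-invites.example", "example.com")
```

A domain absent from WHOIS yields None and does not fire, matching the rule's behaviour when the lookup returns nothing to compare.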