Attachment: ICS calendar file with QR code containing recipient email address

calendar Apr 20, 2026  ·
Share on: linkedin copy

Detects calendar attachments (.ics files) containing QR codes that include the recipient's email address in the URL, URL fragment, or base64-encoded data. This technique is commonly used to personalize credential theft attacks by embedding the target's email address within calendar invitations.

Sublime rule (View on GitHub)

 1name: "Attachment: ICS calendar file with QR code containing recipient email address"
 2description: "Detects calendar attachments (.ics files) containing QR codes that include the recipient's email address in the URL, URL fragment, or base64-encoded data. This technique is commonly used to personalize credential theft attacks by embedding the target's email address within calendar invitations."
 3type: "rule"
 4severity: "high"
 5source: |
 6    type.inbound
 7    and any(attachments,
 8            (
 9              .file_type == "ics"
10              or (
11                .file_extension == "ics"
12                or .content_type in ("application/ics", "text/calendar")
13              )
14            )
15            //
16            // This rule makes use of a beta feature and is subject to change without notice
17            // using the beta feature in custom rules is not suggested until it has been formally released
18            //
19            and any(beta.file.parse_ics(.).events,
20                    //
21                    // This rule makes use of a beta feature and is subject to change without notice
22                    // using the beta feature in custom rules is not suggested until it has been formally released
23                    //
24                    any(beta.scan_qr(file.html_screenshot(.description_html)).items,
25                        strings.icontains(.url.url, recipients.to[0].email.email)
26                        or any(strings.scan_base64(.url.url, format="url"),
27                               strings.icontains(., recipients.to[0].email.email)
28                        )
29                        or any(strings.scan_base64(.url.fragment),
30                               strings.icontains(., recipients.to[0].email.email)
31                        )
32                    )
33            )
34    )    
35attack_types:
36  - "Credential Phishing"
37tactics_and_techniques:
38  - "QR code"
39  - "Social engineering"
40  - "Evasion"
41detection_methods:
42  - "File analysis"
43  - "QR code analysis"
44  - "URL analysis"
45  - "Content analysis"
46id: "2101401a-607e-5243-9136-110d908a185f"
to-top