Attachment: ICS calendar with embedded file from internal sender with SPF failure
Detects calendar invitations (ICS files) from internal domains that fail SPF authentication and contain embedded attachments, with single attendee and organizer both from organizational domains.
# Sublime Security detection rule: YAML metadata wrapping an MQL query in the
# `source` block scalar.
# Signal: an inbound ICS calendar invite whose sender address uses one of the
# organization's own domains but whose DMARC result is not a pass, carrying
# exactly one non-ICS, non-image attachment that the ICS itself references by
# Content-ID, with a single in-org attendee and an in-org organizer.
name: "Attachment: ICS calendar with embedded file from internal sender with SPF failure"
description: "Detects calendar invitations (ICS files) from internal domains that fail SPF authentication and contain embedded attachments, with single attendee and organizer both from organizational domains."
type: "rule"
severity: "high"
source: |
  type.inbound
  // sender claims one of our own domains ...
  and sender.email.domain.domain in $org_domains
  // ... but the message does not pass DMARC.
  // NOTE(review): the name and description say "SPF failure", but the flag
  // tested here is the DMARC pass result. DMARC can still pass on an aligned
  // DKIM signature when SPF fails, so the two are not equivalent; confirm which
  // authentication failure is intended and align the wording with the check.
  and not headers.auth_summary.dmarc.pass
  // has an ICS file
  and any(attachments,
          .file_extension == "ics" or .content_type == "text/calendar"
  )
  // and a single other attachment that isn't an ICS (or an image) but is
  // embedded in the ICS: its Content-ID appears in the parsed ICS text
  and length(filter(attachments,
                    not (
                      .file_extension == "ics"
                      or .content_type == "text/calendar"
                      or .file_type in $file_types_images
                    )
                    // `..content_id` presumably refers to the outer attachment
                    // being filtered, not the inner ICS - verify against MQL scoping
                    and any(filter(attachments,
                                   .file_extension == "ics"
                                   or .content_type == "text/calendar"
                            ),
                            strings.contains(file.parse_text(.).text,
                                             ..content_id
                            )
                    )
             )
  ) == 1
  // explode the ics file and look at the VEVENT component
  and any(filter(attachments,
                 .file_extension == "ics" or .content_type == "text/calendar"
          ),
          any(file.explode(.),
              // attendees and org are both within org_domains
              any(.scan.ics.calendars,
                  any(.components,
                      .type == "VEVENT"
                      // exactly one attendee, and that attendee is in-org
                      and length(.attendees) == 1
                      and all(.attendees,
                              .mailbox.email.domain.domain in $org_domains
                      )
                      and any(.organizers,
                              .mailbox.email.domain.domain in $org_domains
                      )
                      // the event carries at least one attachment, and every
                      // one is a URI reference to an embedded MIME part (CID:)
                      and length(.attachments) > 0
                      and all(.attachments,
                              .type == "uri" and strings.starts_with(.uri, "CID:")
                      )
                  )
              )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Spoofing"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "Header analysis"
  - "Sender analysis"
id: "d9ce9db8-0030-50d3-bdd5-aadb97313647"