Attachment: ICS calendar with embedded file from internal sender with SPF failure

calendar Oct 8, 2025  ·
Share on: linkedin copy

Detects calendar invitations (ICS files) from internal domains that fail SPF authentication and contain embedded attachments, with single attendee and organizer both from organizational domains.

Sublime rule (View on GitHub)

 1name: "Attachment: ICS calendar with embedded file from internal sender with SPF failure"
 2description: "Detects calendar invitations (ICS files) from internal domains that fail SPF authentication and contain embedded attachments, with single attendee and organizer both from organizational domains."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and sender.email.domain.domain in $org_domains
 8  and not headers.auth_summary.dmarc.pass
 9  // has an ICS file
10  and any(attachments,
11          .file_extension == "ics" or .content_type == "text/calendar"
12  )
13  // and a single other attachment that isn't an ICS but is embedded in the ICS
14  and length(filter(attachments,
15                    not (
16                      .file_extension == "ics"
17                      or .content_type == "text/calendar"
18                      or .file_type in $file_types_images
19                    )
20                    and any(filter(attachments,
21                                   .file_extension == "ics"
22                                   or .content_type == "text/calendar"
23                            ),
24                            strings.contains(file.parse_text(.).text,
25                                             ..content_id
26                            )
27                    )
28             )
29  ) == 1
30  // exlode the ics file and look at the VEVENT file
31  and any(filter(attachments,
32                 .file_extension == "ics" or .content_type == "text/calendar"
33          ),
34          any(file.explode(.),
35              // attendees and org are both within org_domains
36              any(.scan.ics.calendars,
37                  any(.components,
38                      .type == "VEVENT"
39                      and length(.attendees) == 1
40                      and all(.attendees,
41                              .mailbox.email.domain.domain in $org_domains
42                      )
43                      and any(.organizers,
44                              .mailbox.email.domain.domain in $org_domains
45                      )
46                      and length(.attachments) > 0
47                      and all(.attachments,
48                              .type == "uri" and strings.starts_with(.uri, "CID:")
49                      )
50                  )
51              )
52          )
53  )  
54attack_types:
55  - "Credential Phishing"
56tactics_and_techniques:
57  - "Spoofing"
58  - "Evasion"
59detection_methods:
60  - "File analysis"
61  - "Header analysis"
62  - "Sender analysis"
63id: "d9ce9db8-0030-50d3-bdd5-aadb97313647"
to-top