Attachment: ICS calendar file with suspicious product identifier

calendar May 29, 2026  ·
Share on: linkedin copy

Detects inbound messages containing ICS calendar attachments that have product identifiers matching patterns commonly associated with malicious calendar invitations. The rule identifies ICS files through multiple detection methods and analyzes the product_id field for suspicious formatting that may indicate automated generation or spoofing attempts.

Sublime rule (View on GitHub)

 1name: "Attachment: ICS calendar file with suspicious product identifier"
 2description: "Detects inbound messages containing ICS calendar attachments that have product identifiers matching patterns commonly associated with malicious calendar invitations. The rule identifies ICS files through multiple detection methods and analyzes the product_id field for suspicious formatting that may indicate automated generation or spoofing attempts."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(attachments,
 8          (
 9            .file_type == "ics"
10            or .file_extension == "ics"
11            or .content_type in ("application/ics", "text/calendar")
12          )
13          //
14          // This rule makes use of a beta feature and is subject to change without notice
15          // using the beta feature in custom rules is not suggested until it has been formally released
16          //
17          and regex.icontains(beta.file.parse_ics(.).product_id,
18                              '-//[a-z0-9]*[0-9][a-z0-9]*//EN'
19          )
20  )  
21attack_types:
22  - "Credential Phishing"
23tactics_and_techniques:
24  - "Evasion"
25  - "Social engineering"
26  - "ICS Phishing"
27detection_methods:
28  - "File analysis"
29  - "Content analysis"
30id: "b59b702b-85d5-5555-b75f-1b1704fad3d4"
to-top