Attachment: ICS calendar file with suspicious UID domain
Detects inbound messages containing ICS calendar attachments where the event UID property ends with a specific domain (@example.com). Malicious actors may use calendar invites to socially engineer recipients into accepting fraudulent meetings or following malicious instructions embedded in calendar events.
Sublime rule (View on GitHub)
1name: "Attachment: ICS calendar file with suspicious UID domain"
2description: "Detects inbound messages containing ICS calendar attachments where the event UID property ends with a specific domain (@example.com). Malicious actors may use calendar invites to socially engineer recipients into accepting fraudulent meetings or following malicious instructions embedded in calendar events."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and any(attachments,
8 (
9 .file_type == "ics"
10 or .file_extension == "ics"
11 or .content_type in ("application/ics", "text/calendar")
12 )
13 //
14 // This rule makes use of a beta feature and is subject to change without notice
15 // using the beta feature in custom rules is not suggested until it has been formally released
16 //
17 and any(beta.file.parse_ics(.).events,
18 any(.raw_properties,
19 .key == "UID" and strings.iends_with(.value, "@example.com")
20 )
21 )
22 )
23tags:
24 - "Attack surface reduction"
25attack_types:
26 - "ICS Phishing"
27 - "Credential Phishing"
28 - "BEC/Fraud"
29tactics_and_techniques:
30 - "Social engineering"
31detection_methods:
32 - "File analysis"
33 - "Content analysis"
34id: "cbe06f4f-f041-501b-bfc0-957cd545cd83"