Attachment: ICS calendar file with suspicious UID domain

Detects inbound messages containing ICS calendar attachments where the event UID property ends with a specific domain (@example.com). Malicious actors may use calendar invites to socially engineer recipients into accepting fraudulent meetings or following malicious instructions embedded in calendar events.

Sublime rule (View on GitHub)

 1name: "Attachment: ICS calendar file with suspicious UID domain"
 2description: "Detects inbound messages containing ICS calendar attachments where the event UID property ends with a specific domain (@example.com). Malicious actors may use calendar invites to socially engineer recipients into accepting fraudulent meetings or following malicious instructions embedded in calendar events."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(attachments,
 8          (
 9            .file_type == "ics"
10            or .file_extension == "ics"
11            or .content_type in ("application/ics", "text/calendar")
12          )
13          //
14          // This rule makes use of a beta feature and is subject to change without notice
15          // using the beta feature in custom rules is not suggested until it has been formally released
16          //
17          and any(beta.file.parse_ics(.).events,
18                  any(.raw_properties,
19                      .key == "UID" and strings.iends_with(.value, "@example.com")
20                  )
21          )
22  )      
23tags:
24  - "Attack surface reduction"
25attack_types:
26  - "ICS Phishing"
27  - "Credential Phishing"
28  - "BEC/Fraud"
29tactics_and_techniques:
30  - "Social engineering"
31detection_methods:
32  - "File analysis"
33  - "Content analysis"
34id: "cbe06f4f-f041-501b-bfc0-957cd545cd83"

Related rules

to-top