Attachment: ICS calendar file with recipient address in UID field
Detects inbound messages containing ICS calendar attachments where the UID property matches the recipient's email address, indicating potential calendar-based social engineering.
Sublime rule
name: "Attachment: ICS calendar file with recipient address in UID field"
description: "Detects inbound messages containing ICS calendar attachments where the UID property matches the recipient's email address, indicating potential calendar-based social engineering."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_type == "ics"
            or (
              .file_extension == "ics"
              or .content_type in ("application/ics", "text/calendar")
            )
          )
          //
          // This rule makes use of a beta feature and is subject to change without notice
          // using the beta feature in custom rules is not suggested until it has been formally released
          //
          and any(beta.file.parse_ics(.).events,
                  any(.raw_properties,
                      .key == "UID" and .value == recipients.to[0].email.email
                  )
          )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Content analysis"
id: "507d814e-1db5-56ce-929f-13c4c78b345f"
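The same check outside Sublime, as an added example that is not part of the rule or of Sublime's own parser: it unfolds an ICS attachment per RFC 5545, collects the UID of every VEVENT and compares it with the first To: recipient. The sample invite and the case-insensitive comparison are assumptions made for this example; the rule itself compares the raw value.

```python
import re
from typing import List

# Constructed sample invite (not from any real message). Its UID is set to the
# recipient address, which is the pattern the Sublime rule above flags.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//example//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:alice@example.com\r\n"
    "DTSTAMP:20240101T120000Z\r\n"
    "SUMMARY:Please review your account\r\n"
    " (folded continuation line)\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)


def unfold(ics_text: str) -> List[str]:
    """Undo RFC 5545 line folding: a line starting with SPACE/TAB continues the previous one."""
    lines: List[str] = []
    for raw in re.split(r"\r?\n", ics_text):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def event_uids(ics_text: str) -> List[str]:
    """Return the UID value of every VEVENT; a property name may carry parameters (UID;X=Y:value)."""
    uids: List[str] = []
    in_event = False
    for line in unfold(ics_text):
        if line == "BEGIN:VEVENT":
            in_event = True
        elif line == "END:VEVENT":
            in_event = False
        elif in_event:
            name, _, value = line.partition(":")
            if name.split(";", 1)[0].upper() == "UID":
                uids.append(value.strip())
    return uids


def is_ics_attachment(file_type: str, file_extension: str, content_type: str) -> bool:
    """Mirror the rule's first clause: detected type, extension or MIME type says 'calendar'."""
    return file_type == "ics" or file_extension == "ics" or content_type in ("application/ics", "text/calendar")


def uid_matches_recipient(ics_text: str, recipient: str) -> bool:
    """True when any VEVENT UID equals the recipient address (case-insensitive; an assumption here)."""
    rcpt = recipient.strip().lower()
    return any(uid.lower() == rcpt for uid in event_uids(ics_text))
```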