Attachment: Calendar file with invisible Unicode characters
Detects inbound, non-reply messages carrying a calendar (.ics) attachment whose content contains a run of eight or more invisible Unicode characters: code points from the Tags block (U+E0000 to U+E007F), the Variation Selectors Supplement (U+E0100 to U+E01EF), INVISIBLE TIMES (U+2062) or INVISIBLE PLUS (U+2064). These characters render as nothing in most mail and calendar clients, so they can carry text a reader never sees or break up strings that keyword-based security filters match on. To keep the rule scoped to calendar traffic it also requires a calendar-related keyword (calendar, meeting, event or appointment) in the subject or the current thread body, or an attachment with the text/calendar content type.
Sublime rule (View on GitHub)
name: "Attachment: Calendar file with invisible Unicode characters"
description: "Detects calendar (.ics) attachments containing suspicious invisible Unicode characters, which may be used to hide malicious content or bypass security filters. The rule triggers on messages with calendar-related keywords in the subject or body."
type: "rule"
severity: "high"
source: |
  type.inbound
  and not subject.is_reply
  and any(attachments, .file_extension in~ ('ics'))
  and any(attachments,
          any(file.explode(.),
              .file_extension in~ ('ics')
              and regex.icontains(.scan.strings.raw,
                                  '[\x{E0000}-\x{E007F}\x{E0100}-\x{E01EF}\x{2062}\x{2064}]{8,}'
              )
          )
  )
  and (
    regex.icontains(subject.subject, '(calendar|meeting|event|appointment)')
    or regex.icontains(body.current_thread.text,
                       '(calendar|meeting|event|appointment)'
    )
    or any(attachments, .content_type in~ ("text/calendar"))
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "File analysis"
  - "Content analysis"
id: "050fceac-98fa-564c-8d3f-34778949dae0"
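The detection logic above, re-implemented as an added example in Python (this is not part of the rule and not Sublime's own code): it builds a constructed .ics invite, hides an ASCII string inside it with Unicode tag characters (each character shifted up by U+E0000, the usual "ASCII smuggling" trick), and evaluates the rule's conditions locally. The Message and Attachment classes, the build_* helpers, the sample payload and the use of the decoded attachment text as a stand-in for .scan.strings.raw are all assumptions made for the example; the regex is the rule's character class translated from \x{...} to Python's \U escape syntax.

```python
import re
from dataclasses import dataclass
from typing import List

# Python form of the rule's character class. Sublime writes code points as \x{E0000};
# Python's re module writes them as \U000E0000. The {8,} quantifier is what separates
# a smuggled payload from a stray variation selector in an otherwise legitimate invite.
INVISIBLE_RUN = re.compile(
    r"[\U000E0000-\U000E007F"   # Tags block, the block used for ASCII smuggling
    r"\U000E0100-\U000E01EF"    # Variation Selectors Supplement
    r"\u2062\u2064]{8,}"        # INVISIBLE TIMES, INVISIBLE PLUS
)
CALENDAR_KEYWORDS = re.compile(r"(calendar|meeting|event|appointment)", re.IGNORECASE)
TAG_BASE = 0xE0000  # U+E0000 + an ASCII code point is that character's invisible tag form


@dataclass
class Attachment:  # assumed minimal model of a Sublime attachment object
    file_name: str
    content_type: str
    data: bytes

    @property
    def file_extension(self) -> str:
        return self.file_name.rsplit(".", 1)[-1].lower() if "." in self.file_name else ""


@dataclass
class Message:  # assumed minimal model of the message fields the rule reads
    subject: str
    body_text: str
    is_reply: bool
    attachments: List[Attachment]


def tag_encode(text: str) -> str:
    """Hide printable ASCII as Unicode tag characters (rendered as nothing by most clients)."""
    if not text.isascii() or not text.isprintable():
        raise ValueError("tag smuggling only covers printable ASCII")
    return "".join(chr(TAG_BASE + ord(c)) for c in text)


def tag_decode(run: str) -> str:
    """Recover ASCII from a run of tag characters; other invisible code points are dropped."""
    return "".join(chr(ord(c) - TAG_BASE) for c in run if TAG_BASE <= ord(c) <= TAG_BASE + 0x7F)


def find_invisible_runs(text: str) -> List[str]:
    """Every run of 8+ invisible characters, i.e. exactly what the rule's regex fires on."""
    return INVISIBLE_RUN.findall(text)


def rule_matches(msg: Message) -> bool:
    """Local re-implementation of the rule's source block (not Sublime's evaluator)."""
    if msg.is_reply:
        return False
    ics_files = [a for a in msg.attachments if a.file_extension == "ics"]
    if not ics_files:
        return False
    # file.explode(.) would recurse into containers; an .ics is flat text, so the decoded
    # bytes stand in for .scan.strings.raw here (an assumption about that field).
    if not any(INVISIBLE_RUN.search(a.data.decode("utf-8", errors="replace")) for a in ics_files):
        return False
    return bool(
        CALENDAR_KEYWORDS.search(msg.subject)
        or CALENDAR_KEYWORDS.search(msg.body_text)
        or any(a.content_type.lower() == "text/calendar" for a in msg.attachments)
    )


def build_ics(hidden: str = "") -> bytes:
    """Constructed sample invite; `hidden` is spliced invisibly into the SUMMARY line."""
    return (
        "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nPRODID:-//example//test//EN\r\n"
        "BEGIN:VEVENT\r\nUID:1@example.test\r\nDTSTART:20250106T150000Z\r\n"
        f"SUMMARY:Quarterly review{hidden}\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
    ).encode("utf-8")


def build_message(hidden: str = "", subject: str = "Quarterly review",
                  body: str = "Please accept the invite.",
                  content_type: str = "text/calendar", is_reply: bool = False) -> Message:
    """Constructed inbound message with one .ics attachment."""
    return Message(subject, body, is_reply,
                   [Attachment("invite.ics", content_type, build_ics(hidden))])


PAYLOAD = "Reset your password at http://login.example.test/"  # constructed smuggled text

if __name__ == "__main__":
    msg = build_message(tag_encode(PAYLOAD))
    print("rule matches:", rule_matches(msg))
    for run in find_invisible_runs(build_ics(tag_encode(PAYLOAD)).decode("utf-8")):
        print("hidden text:", tag_decode(run))
```

Two points the script makes concrete: a run of seven invisible characters does not trip the {8,} threshold while eight does, so short payloads and lone variation selectors pass; and when the rule does fire, decoding the tag run with tag_decode shows the analyst what the sender actually hid, which is the first thing to pull during triage.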