EXPLORE
Sign In
← Back to Explore
sublimehighRule

Attachment: ICS calendar file with QR code containing recipient email address

Detects calendar attachments (.ics files) containing QR codes that include the recipient's email address in the URL, URL fragment, or base64-encoded data. This technique is commonly used to personalize credential theft attacks by embedding the target's email address within calendar invitations.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1036T1027
initial-accessdefense-evasion

Detection Query

type.inbound
and any(attachments,
        (
          .file_type == "ics"
          or (
            .file_extension == "ics"
            or .content_type in ("application/ics", "text/calendar")
          )
        )
        //
        // This rule makes use of a beta feature and is subject to change without notice
        // using the beta feature in custom rules is not suggested until it has been formally released
        //
        and any(beta.file.parse_ics(.).events,
                //
                // This rule makes use of a beta feature and is subject to change without notice
                // using the beta feature in custom rules is not suggested until it has been formally released
                //
                any(beta.scan_qr(file.html_screenshot(.description_html)).items,
                    strings.icontains(.url.url, recipients.to[0].email.email)
                    or any(strings.scan_base64(.url.url, format="url"),
                           strings.icontains(., recipients.to[0].email.email)
                    )
                    or any(strings.scan_base64(.url.fragment),
                           strings.icontains(., recipients.to[0].email.email)
                    )
                )
        )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Attachment: ICS calendar file with QR code containing recipient email address"
description: "Detects calendar attachments (.ics files) containing QR codes that include the recipient's email address in the URL, URL fragment, or base64-encoded data. This technique is commonly used to personalize credential theft attacks by embedding the target's email address within calendar invitations."
type: "rule"
severity: "high"
source: |
    type.inbound
    and any(attachments,
            (
              .file_type == "ics"
              or (
                .file_extension == "ics"
                or .content_type in ("application/ics", "text/calendar")
              )
            )
            //
            // This rule makes use of a beta feature and is subject to change without notice
            // using the beta feature in custom rules is not suggested until it has been formally released
            //
            and any(beta.file.parse_ics(.).events,
                    //
                    // This rule makes use of a beta feature and is subject to change without notice
                    // using the beta feature in custom rules is not suggested until it has been formally released
                    //
                    any(beta.scan_qr(file.html_screenshot(.description_html)).items,
                        strings.icontains(.url.url, recipients.to[0].email.email)
                        or any(strings.scan_base64(.url.url, format="url"),
                               strings.icontains(., recipients.to[0].email.email)
                        )
                        or any(strings.scan_base64(.url.fragment),
                               strings.icontains(., recipients.to[0].email.email)
                        )
                    )
            )
    )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "QR code analysis"
  - "URL analysis"
  - "Content analysis"
id: "2101401a-607e-5243-9136-110d908a185f"