
Attachment: ICS file with meeting prefix

Detects incoming messages with a single ICS calendar file attachment that has a filename starting with 'meeting_'.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and length(attachments) == 1
and any(filter(attachments,
               .file_extension in~ ('ics')
               or .content_type in ("application/ics", "text/calendar")
        ),
        regex.icontains(.file_name, 'meeting_[a-zA-Z0-9]{5}\.')
)

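The following Python is an added example, not Sublime Security's code or part of this rule: it re-implements the query above over a handful of constructed sample messages so the rule's behaviour can be checked offline. The `Message` and `Attachment` dataclasses are assumptions standing in for the `type.inbound`, `attachments`, `.file_name`, `.file_extension` and `.content_type` fields of the real message object. The samples are chosen to show two points a reviewer of this rule would want to know: `regex.icontains` is an unanchored, case-insensitive search, so the `meeting_` string does not have to be at the start of the filename, and the pattern requires exactly five alphanumeric characters followed by a dot.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Attachment:
    # Assumed stand-ins for the rule's .file_name, .file_extension, .content_type
    file_name: str
    file_extension: str
    content_type: str


@dataclass
class Message:
    label: str                    # constructed sample name, not a message field
    inbound: bool                 # stands in for type.inbound
    attachments: List[Attachment]


# Same pattern as the rule; regex.icontains is an unanchored, case-insensitive search.
MEETING_NAME_RE = re.compile(r"meeting_[a-zA-Z0-9]{5}\.", re.IGNORECASE)

# `in~` is case-insensitive in MQL, plain `in` is not, so only the extension is lowercased.
ICS_CONTENT_TYPES = ("application/ics", "text/calendar")


def is_ics_attachment(att: Attachment) -> bool:
    """Mirror of the filter(): extension 'ics' (any case) or a calendar content type."""
    return att.file_extension.lower() == "ics" or att.content_type in ICS_CONTENT_TYPES


def rule_matches(msg: Message) -> bool:
    """Inbound, exactly one attachment, and that attachment is an ICS file whose
    name contains 'meeting_' + five alphanumerics + '.' anywhere in the string."""
    if not msg.inbound or len(msg.attachments) != 1:
        return False
    return any(MEETING_NAME_RE.search(a.file_name) is not None
               for a in msg.attachments if is_ics_attachment(a))


# Constructed samples (not real messages) covering the hit and the common misses.
SAMPLES = [
    Message("typical_hit", True,
            [Attachment("meeting_a1b2c.ics", "ics", "text/calendar")]),
    Message("six_char_suffix", True,          # 'meeting_abcdef.' has six chars before the dot
            [Attachment("meeting_abcdef.ics", "ics", "text/calendar")]),
    Message("prefix_in_middle", True,         # unanchored search still matches
            [Attachment("Invite_meeting_X9y8Z.ICS", "ICS", "application/octet-stream")]),
    Message("pdf_with_same_name", True,       # name matches, but it is not an ICS file
            [Attachment("meeting_12345.pdf", "pdf", "application/pdf")]),
    Message("two_attachments", True,          # length(attachments) == 1 fails
            [Attachment("meeting_a1b2c.ics", "ics", "text/calendar"),
             Attachment("agenda.pdf", "pdf", "application/pdf")]),
    Message("outbound", False,                # type.inbound fails
            [Attachment("meeting_a1b2c.ics", "ics", "text/calendar")]),
]


def evaluate_samples() -> Dict[str, bool]:
    """Run the rule over every sample and return label -> matched."""
    return {m.label: rule_matches(m) for m in SAMPLES}


if __name__ == "__main__":
    for label, hit in evaluate_samples().items():
        print(f"{label:20s} {'ALERT' if hit else 'no match'}")
```

Running the block prints one line per sample; only `typical_hit` and `prefix_in_middle` alert. If the intent is really "filename starts with meeting_", the regex would need a leading anchor, and if the five-character requirement is too narrow for a given environment it is the `{5}` quantifier to revisit.
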
Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Raw Content

name: "Attachment: ICS file with meeting prefix"
description: "Detects incoming messages with a single ICS calendar file attachment that has a filename starting with 'meeting_'."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(attachments) == 1
  and any(filter(attachments,
                 .file_extension in~ ('ics')
                 or .content_type in ("application/ics", "text/calendar")
          ),
          regex.icontains(.file_name, 'meeting_[a-zA-Z0-9]{5}\.')
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Header analysis"
id: "383a5810-0b85-55a8-ac9b-e7135823317b"