EXPLORE
← Back to Explore
sublimemediumRule

Attachment: ICS file with excessive custom properties

ICS calendar attachment contains an unusually high number of custom X- properties, which may indicate attempts to hide malicious content or exploit calendar parsing vulnerabilities.

MITRE ATT&CK

defense-evasion

Detection Query

type.inbound
and any(filter(attachments,
               .file_type in~ ('ics')
               or .content_type in ("text/calendar", "application/ics")
        ),
        regex.icount(file.parse_text(.).text,
                     '[\r\n]X-[^\r\n]+\x3b\s?[^\r\n]+:\s*[a-f0-9]{32,}'
        ) > 10
        //
        // This rule makes use of a beta feature and is subject to change without notice
        // using the beta feature in custom rules is not suggested until it has been formally released
        //
        or any(beta.file.parse_ics(.).events,
               length(filter(.raw_properties,
                             strings.istarts_with(.key, 'X-')
                             and regex.icontains(.value, '^[a-f0-9]{32,}$')
                      )
               ) > 10
        )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Attachment: ICS file with excessive custom properties"
description: "ICS calendar attachment contains an unusually high number of custom X- properties, which may indicate attempts to hide malicious content or exploit calendar parsing vulnerabilities."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments,
                 .file_type in~ ('ics')
                 or .content_type in ("text/calendar", "application/ics")
          ),
          regex.icount(file.parse_text(.).text,
                       '[\r\n]X-[^\r\n]+\x3b\s?[^\r\n]+:\s*[a-f0-9]{32,}'
          ) > 10
          //
          // This rule makes use of a beta feature and is subject to change without notice
          // using the beta feature in custom rules is not suggested until it has been formally released
          //
          or any(beta.file.parse_ics(.).events,
                 length(filter(.raw_properties,
                               strings.istarts_with(.key, 'X-')
                               and regex.icontains(.value, '^[a-f0-9]{32,}$')
                        )
                 ) > 10
          )
  )

attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "ICS Phishing"
detection_methods:
  - "File analysis"
  - "Content analysis"
id: "3ac947bc-9db3-5505-9d7b-4cd22c9931fe"