Sublime rule, severity: high
Attachment: ICS with employee policy review lure
Detects inbound ICS calendar attachments whose extracted strings contain both phrases 'policy review' and 'secure access' (matched case-insensitively). Calendar invites carrying this terminology are used in social engineering to prompt recipients to take action under the guise of a compliance or security requirement.
Detection Query
type.inbound
and any(filter(attachments,
               .file_type in~ ('ics')
               or .content_type in ("text/calendar", "application/ics")
        ),
        any(file.explode(.),
            .depth == 0
            and any(.scan.strings.strings,
                    strings.icontains(., 'policy review')
            )
            and any(.scan.strings.strings,
                    strings.icontains(., 'secure access')
            )
        )
)
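To see what the rule logic above actually accepts and rejects, here is an added Python emulation of it (example code written for this page, not Sublime's engine or the rule itself). It builds constructed inbound messages with calendar attachments, selects attachments the way the filter does (extension compared case-insensitively, content type compared exactly), extracts printable strings from the depth-0 file only, and requires both phrases to be present. The sender address, filenames and invite text are constructed samples, not real artifacts.

```python
"""Offline emulation of the ICS lure rule (added example, not the rule itself)."""
import email
import re
from email import policy
from email.message import EmailMessage

PHRASES = ("policy review", "secure access")               # both must match
ICS_EXTENSIONS = {"ics"}                                    # .file_type in~ ('ics')
ICS_CONTENT_TYPES = {"text/calendar", "application/ics"}   # .content_type in (...)

# Runs of 4+ printable ASCII bytes: a rough stand-in for a strings scan.
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# Constructed sample invites (not real-world artifacts).
ICS_LURE = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nPRODID:-//Example//EN\r\n"
    "BEGIN:VEVENT\r\nUID:constructed-001@example.net\r\n"
    "DTSTART:20240611T140000Z\r\nDTEND:20240611T143000Z\r\n"
    "SUMMARY:Mandatory Employee Policy Review\r\n"
    "DESCRIPTION:Confirm your Secure Access enrollment before the session.\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)
ICS_BENIGN = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nPRODID:-//Example//EN\r\n"
    "BEGIN:VEVENT\r\nUID:constructed-002@example.net\r\n"
    "DTSTART:20240612T090000Z\r\nDTEND:20240612T093000Z\r\n"
    "SUMMARY:Weekly team sync\r\nDESCRIPTION:Agenda in the shared doc.\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)


def build_sample_message(attachment_text, filename="invite.ics",
                         content_type="text/calendar"):
    """Return a serialized inbound message with one attachment (constructed)."""
    msg = EmailMessage()
    msg["From"] = "hr-compliance@example.net"   # hypothetical sender
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Action required: policy review"
    msg.set_content("Please accept the attached calendar invite.")
    maintype, subtype = content_type.split("/", 1)
    msg.add_attachment(attachment_text.encode("utf-8"), maintype=maintype,
                       subtype=subtype, filename=filename)
    return bytes(msg)


def iter_attachments(raw):
    """Yield (file_type, content_type, decoded bytes) for each attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        yield ext, part.get_content_type().lower(), part.get_payload(decode=True) or b""


def is_ics(file_type, content_type):
    """filter(attachments, .file_type in~ ('ics') or .content_type in (...))."""
    return file_type in ICS_EXTENSIONS or content_type in ICS_CONTENT_TYPES


def scan_strings(data):
    """Emulate .scan.strings.strings on the depth-0 file (no nested extraction)."""
    return [m.group().decode("ascii") for m in _PRINTABLE_RUN.finditer(data)]


def rule_matches(raw):
    """True when some ICS attachment carries both lure phrases (case-insensitive)."""
    for file_type, content_type, data in iter_attachments(raw):
        if not is_ics(file_type, content_type):
            continue
        strings = [s.lower() for s in scan_strings(data)]
        # all(...) over PHRASES mirrors the two chained any(...) clauses in the rule
        if all(any(phrase in s for s in strings) for phrase in PHRASES):
            return True
    return False


def run_samples():
    """Apply the emulated rule to the constructed samples."""
    return {
        "ics_lure": rule_matches(build_sample_message(ICS_LURE)),
        "ics_benign": rule_matches(build_sample_message(ICS_BENIGN)),
        # Same lure text, but not an ICS attachment: the rule does not fire.
        "txt_lure": rule_matches(build_sample_message(
            ICS_LURE, filename="notes.txt", content_type="text/plain")),
        # Upper-case extension and a generic content type: caught via in~ on .file_type.
        "upper_ext": rule_matches(build_sample_message(
            ICS_LURE, filename="INVITE.ICS", content_type="application/octet-stream")),
    }


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```

Two points the samples make concrete: the lure text alone is not enough, the container has to be recognised as ICS by extension or content type, and `.depth == 0` means only the attachment itself is scanned, so an invite nested in an archive is out of scope for this rule. One caveat specific to the emulation: it splits strings on line breaks, so a phrase that straddles a folded ICS line (RFC 5545 folds long lines with CRLF plus whitespace) would not land in a single string; test the production rule against folded invites before relying on it for that case.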
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Attachment: ICS with employee policy review lure"
description: "Detects ICS calendar attachments containing references to 'policy review' and 'secure access' terminology, which may be used in social engineering attacks to prompt users to take action under the guise of compliance or security requirements."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(filter(attachments,
                 .file_type in~ ('ics')
                 or .content_type in ("text/calendar", "application/ics")
          ),
          any(file.explode(.),
              .depth == 0
              and any(.scan.strings.strings,
                      strings.icontains(., 'policy review')
              )
              and any(.scan.strings.strings,
                      strings.icontains(., 'secure access')
              )
          )
  )
attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Content analysis"
id: "4eaf2ef3-1e65-5553-90dd-9d8507092d64"