Severity: high
Attachment: ICS calendar file with recipient address in UID field
Detects inbound messages containing ICS calendar attachments where the UID property matches the recipient's email address, indicating potential calendar-based social engineering.
Detection Query
type.inbound
and any(attachments,
        (
          .file_type == "ics"
          or (
            .file_extension == "ics"
            or .content_type in ("application/ics", "text/calendar")
          )
        )
        //
        // This rule makes use of a beta feature and is subject to change without notice.
        // Using the beta feature in custom rules is not recommended until it has been formally released.
        //
        and any(beta.file.parse_ics(.).events,
                any(.raw_properties,
                    .key == "UID" and .value == recipients.to[0].email.email
                )
        )
)
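The query above only runs inside Sublime, so the following is an added Python approximation of its logic, run over a constructed message. It is not Sublime Security's code: the small ICS parser stands in for the beta `beta.file.parse_ics()` function, the attachment predicate drops the `file_type` sniffing the rule also performs, and the message builder, the `example.invalid` addresses and the sample invite are assumptions made for the example.

```python
# Added example, not Sublime Security's code. The ICS parser, attachment
# predicate, message builder and sample invite below are assumptions.
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Optional, Tuple

# Content types the rule treats as calendar attachments.
ICS_CONTENT_TYPES = {"application/ics", "text/calendar"}


def unfold_ics(text: str) -> List[str]:
    """RFC 5545 section 3.1: a line break followed by one space or tab is a
    fold; the break and that whitespace character are removed."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    return [ln for ln in re.sub(r"\n[ \t]", "", text).split("\n") if ln]


def split_property(line: str) -> Optional[Tuple[str, str]]:
    """Split 'NAME;PARAM="a:b":value' at the first colon outside quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i], line[i + 1:]
    return None


def parse_ics_events(text: str) -> List[List[Tuple[str, str]]]:
    """One list of (KEY, value) pairs per VEVENT, mirroring the
    events[].raw_properties shape the rule iterates. Property parameters
    are stripped so KEY is the bare, upper-cased property name."""
    events: List[List[Tuple[str, str]]] = []
    current = None
    for line in unfold_ics(text):
        if line == "BEGIN:VEVENT":
            current = []
        elif line == "END:VEVENT":
            if current is not None:
                events.append(current)
            current = None
        elif current is not None:
            parts = split_property(line)
            if parts:
                current.append((parts[0].split(";", 1)[0].upper(), parts[1]))
    return events


def is_ics_attachment(part: EmailMessage) -> bool:
    """The rule's attachment predicate minus file_type sniffing: an .ics
    extension or a calendar content type qualifies."""
    filename = (part.get_filename() or "").lower()
    return filename.endswith(".ics") or part.get_content_type() in ICS_CONTENT_TYPES


def first_to_address(msg: EmailMessage) -> Optional[str]:
    """recipients.to[0].email.email: the first address in the To header."""
    header = msg["To"]
    return header.addresses[0].addr_spec if header and header.addresses else None


def rule_matches(raw: bytes) -> bool:
    """True when any ICS attachment has a VEVENT whose UID equals the first
    To address, which is what the rule alerts on."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    target = first_to_address(msg)
    if target is None:
        return False
    for part in msg.iter_attachments():
        if not is_ics_attachment(part):
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # application/ics parts decode to bytes
            body = body.decode("utf-8", "replace")
        for event in parse_ics_events(body):
            if any(key == "UID" and value == target for key, value in event):
                return True
    return False


def build_ics(uid: str) -> str:
    """Constructed invite: the folded DESCRIPTION and parameterised DTSTART
    exercise the unfold and parameter-stripping paths."""
    return (
        "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nPRODID:-//example//EN\r\n"
        "BEGIN:VEVENT\r\n"
        f"UID:{uid}\r\n"
        "DTSTART;TZID=Etc/UTC:20240101T090000\r\n"
        "SUMMARY:Quarterly review\r\n"
        "DESCRIPTION:Agenda at https://example.invalid/\r\n agenda\r\n"
        "END:VEVENT\r\nEND:VCALENDAR\r\n"
    )


def build_sample(to_header: str, uid: str) -> bytes:
    """Constructed inbound message carrying the invite as a text/calendar attachment."""
    msg = EmailMessage()
    msg["From"] = "Calendar <noreply@example.invalid>"
    msg["To"] = to_header
    msg["Subject"] = "Invitation: Quarterly review"
    msg.set_content("You have been invited to a meeting.")
    msg.add_attachment(build_ics(uid).encode(), maintype="text",
                       subtype="calendar", filename="invite.ics")
    return msg.as_bytes()


if __name__ == "__main__":
    victim = "alice@example.invalid"
    print(rule_matches(build_sample(victim, victim)))  # True
    print(rule_matches(build_sample(victim, "4f1c-9a@example.invalid")))  # False
    # recipients.to[0] only: a UID equal to the second To address is missed.
    print(rule_matches(build_sample("bob@example.invalid, " + victim, victim)))  # False
```

The third case in the `__main__` block reproduces a limit visible in the query itself: the UID is compared against `recipients.to[0]` only, so a message whose matching address sits second in the To header (or in CC) does not fire the rule.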
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Attachment: ICS calendar file with recipient address in UID field"
description: "Detects inbound messages containing ICS calendar attachments where the UID property matches the recipient's email address, indicating potential calendar-based social engineering."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_type == "ics"
            or (
              .file_extension == "ics"
              or .content_type in ("application/ics", "text/calendar")
            )
          )
          //
          // This rule makes use of a beta feature and is subject to change without notice.
          // Using the beta feature in custom rules is not recommended until it has been formally released.
          //
          and any(beta.file.parse_ics(.).events,
                  any(.raw_properties,
                      .key == "UID" and .value == recipients.to[0].email.email
                  )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Content analysis"
id: "507d814e-1db5-56ce-929f-13c4c78b345f"