sublime · medium · Rule
Attachment: Calendar invite with Google redirect and invoice request
Detects calendar file attachments containing Google redirect URLs in the location field combined with invoice-related language in the message body.
Detection Query
type.inbound
and any(attachments,
        (
          .file_extension in~ ('ics')
          or .content_type in ("application/ics", "text/calendar")
        )
        and regex.icontains(file.parse_text(.).text,
                            'LOCATION[^:]*:.{1,300}google\.com/url'
        )
)
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == "Request to View Invoice" and .confidence == "high"
)
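The LOCATION check from the query above, re-implemented in Python as an added example (this is not part of the Sublime rule or the Sublime platform): it applies the rule's own regex to constructed .ics attachments, pulls out the destination hidden behind google.com/url so an analyst can see where the "invoice" really leads, and shows one caveat a practitioner should test for. RFC 5545 folds long content lines with CRLF followed by a space, and the regex's `.` does not cross a line break, so a fold placed inside the hostname hides the URL from a check run on raw attachment text. Whether file.parse_text unfolds continuation lines is not stated on this page, so the example unfolds before matching and also reports what the raw text gives; the sample invites, hostnames and the q=/url= parameter handling are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# The rule's own pattern; regex.icontains in the query is case-insensitive,
# so re.IGNORECASE is applied here to mirror it.
LOCATION_REDIRECT_RE = re.compile(r'LOCATION[^:]*:.{1,300}google\.com/url', re.IGNORECASE)


def unfold_ics(text: str) -> str:
    """Undo RFC 5545 line folding: a line break followed by one space or
    tab continues the previous content line."""
    return re.sub(r'\r?\n[ \t]', '', text)


def location_has_google_redirect(ics_text: str, unfold: bool = True) -> bool:
    """Apply the rule's LOCATION check to an .ics body.

    With unfold=False the regex sees the raw attachment text, which is what
    a parser that does not unfold continuation lines would present to it.
    """
    body = unfold_ics(ics_text) if unfold else ics_text
    return LOCATION_REDIRECT_RE.search(body) is not None


def google_redirect_targets(ics_text: str) -> list[str]:
    """Return the destinations behind every google.com/url link found in a
    LOCATION property of the (unfolded) invite."""
    targets = []
    for prop in re.finditer(r'^LOCATION[^:\r\n]*:(.*)$', unfold_ics(ics_text),
                            re.IGNORECASE | re.MULTILINE):
        for url in re.findall(r'https?://[^\s"<>]+', prop.group(1)):
            parsed = urlparse(url)
            host = (parsed.hostname or '').lower()
            if (host == 'google.com' or host.endswith('.google.com')) and parsed.path == '/url':
                params = parse_qs(parsed.query)
                # Assumption: the redirector carries the destination in q= or url=.
                for key in ('q', 'url'):
                    targets.extend(params.get(key, []))
    return targets


# Constructed sample attachments, not real phishing samples.
# 1. The straightforward case the rule targets.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Overdue invoice review\r\n"
    "LOCATION;LANGUAGE=en:https://www.google.com/url?q=https://invoice-portal.example/login\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# 2. The same invite with the LOCATION line folded inside the hostname,
#    which RFC 5545 permits for lines longer than 75 octets.
FOLDED_ICS = SAMPLE_ICS.replace(
    "LOCATION;LANGUAGE=en:https://www.google.com/url",
    "LOCATION;LANGUAGE=en:https://www.goo\r\n gle.com/url",
)

# 3. A benign invite with a physical location.
BENIGN_ICS = SAMPLE_ICS.replace(
    "LOCATION;LANGUAGE=en:https://www.google.com/url?q=https://invoice-portal.example/login",
    "LOCATION:Conference room 4B",
)


if __name__ == "__main__":
    for name, ics in (("plain", SAMPLE_ICS), ("folded", FOLDED_ICS), ("benign", BENIGN_ICS)):
        print(f"{name}: raw={location_has_google_redirect(ics, unfold=False)} "
              f"unfolded={location_has_google_redirect(ics)} "
              f"targets={google_redirect_targets(ics)}")
```

Running the block prints one line per sample; the folded invite is the interesting one, because the raw-text check misses it while the unfolded check and the target extraction both succeed. If the platform's text extraction does not unfold, that gap is worth closing with a second pattern or a pre-processing step before relying on the LOCATION regex alone.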
Data Sources
Email Messages
Email Headers
Email Attachments
Platforms
email
Raw Content
name: "Attachment: Calendar invite with Google redirect and invoice request"
description: "Detects calendar file attachments containing Google redirect URLs in the location field combined with invoice-related language in the message body."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ('ics')
            or .content_type in ("application/ics", "text/calendar")
          )
          and regex.icontains(file.parse_text(.).text,
                              'LOCATION[^:]*:.{1,300}google\.com/url'
          )
  )
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name == "Request to View Invoice" and .confidence == "high"
  )
attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Open redirect"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Natural Language Understanding"
  - "URL analysis"
id: "8ea3cff8-f2ee-5190-8530-a79beab60a3b"