sublime · medium · Rule

Attachment: ICS file with non-Gregorian calendar scale

Detects ICS calendar attachments that use a non-standard calendar scale other than GREGORIAN, which may indicate malicious calendar files attempting to exploit calendar parsing vulnerabilities or bypass security filters.

MITRE ATT&CK

defense-evasion

Detection Query

type.inbound
and any(attachments,
        (
          .file_extension in~ ('ics')
          or .content_type in ("application/ics", "text/calendar")
        )
        and not strings.icontains(beta.file.parse_ics(.).scale, 'GREGORIAN')
)
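
The same check written out as an added example (not the rule's own code and not the implementation of `beta.file.parse_ics`): it unfolds RFC 5545 lines before looking for `CALSCALE`, so a property name folded across a line break is still read. Assumptions of this example: only `CALSCALE` set directly on `VCALENDAR` is considered, and a missing `CALSCALE` is treated as the RFC 5545 default (GREGORIAN); the function names and sample calendars are constructed.

```python
import re

CAL_TYPES = {"application/ics", "text/calendar"}  # content types named in the rule
# Property name, optional ;params (quoted param values may contain ':'), then the value.
PROP = re.compile(r'^([A-Za-z0-9-]+)((?:;(?:"[^"]*"|[^":;])*)*):(.*)$')

def unfold(text):
    """RFC 5545 unfolding: a line break followed by one space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", text)

def calscale_values(text):
    """Return every CALSCALE value set directly on a VCALENDAR component."""
    values, stack = [], []
    for line in unfold(text).splitlines():
        m = PROP.match(line)
        if not m:
            continue
        name, value = m.group(1).upper(), m.group(3).strip()
        if name == "BEGIN":
            stack.append(value.upper())
        elif name == "END" and stack:
            stack.pop()
        elif name == "CALSCALE" and stack == ["VCALENDAR"]:
            values.append(value)
    return values

def flag_attachment(filename, content_type, text):
    """True when a calendar attachment declares a scale that does not contain GREGORIAN."""
    if not (filename.lower().endswith(".ics") or content_type in CAL_TYPES):
        return False
    # Assumption: no CALSCALE means the RFC 5545 default (GREGORIAN), so it is not flagged.
    return any("gregorian" not in v.lower() for v in calscale_values(text))

# Constructed sample attachments (not real messages).
SAMPLE_GREGORIAN = "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nCALSCALE:GREGORIAN\r\nEND:VCALENDAR\r\n"
SAMPLE_NO_SCALE = "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nEND:VCALENDAR\r\n"
# Property name folded across two lines; a plain line search for "CALSCALE:" misses it.
SAMPLE_FOLDED = ("BEGIN:VCALENDAR\r\nVERSION:2.0\r\nCALSC\r\n ALE:X-EXAMPLE-SCALE\r\n"
                 "END:VCALENDAR\r\n")

if __name__ == "__main__":
    samples = {"gregorian": SAMPLE_GREGORIAN, "no scale": SAMPLE_NO_SCALE,
               "folded": SAMPLE_FOLDED}
    for label, ics in samples.items():
        print(label, calscale_values(ics),
              flag_attachment("invite.ics", "text/calendar", ics))
```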

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Raw Content

name: "Attachment: ICS file with non-Gregorian calendar scale"
description: "Detects ICS calendar attachments that use a non-standard calendar scale other than GREGORIAN, which may indicate malicious calendar files attempting to exploit calendar parsing vulnerabilities or bypass security filters."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ('ics')
            or .content_type in ("application/ics", "text/calendar")
          )
          and not strings.icontains(beta.file.parse_ics(.).scale, 'GREGORIAN')
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "File analysis"
  - "Content analysis"
id: "9315bbf5-c710-5ead-8a8e-5c7f8fb118dc"