Sublime | Severity: medium | Rule
Non-RFC compliant calendar files from unsolicited sender
Detects calendar (.ics) attachments, delivered directly or inside a common archive format, that violate RFC 5545 by containing a VEVENT, VTODO, VJOURNAL or VFREEBUSY component with no UID property, when the sending address has no history of benign messages. RFC 5545 makes UID mandatory for those four components and every real calendar client emits one, so its absence points to a hand-crafted file. Forged ICS invites are a known spoofing vector: the organizer the recipient's calendar displays is taken from the ICS body, so the invite can appear to originate from any sender regardless of the actual SMTP origin.
and not profile.by_sender_email().any_messages_benign
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Non-RFC compliant calendar files from unsolicited sender"
description: "Detects calendar (.ics) attachments, delivered directly or inside a common archive format, that violate RFC 5545 by containing a VEVENT, VTODO, VJOURNAL or VFREEBUSY component with no UID property, when the sending address has no history of benign messages. RFC 5545 makes UID mandatory for those four components and every real calendar client emits one, so its absence points to a hand-crafted file. Forged ICS invites are a known spoofing vector: the organizer the recipient's calendar displays is taken from the ICS body, so the invite can appear to originate from any sender regardless of the actual SMTP origin."
type: "rule"
severity: "medium"
references:
  - "https://mrd0x.com/spoofing-calendar-invites-using-ics-files/"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in $file_extensions_common_archives
            or .file_extension == "ics"
            or .content_type == "text/calendar"
          )
          and any(file.explode(.),
                  (.file_extension == "ics" or .flavors.mime == "text/calendar")
                  and any(.scan.ics.calendars,
                          any(.components,
                              .uid is null
                              and .type in (
                                'VEVENT',
                                'VJOURNAL',
                                'VFREEBUSY',
                                'VTODO'
                              )
                          )
                  )
          )
  )
  and not profile.by_sender_email().any_messages_benign
tags:
  - "Attack surface reduction"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "Sender analysis"
id: "9859f100-5fa5-5bb5-9ca6-bce8925afe6d"
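The following is an added, stand-alone re-implementation of the per-attachment check in the rule's source block, written for this page; it is not Sublime's engine and not the rule's own code. It assumes zip is the only archive format worth opening (the rule's $file_extensions_common_archives list covers more), that calendar text is UTF-8, and that the "content sniff" for a calendar is a leading BEGIN:VCALENDAR (an approximation of .flavors.mime == "text/calendar"). Both sample ICS files and the helper names are constructed here, not captured from traffic. It goes slightly beyond the rule by handling RFC 5545 line folding and quoted parameter values, which a naive UID check gets wrong.

```python
import io
import zipfile
from typing import Iterator

# RFC 5545 makes UID mandatory for exactly these four components; VALARM,
# VTIMEZONE, STANDARD and DAYLIGHT carry no UID and must not be flagged.
REQUIRED_UID_COMPONENTS = {"VEVENT", "VJOURNAL", "VFREEBUSY", "VTODO"}

def unfold(text: str) -> list[str]:
    """Undo RFC 5545 folding: a line starting with SPACE/HTAB continues the previous one.
    Skipping this step makes a checker report a missing UID whenever a client folds it."""
    lines: list[str] = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw.startswith((" ", "\t")) and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines

def split_property(line: str) -> tuple[str, str]:
    """Split 'NAME;PARAM="a:b":value' at the first colon that is outside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i], line[i + 1:]
    return line, ""

def parse_components(text: str) -> list[dict]:
    """Every component, nested ones included, as {'type': ..., 'props': {...}}."""
    components: list[dict] = []
    stack: list[dict] = []
    for line in unfold(text):
        name, value = split_property(line)
        prop = name.split(";", 1)[0].strip().upper()  # drop parameters such as ;CN=...
        if prop == "BEGIN":
            stack.append({"type": value.strip().upper(), "props": {}})
        elif prop == "END":
            if stack:
                components.append(stack.pop())
        elif stack:
            stack[-1]["props"].setdefault(prop, value)
    return components

def missing_uid_components(text: str) -> list[str]:
    """Types of components that require a UID under RFC 5545 but have none (the rule's .uid is null)."""
    return [c["type"] for c in parse_components(text)
            if c["type"] in REQUIRED_UID_COMPONENTS and "UID" not in c["props"]]

def calendar_payloads(filename: str, data: bytes) -> Iterator[tuple[str, bytes]]:
    """Rough mirror of the rule's file.explode(): the attachment itself when it is a calendar
    by extension or by content, or each .ics member of a zip archive (assumption: zip only)."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.lower().endswith(".ics"):
                    yield f"{filename}/{member}", zf.read(member)
    elif filename.lower().endswith(".ics") or data.lstrip().startswith(b"BEGIN:VCALENDAR"):
        yield filename, data

def flag_attachment(filename: str, data: bytes) -> list[tuple[str, str]]:
    """(payload name, component type) for each UID-less required component; empty means no hit."""
    return [(name, ctype)
            for name, payload in calendar_payloads(filename, data)
            for ctype in missing_uid_components(payload.decode("utf-8", "replace"))]

# Constructed sample, not real traffic: a client-generated invite whose UID line is
# folded across two lines (permitted by RFC 5545) and whose VALARM has no UID (correct).
LEGIT_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nPRODID:-//example//EN\r\n"
    "BEGIN:VEVENT\r\nUI\r\n D:20240101T100000Z-1@example.com\r\n"
    "DTSTAMP:20240101T100000Z\r\nDTSTART:20240102T100000Z\r\n"
    "ORGANIZER;CN=\"Alice: PM\":mailto:alice@example.com\r\nSUMMARY:Sync\r\n"
    "BEGIN:VALARM\r\nACTION:DISPLAY\r\nTRIGGER:-PT15M\r\nEND:VALARM\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
).encode()

# Constructed hand-crafted invite: ORGANIZER names an address unrelated to the SMTP
# sender (the spoofing the page describes) and the author never emitted a UID.
FORGED_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nMETHOD:REQUEST\r\n"
    "BEGIN:VEVENT\r\nDTSTART:20240102T100000Z\r\n"
    "ORGANIZER;CN=CEO:mailto:ceo@victim.example\r\nSUMMARY:Urgent payroll review\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
).encode()

def zipped(name: str, payload: bytes) -> bytes:
    """Wrap a payload in an in-memory zip, the archive path the rule also inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

if __name__ == "__main__":
    for fname, blob in [("invite.ics", LEGIT_ICS), ("invite.ics", FORGED_ICS),
                        ("invite.zip", zipped("forged.ics", FORGED_ICS))]:
        print(fname, flag_attachment(fname, blob))
```

The legitimate sample produces no hit, the forged one is reported as a VEVENT without UID, and the same forged file inside a zip is reported under its archive path. The script only covers the file-level half of the rule; the `profile.by_sender_email().any_messages_benign` clause needs sender history, and in practice it is what keeps internal scripts that emit UID-less ICS files (booking or ticketing systems are the usual offenders) from tripping the rule, so allowlist those senders rather than weakening the UID check.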