Attachment: Calendar invite from recently registered domain
Detects calendar invites (.ics files) from organizers using domains registered within the last 90 days, which may indicate suspicious or malicious calendar invitations.
Detection Query
type.inbound
and length(attachments) > 0
and all(attachments, .content_type in ("text/calendar", "application/ics"))
and any(attachments,
        any(file.explode(.),
            any(.scan.ics.calendars,
                any(.components,
                    any(.organizers,
                        network.whois(.mailbox.email.domain).days_old < 90
                    )
                )
            )
        )
)
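The query above is Sublime's own MQL; what follows is an added, stand-alone Python illustration of the same predicate, not code from Sublime or from this rule. It unfolds an RFC 5545 .ics body, pulls the mailto domain out of every ORGANIZER property (including parameters such as CN= and folded continuation lines), and compares the domain's registration age against the 90-day threshold. The sample invite and the WHOIS creation dates are constructed for the example; a real deployment would replace the WHOIS_CREATED lookup with a live WHOIS/RDAP query. As in the rule, a domain with no WHOIS record yields no age and therefore does not match.

```python
import re
from datetime import date
from typing import Optional

CALENDAR_TYPES = {"text/calendar", "application/ics"}

# Constructed sample .ics attachment (not a real message). The ORGANIZER
# line is folded across two physical lines, as RFC 5545 section 3.1 allows,
# so a naive line-by-line parser would lose the domain.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//Example//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:abc123@payments-review-portal.example\r\n"
    "DTSTART:20240601T150000Z\r\n"
    "SUMMARY:Invoice review\r\n"
    "ORGANIZER;CN=Billing Desk:mailto:billing@\r\n"
    " payments-review-portal.example\r\n"
    "ATTENDEE:mailto:victim@corp.example\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Constructed stand-in for network.whois(...).created; hypothetical dates.
WHOIS_CREATED = {
    "payments-review-portal.example": date(2024, 5, 20),
    "corp.example": date(2010, 3, 1),
}


def unfold(ics: str) -> list:
    """Join folded content lines (line break followed by a space or tab)."""
    return re.sub(r"\r?\n[ \t]", "", ics).splitlines()


def organizer_domains(ics: str) -> list:
    """Return the lower-cased e-mail domain of every ORGANIZER property."""
    domains = []
    for line in unfold(ics):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        # Strip property parameters (";CN=..." etc.) to get the bare name.
        if name.split(";", 1)[0].upper() != "ORGANIZER":
            continue
        addr = value.strip()
        if addr.lower().startswith("mailto:"):
            addr = addr[len("mailto:"):]
        if "@" in addr:
            domains.append(addr.rsplit("@", 1)[1].lower())
    return domains


def days_old(domain: str, today_iso: str) -> Optional[int]:
    """Domain age in days, or None when no registration record is known."""
    created = WHOIS_CREATED.get(domain)
    if created is None:
        return None
    return (date.fromisoformat(today_iso) - created).days


def recently_registered_organizer(ics: str, today_iso: str,
                                  max_age_days: int = 90) -> bool:
    """Any organizer domain registered fewer than max_age_days ago.

    A None age (unknown domain) never matches, mirroring the rule's
    behaviour when network.whois() returns nothing."""
    return any(
        age is not None and age < max_age_days
        for age in (days_old(d, today_iso) for d in organizer_domains(ics))
    )


def rule_matches(attachments: list, today_iso: str,
                 max_age_days: int = 90) -> bool:
    """Whole rule: attachments is a list of (content_type, body) pairs.

    Every attachment must be a calendar type (the rule's all(...) clause),
    and at least one must carry a recently registered organizer domain."""
    if not attachments:
        return False
    if not all(ct in CALENDAR_TYPES for ct, _ in attachments):
        return False
    return any(recently_registered_organizer(body, today_iso, max_age_days)
               for _, body in attachments)


if __name__ == "__main__":
    print(organizer_domains(SAMPLE_ICS))
    print(rule_matches([("text/calendar", SAMPLE_ICS)], "2024-06-01"))
```

Note the all(...) gate: an invite bundled with a PDF or image attachment is not evaluated at all, so a sender can side-step this rule by attaching anything else alongside the .ics. Whether that is acceptable depends on how noisy the any(...)-only variant is in your environment.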
Data Sources
Email Messages
Email Headers
Email Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Attachment: Calendar invite from recently registered domain"
description: "Detects calendar invites (.ics files) from organizers using domains registered within the last 90 days, which may indicate suspicious or malicious calendar invitations."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(attachments) > 0
  and all(attachments, .content_type in ("text/calendar", "application/ics"))
  and any(attachments,
          any(file.explode(.),
              any(.scan.ics.calendars,
                  any(.components,
                      any(.organizers,
                          network.whois(.mailbox.email.domain).days_old < 90
                      )
                  )
              )
          )
  )
tags:
- "Attack surface reduction"
attack_types:
- "Callback Phishing"
tactics_and_techniques:
- "Evasion"
- "Social engineering"
detection_methods:
- "File analysis"
- "Whois"
id: "d801521c-4678-5afa-8f93-d7162ef7a1d3"