Attachment: ICS file with AWS Lambda URL
Detects ICS calendar files that contain references to AWS Lambda URLs, which may be used to deliver malicious content or redirect users to suspicious resources.
Detection Query
type.inbound
and any(attachments,
        (
          .file_extension in~ ('ics')
          or .content_type in ("application/ics", "text/calendar")
        )
        and regex.icontains(file.parse_text(.).text, 'lambda-url')
)
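The same check expressed outside MQL, as an added Python example that is not part of the rule or the vendor's code. It goes beyond the rule text by unfolding RFC 5545 folded lines before matching (whether file.parse_text does this is not stated on the page); the function names and the sample invite are constructed for illustration.

```python
import re

# Extension and content types copied from the rule's attachment filter.
ICS_CONTENT_TYPES = ("application/ics", "text/calendar")
NEEDLE = re.compile(r"lambda-url", re.IGNORECASE)  # same pattern as the rule


def is_ics_attachment(filename: str, content_type: str) -> bool:
    """Mirror of: .file_extension in~ ('ics') or .content_type in (...)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext == "ics" or content_type in ICS_CONTENT_TYPES


def unfold(text: str) -> str:
    """RFC 5545 section 3.1: a line break followed by a space or tab is a fold."""
    return re.sub(r"\r?\n[ \t]", "", text)


def lambda_url_lines(filename: str, content_type: str, data: bytes) -> list[str]:
    """Return the unfolded content lines (property and value) that match."""
    if not is_ics_attachment(filename, content_type):
        return []
    text = unfold(data.decode("utf-8", errors="replace"))
    return [line for line in text.splitlines() if NEEDLE.search(line)]


# Constructed sample invite: DESCRIPTION is folded in the middle of "lambda-url",
# LOCATION carries an upper-case variant of the same marker.
SAMPLE_ICS = (
    b"BEGIN:VCALENDAR\r\n"
    b"VERSION:2.0\r\n"
    b"BEGIN:VEVENT\r\n"
    b"SUMMARY:Quarterly review\r\n"
    b"DESCRIPTION:Join here: https://exampleid.lambda-\r\n"
    b" url.us-east-1.on.aws/\r\n"
    b"LOCATION:https://EXAMPLEID.LAMBDA-URL.eu-west-1.on.aws/\r\n"
    b"END:VEVENT\r\n"
    b"END:VCALENDAR\r\n"
)

if __name__ == "__main__":
    # Extension match is case-insensitive, so the generic content type still passes.
    for hit in lambda_url_lines("invite.ICS", "application/octet-stream", SAMPLE_ICS):
        print(hit)
```

Returning the whole content line shows which calendar property (DESCRIPTION, LOCATION, URL) carries the reference, which is useful when triaging a hit.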
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Attachment: ICS file with AWS Lambda URL"
description: "Detects ICS calendar files that contain references to AWS Lambda URLs, which may be used to deliver malicious content or redirect users to suspicious resources."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ('ics')
            or .content_type in ("application/ics", "text/calendar")
          )
          and regex.icontains(file.parse_text(.).text, 'lambda-url')
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "URL analysis"
id: "ecc8c457-f171-5f22-a3c1-dac281d7b3e0"