
Attachment: ICS calendar file with suspicious UID domain

Sublime Rules

Summary
Detects inbound emails containing ICS calendar attachments where any ICS event's UID property ends with the domain @example.com. The rule uses a beta ICS parser to extract ICS events from the attachment (files with the ics extension, or with content type application/ics or text/calendar) and inspects each event's raw_properties for a UID key whose value ends with "@example.com". This pattern can indicate attacker-controlled calendar invites used for social engineering or credential phishing (ICS phishing/BEC). The rule is file-content and content-analysis based: it relies on the parsed ICS structure rather than on simple string matching against the raw file. Note: the ICS parsing feature is experimental (beta) and subject to change; customize the domain indicator as needed for production. False positives may occur for legitimate invites from the same domain or for benign calendar events.
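The detection logic the summary describes, re-implemented stand-alone as an added example (this is not the Sublime rule's own code or the product's parser): an attachment is treated as ICS by extension or content type, each VEVENT's raw properties are collected into a dictionary, and the UID value is checked with a suffix match rather than a substring search. The sample ICS text, filenames and the `WATCHED_DOMAIN` constant are constructed for the example; the folded UID line in the sample shows why the parser has to undo RFC 5545 line folding before reading property values.

```python
"""Flag ICS attachments whose VEVENT UID ends with a watched domain.

Added example; not the Sublime rule or parser. Sample data below is constructed.
"""

WATCHED_DOMAIN = "@example.com"                  # indicator from the rule; adjust per environment
ICS_CONTENT_TYPES = {"application/ics", "text/calendar"}

# Constructed sample: one UID ending in @example.com (folded across two lines),
# one legitimate UID from another domain, and one lookalike that must NOT match.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//constructed sample//EN
BEGIN:VEVENT
UID;X-CONSTRUCTED=1:20260702T120000Z-0001
 @example.com
DTSTART:20260702T120000Z
SUMMARY:Quarterly review
END:VEVENT
BEGIN:VEVENT
UID:meeting-42@corp.example.org
DTSTART:20260703T090000Z
SUMMARY:Team sync
END:VEVENT
BEGIN:VEVENT
UID:abc@example.com.other.test
DTSTART:20260704T090000Z
SUMMARY:Lookalike, suffix check must reject it
END:VEVENT
END:VCALENDAR
"""


def unfold_ics(text: str) -> list[str]:
    """Undo RFC 5545 line folding: a line beginning with a space or tab
    continues the previous line. Handles CRLF and LF line endings."""
    lines: list[str] = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def parse_events(text: str) -> list[dict[str, str]]:
    """Return each VEVENT as a dict of raw property name -> value.
    Property parameters (the ;PARAM=... part before the colon) are dropped
    so that 'UID;X-FOO=1:value' is stored under the key 'UID'."""
    events: list[dict[str, str]] = []
    current: dict[str, str] | None = None
    for line in unfold_ics(text):
        upper = line.upper()
        if upper == "BEGIN:VEVENT":
            current = {}
        elif upper == "END:VEVENT":
            if current is not None:
                events.append(current)
            current = None
        elif current is not None and ":" in line:
            name_part, value = line.split(":", 1)
            name = name_part.split(";", 1)[0].upper()
            current[name] = value
    return events


def is_ics_attachment(filename: str, content_type: str) -> bool:
    """Mirror the rule's attachment selection: .ics extension or ICS content type."""
    return filename.lower().endswith(".ics") or content_type.lower() in ICS_CONTENT_TYPES


def suspicious_uids(filename: str, content_type: str, body: str,
                    domain: str = WATCHED_DOMAIN) -> list[str]:
    """Return the UID values of events whose UID ends with `domain`.
    A suffix match is used on purpose: a substring match would also hit
    lookalikes such as 'x@example.com.other.test'."""
    if not is_ics_attachment(filename, content_type):
        return []
    return [ev["UID"] for ev in parse_events(body)
            if ev.get("UID", "").lower().endswith(domain.lower())]


if __name__ == "__main__":
    hits = suspicious_uids("invite.ics", "text/calendar", SAMPLE_ICS)
    print("suspicious UIDs:", hits)
```

Run as a script it prints the single matching UID; the lookalike event and the unrelated domain are left alone. In a real pipeline the attachment bytes would come from the message rather than the inline sample, and the watched domain would be whatever indicator you customize the rule with.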
Categories
  • Endpoint
  • Application
Data Sources
  • File
Created: 2026-07-02