
Summary
This rule targets inbound messages carrying ICS calendar attachments and flags those whose product identifier looks suspicious. An attachment is treated as an ICS file if any of several indicators says so (file_type, file_extension, or content_type), and the beta ICS parser (beta.file.parse_ics) is then used to extract the ICS product_id (the PRODID property). The rule matches product_id against the pattern -//[a-z0-9]*[0-9][a-z0-9]*//EN, i.e. a single product segment made up only of lowercase letters and digits that contains at least one digit, rather than the usual vendor//product form emitted by mainstream calendar clients. Such identifiers are associated with automatically generated or spoofed calendar invitations. If any attachment's ICS product_id matches the pattern, the rule triggers as a Credential Phishing scenario, covering ICS phishing and social-engineering techniques. Detection methods are File analysis (attachment inspection) and Content analysis (ICS field parsing). The rule is scoped to inbound traffic and is rated medium severity.

Note that the ICS parsing relies on a beta feature and may change or become unstable in future releases. False positives are possible for legitimate ICS invites whose product_id happens to match the pattern, so corroborating indicators (sender reputation, other ICS fields such as organizer and attendee addresses) should be checked before remediation.
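As an added illustration of the logic described above (not the rule's own code or the platform's beta.file.parse_ics implementation), the following Python reimplements the check on a message represented as a plain dict. The message and attachment field names, the unfolding-based PRODID extraction standing in for beta.file.parse_ics, the case-sensitive application of the pattern, and the sample ICS bodies are all assumptions made for this example; the two ICS attachments are constructed, not captured from real traffic.

```python
import re
from typing import Optional

# The rule's pattern, anchored: one product segment of lowercase letters and
# digits that contains at least one digit, e.g. "-//a1b2c3//EN".
# Case sensitivity is an assumption; the page does not say how the rule matches.
SUSPICIOUS_PRODID = re.compile(r"^-//[a-z0-9]*[0-9][a-z0-9]*//EN$")


def unfold_ics(text: str) -> list:
    """Undo RFC 5545 line folding: a line beginning with a space or tab
    continues the previous line. Needed because PRODID may be folded."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def extract_prodid(ics_text: str) -> Optional[str]:
    """Minimal stand-in for beta.file.parse_ics: return the PRODID value,
    ignoring any property parameters (PRODID;X-FOO=bar:value), or None."""
    for line in unfold_ics(ics_text):
        name, sep, value = line.partition(":")
        if sep and name.split(";", 1)[0].upper() == "PRODID":
            return value.strip()
    return None


def prodid_is_suspicious(prodid: Optional[str]) -> bool:
    return bool(prodid and SUSPICIOUS_PRODID.match(prodid))


def is_ics_attachment(attachment: dict) -> bool:
    """Any one of the three indicators is enough, as in the rule."""
    return (
        attachment.get("file_type") == "ics"
        or attachment.get("file_extension", "").lower() == "ics"
        or attachment.get("content_type", "").lower().startswith("text/calendar")
    )


def rule_matches(message: dict) -> bool:
    """True if an inbound message has any ICS attachment whose PRODID
    matches the suspicious pattern. Message shape is assumed."""
    if message.get("direction") != "inbound":
        return False
    for att in message.get("attachments", []):
        if is_ics_attachment(att) and prodid_is_suspicious(extract_prodid(att["content"])):
            return True
    return False


# Constructed sample: PRODID is folded across two lines to exercise unfolding.
SUSPICIOUS_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//a1b2\r\n"
    " c3//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Password expiry - action required\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Constructed sample with the multi-segment form a real client emits.
LEGIT_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//Google Inc//Google Calendar 70.9054//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Weekly sync\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

SUSPICIOUS_MESSAGE = {
    "direction": "inbound",
    "attachments": [{"file_extension": "ICS", "content": SUSPICIOUS_ICS}],
}
LEGIT_MESSAGE = {
    "direction": "inbound",
    "attachments": [{"content_type": "text/calendar; charset=utf-8", "content": LEGIT_ICS}],
}

if __name__ == "__main__":
    print("suspicious:", rule_matches(SUSPICIOUS_MESSAGE))  # True
    print("legit:", rule_matches(LEGIT_MESSAGE))            # False
```

Two details matter for the false-positive discussion: the pattern is anchored to a single segment, so a normal vendor//product PRODID such as the Google one above never matches, and a segment without any digit (for example -//abc//EN) also does not match. Unfolding the PRODID line before matching avoids missing an identifier that a generator split across lines.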
Categories
- Endpoint
Data Sources
- File
Created: 2026-05-30