
Summary
Detects inbound ICS calendar attachments that link to domains registered within the last 30 days. The rule identifies ICS files by file_type/extension or content_type and uses a beta ICS parser to extract events and the links they contain. For each link found inside an ICS event, it performs a Whois lookup on the link's domain (href_url.domain) and flags the attachment if the domain age is under 30 days. This targets social-engineering calendar phishing campaigns that attempt to redirect users to brand-new domains hosting malicious sites or payloads. Data sources involved include file analysis (attachments), URL analysis (links within ICS), and Whois-based domain-age checks. Note that the beta ICS parsing feature may change and could yield false positives if ICS content is misinterpreted or if a sender legitimately uses a newly registered domain.
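As an added illustration (not the rule's own code or the vendor's ICS parser), the following stand-alone Python mirrors the rule's logic: unfold ICS lines, collect links inside VEVENT blocks, reduce each to a domain, and flag those whose WHOIS creation date is under 30 days old. The ICS sample, domain names and creation dates are constructed, and `whois_created` stands in for a real WHOIS/RDAP client.

```python
import re
from datetime import date
from urllib.parse import urlparse

MAX_DOMAIN_AGE_DAYS = 30  # threshold used by the rule
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def unfold_ics(text: str) -> list:
    """RFC 5545 unfolding: a line starting with SPACE/TAB continues the previous one."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]  # links are frequently split across folded lines
        else:
            lines.append(raw)
    return lines

def extract_event_links(ics_text: str) -> list:
    """URLs found in any property inside a VEVENT (DESCRIPTION, LOCATION, URL, ...)."""
    links, in_event = [], False
    for line in unfold_ics(ics_text):
        if line.upper().startswith("BEGIN:VEVENT"):
            in_event = True
        elif line.upper().startswith("END:VEVENT"):
            in_event = False
        elif in_event:
            links.extend(URL_RE.findall(line))
    return links

def flag_young_domains(ics_text: str, whois_created, today: date) -> dict:
    """{domain: age_in_days} for event-link domains younger than the threshold;
    whois_created(domain) returns the creation date or None (e.g. a WHOIS/RDAP client)."""
    flagged = {}
    for link in extract_event_links(ics_text):
        # Naive two-label reduction; production code would consult the public suffix list.
        domain = ".".join((urlparse(link).hostname or "").lower().split(".")[-2:])
        created = whois_created(domain)
        if created is None:  # no WHOIS data: age unknown, so not flagged (possible miss)
            continue
        age = (today - created).days
        if age < MAX_DOMAIN_AGE_DAYS:
            flagged[domain] = age
    return flagged

# Constructed sample ICS (one event, folded DESCRIPTION with two links) and constructed WHOIS dates.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "BEGIN:VEVENT", "SUMMARY:Quarterly review",
    "DESCRIPTION:Join here: https://meet.new-brand-login.test/",
    " invite?id=42 or read the agenda at https://docs.long-established.test/agenda",
    "END:VEVENT", "END:VCALENDAR"])
WHOIS_CREATED = {"new-brand-login.test": date(2026, 4, 10), "long-established.test": date(2015, 6, 1)}

def check_sample(today: date = date(2026, 4, 21)) -> dict:
    return flag_young_domains(SAMPLE_ICS, WHOIS_CREATED.get, today)  # -> {"new-brand-login.test": 11}
```

Running `check_sample()` flags only the 11-day-old domain; the long-established one and any domain without WHOIS data pass through, which is also where the false positives and misses the summary warns about originate.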
Categories
- Network
- Endpoint
Data Sources
- File
- Network Traffic
- Domain Name
Created: 2026-04-21