Attachment: ICS file with links to newly registered domains

Sublime Rules

Summary
Detects inbound ICS calendar attachments that link to domains registered within the last 30 days. The rule identifies ICS files by file_type/extension or content_type and uses a beta ICS parser to extract events and associated links. For any link href_url.domain found inside an ICS event, it performs a Whois lookup and flags the attachment if the domain age is under 30 days. This targets social-engineering calendar phishing campaigns that attempt to redirect users to brand-new domains hosting malicious sites or payloads. Data sources involved include file analysis (attachments), URL analysis (links within ICS), and Whois-based domain-age checks. Note that the beta ICS parsing feature may change and could yield false positives if ICS content is misinterpreted or legitimately uses new domains.
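As an added illustration of the detection logic described above (this is not the Sublime rule's own source; the ICS attachment and the Whois creation dates are constructed placeholders standing in for a real lookup), the following Python unfolds the ICS, collects links only from VEVENT blocks, and flags domains registered fewer than 30 days ago:

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed ICS attachment: one event whose description carries two links.
# The second line of DESCRIPTION is folded per RFC 5545 (leading space).
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//constructed//example//EN
BEGIN:VEVENT
UID:constructed-1@example.invalid
DTSTART:20260421T150000Z
SUMMARY:Invoice review
DESCRIPTION:Please confirm at https://new-login-portal.example/verify and see
  https://docs.example.org/agenda for the agenda
END:VEVENT
END:VCALENDAR
"""

# Constructed stand-in for Whois creation dates (placeholder values, not real data).
WHOIS_CREATED = {
    "new-login-portal.example": date(2026, 4, 10),
    "docs.example.org": date(2015, 3, 2),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def unfold_ics(text):
    """RFC 5545 unfolding: a line beginning with SPACE or TAB continues the previous line."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def event_links(text):
    """Return URLs found inside VEVENT blocks; calendar-level properties are ignored."""
    links, in_event = [], False
    for line in unfold_ics(text):
        if line == "BEGIN:VEVENT":
            in_event = True
        elif line == "END:VEVENT":
            in_event = False
        elif in_event:
            links.extend(URL_RE.findall(line))
    return links

def young_domains(text, whois, today, max_age_days=30):
    """Domains linked from events whose registration is younger than max_age_days."""
    flagged = set()
    for url in event_links(text):
        domain = (urlparse(url).hostname or "").lower()
        created = whois.get(domain)  # unknown registration date: do not flag
        if created is not None and (today - created).days < max_age_days:
            flagged.add(domain)
    return sorted(flagged)
```

A domain whose Whois record is unavailable is left unflagged here, which mirrors the false-negative side of the trade-off the summary notes for the beta parser.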
Categories
  • Network
  • Endpoint
Data Sources
  • File
  • Network Traffic
  • Domain Name
Created: 2026-04-21