
Summary
This rule detects inbound messages that carry ICS calendar attachments and targets calendar-based social engineering aimed at credential phishing. It triggers when an ICS file is present (an attachment with file_type ics, file_extension ics, or a content_type of application/ics or text/calendar) and the parsed ICS content contains an event whose UID property equals the first recipient's email address. The rule uses a beta ICS parser to extract events and their raw_properties, then asserts on any event where a raw_property with key UID has a value equal to recipients.to[0].email.email. If a match is found, the rule fires with high severity. This identifies phishing invites that try to look legitimate by embedding a UID tied to the intended recipient.

Notes: the rule relies on a beta ICS parsing feature, which is subject to change and not recommended for production until it is formally released. False positives can occur if a legitimate ICS UID happens to equal a recipient's address, or if recipient extraction is ambiguous. Detection methods: File analysis (attachment detection) and Content analysis (parsing ICS properties and comparing them to recipient data).
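As an added example (not the rule's own query language or the platform's beta parser), the following Python reproduces the detection logic over a constructed invite: it unfolds RFC 5545 continuation lines, collects each VEVENT's raw properties, and flags a message whose first recipient address equals an event UID. The attachment and recipient field names mirror those in the summary; the dict layout of the message is an assumption.

```python
"""Detection logic for ICS invites whose event UID equals the first recipient's address.
Sample message and calendar below are constructed for this example."""
import re
from typing import Dict, List

ICS_CONTENT_TYPES = {"application/ics", "text/calendar"}

def unfold_ics(text: str) -> List[str]:
    """Join RFC 5545 folded lines (continuations start with a space or tab)."""
    text = text.replace("\r\n", "\n")
    return re.sub(r"\n[ \t]", "", text).split("\n")

def parse_events(ics_text: str) -> List[Dict[str, str]]:
    """Return one dict of raw properties (NAME -> value) per VEVENT; ;PARAM=... is dropped."""
    events, current = [], None
    for line in unfold_ics(ics_text):
        if not line.strip():
            continue
        name_part, _, value = line.partition(":")
        name = name_part.split(";", 1)[0].upper()
        if name == "BEGIN" and value.upper() == "VEVENT":
            current = {}
        elif name == "END" and value.upper() == "VEVENT":
            if current is not None:
                events.append(current)
            current = None
        elif current is not None:
            current[name] = value  # last occurrence of a repeated property wins
    return events

def is_ics_attachment(att: dict) -> bool:
    return (att.get("file_type") == "ics" or att.get("file_extension") == "ics"
            or att.get("content_type") in ICS_CONTENT_TYPES)

def uid_matches_recipient(message: dict) -> bool:
    """Mirror the rule: any ICS attachment with a VEVENT whose UID equals recipients.to[0].email.email."""
    to = message.get("recipients", {}).get("to", [])
    if not to:
        return False  # no recipient to compare against; rule cannot match
    first_rcpt = to[0]["email"]["email"]
    for att in message.get("attachments", []):
        if is_ics_attachment(att) and any(
                ev.get("UID") == first_rcpt for ev in parse_events(att["content"])):
            return True
    return False

# Constructed sample: the UID line is folded and carries a parameter, both handled above.
SAMPLE_ICS = ("BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\nUID;X-TAG=1:alice@\r\n example.test\r\n"
              "SUMMARY:Quarterly review\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n")
SUSPICIOUS = {"recipients": {"to": [{"email": {"email": "alice@example.test"}}]},
              "attachments": [{"file_extension": "ics", "content_type": "text/calendar", "content": SAMPLE_ICS}]}
BENIGN = {"recipients": {"to": [{"email": {"email": "bob@example.test"}}]},
          "attachments": [{"file_extension": "ics", "content_type": "text/calendar", "content": SAMPLE_ICS}]}
```

Running uid_matches_recipient(SUSPICIOUS) returns True and uid_matches_recipient(BENIGN) returns False, since only the first recipient address is compared.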
Categories
- Endpoint
Data Sources
- File
Created: 2026-04-21