Attachment: ICS file with excessive custom properties

Sublime Rules

Summary
This rule detects inbound ICS calendar attachments that may be used to conceal malicious content or exploit calendar parsing. It targets attachments with an ICS file type or a calendar content type (text/calendar, application/ics), then parses the file text and counts occurrences of custom X- properties that include a parameter separator (;), followed by a value containing at least 32 hexadecimal characters. If the count exceeds 10, the rule triggers. The rule is aimed at evasion techniques that abuse calendar metadata to hide payloads or bypass simple checks in attachment handling.
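The counting logic described above, as an added Python sketch for testing sample files; it is not the rule's own source. The function names, the extension check standing in for file-type detection, the reading of "at least 32 hexadecimal characters" as one contiguous run, and the RFC 5545 line unfolding step are assumptions, and the sample calendar is constructed.

```python
import re

ICS_CONTENT_TYPES = {"text/calendar", "application/ics"}
THRESHOLD = 10  # the rule triggers when the count exceeds 10

# X- property name, at least one ";parameter", then a value holding 32+ hex chars.
# Requiring one contiguous hex run is an assumption about the rule's pattern.
X_PROP = re.compile(r"^X-[A-Za-z0-9-]+;[^:\r\n]*:.*[0-9A-Fa-f]{32,}", re.MULTILINE)


def unfold(text):
    """Undo RFC 5545 folding: a line break followed by one space or tab."""
    return re.sub(r"\r?\n[ \t]", "", text)


def is_ics(filename, content_type):
    # Extension check is a stand-in (assumption) for real file-type detection.
    return filename.lower().endswith(".ics") or content_type.lower() in ICS_CONTENT_TYPES


def count_hex_x_props(ics_text):
    """Count X- properties with parameters and a long hex value, after unfolding."""
    return len(X_PROP.findall(unfold(ics_text)))


def rule_matches(filename, content_type, ics_text):
    return is_ics(filename, content_type) and count_hex_x_props(ics_text) > THRESHOLD


def build_sample(n_props, fold=False):
    """Constructed sample calendar carrying n_props hex-laden X- properties."""
    lines = ["BEGIN:VCALENDAR", "VERSION:2.0", "BEGIN:VEVENT", "SUMMARY:Quarterly review"]
    for i in range(n_props):
        value = f"{i:02x}" * 24  # 48 hex characters, constructed
        if fold:  # split the value across a folded continuation line
            value = value[:20] + "\r\n " + value[20:]
        lines.append(f"X-CUSTOM-{i};VALUE=TEXT:{value}")
    # A common benign X- property: no parameter, no hex run, so it is not counted.
    lines += ["X-WR-CALNAME:Team calendar", "END:VEVENT", "END:VCALENDAR"]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    for n in (10, 11):
        print(n, rule_matches("invite.ics", "text/calendar", build_sample(n)))
```

Unfolding matters when reproducing the count by hand: a hex value split across folded lines leaves no single line with a 32-character run, so a line-by-line match undercounts.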
Categories
  • Endpoint
  • Application
Data Sources
  • File
Created: 2026-03-18