Attachment: ICS calendar with embedded file from internal sender with SPF failure

Sublime Rules

Summary
This detection rule identifies potentially malicious ICS calendar invitations that originate from internal organizational domains yet fail SPF (Sender Policy Framework) authentication. It targets calendar invites carrying embedded attachments with specific characteristics: the invite must have a single attendee and an organizer from the same organization, which confirms the invite is aimed at a specific member of the company. If the ICS file contains any attachment that is neither a calendar type nor a permitted image file, the rule flags it. It checks that such non-ICS attachments are actually embedded inside the ICS file itself, since that is the pattern used to smuggle a phishing payload past attachment controls. Other conditions include inspecting the contents of the ICS file and comparing its participants against the organization's domain names. The severity is high because the likely outcome is credential phishing, which can lead to data breaches or unauthorized access. The detection mechanisms employed are file analysis, email header analysis, and validation of the sender against known organizational domains, which together address tactics such as spoofing and evasion.
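As an added illustration (not the rule's own code or the Sublime detection language), the following Python sketch applies the conditions the summary lists to a constructed ICS body and a constructed Authentication-Results value: single attendee plus organizer from the organization, SPF failure, and an embedded attachment that is neither a calendar nor a permitted image. The organization domain and the permitted image types are assumptions.

```python
import re

ORG_DOMAINS = {"example.com"}  # assumption: the organization's own domains
# Assumed allow-list: calendar data and common image types may be embedded
ALLOWED_FMTTYPES = {"text/calendar", "image/png", "image/jpeg", "image/gif"}


def parse_ics(ics_text):
    """Return (organizer, [attendees], [(fmttype, is_embedded)]) from an ICS body."""
    # Unfold RFC 5545 continuation lines (a leading space/tab continues the line)
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)
    organizer, attendees, attachments = None, [], []
    for line in unfolded.splitlines():
        name, _, value = line.partition(":")
        prop, _, params = name.partition(";")
        prop = prop.upper()
        if prop == "ORGANIZER":
            organizer = re.sub(r"^mailto:", "", value, flags=re.I).lower()
        elif prop == "ATTENDEE":
            attendees.append(re.sub(r"^mailto:", "", value, flags=re.I).lower())
        elif prop == "ATTACH":
            fmt = re.search(r"FMTTYPE=([^;]+)", params, re.I)
            # VALUE=BINARY means the file is embedded in the ICS; a bare URI is not
            embedded = re.search(r"VALUE=BINARY", params, re.I) is not None
            attachments.append((fmt.group(1).lower() if fmt else "unknown", embedded))
    return organizer, attendees, attachments


def domain(addr):
    return addr.rsplit("@", 1)[-1]


def spf_failed(auth_results):
    # Authentication-Results header value, e.g. "spf=fail (sender IP ...)"
    return re.search(r"\bspf=fail\b", auth_results or "", re.I) is not None


def evaluate(ics_text, sender, auth_results):
    """True when the message matches all conditions the rule summary describes."""
    organizer, attendees, attachments = parse_ics(ics_text)
    if not organizer or len(attendees) != 1:
        return False
    internal = {domain(sender), domain(organizer), domain(attendees[0])} <= ORG_DOMAINS
    bad_embedded = any(emb and fmt not in ALLOWED_FMTTYPES for fmt, emb in attachments)
    return internal and spf_failed(auth_results) and bad_embedded


# Constructed sample: internal organizer and attendee, embedded PDF inside the ICS
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
ORGANIZER:mailto:ceo@example.com
ATTENDEE;ROLE=REQ-PARTICIPANT:mailto:finance@example.com
ATTACH;FMTTYPE=application/pdf;ENCODING=BASE64;VALUE=BINARY:SGVsbG8=
END:VEVENT
END:VCALENDAR
"""
```

Calling `evaluate(SAMPLE_ICS, "ceo@example.com", "spf=fail (sender IP is 203.0.113.5)")` returns True; swapping the PDF for an allowed image type, an SPF pass, or an external sender each make it return False.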
Categories
  • Identity Management
  • Cloud
  • Web
  • Endpoint
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2025-10-09