
Summary
Technical summary: This rule detects targeted phishing delivered as a calendar attachment. It looks for ICS calendar files (attachments with an .ics extension, or with MIME type application/ics or text/calendar) and scans the ICS content for a LOCATION property followed, within 1 to 300 characters, by a Google redirect URL (google.com/url). Separately, it runs an NLU classifier over the email body and requires a high-confidence match on the topic "Request to View Invoice". The rule fires only when both conditions hold: an invoice-themed body and a calendar invite whose location is an open redirect on the trusted google.com domain, which routes the victim to attacker-controlled invoice content. Together these indicate a credential-phishing or business email compromise (BEC) attempt.

Detection methods: File analysis (ICS attachment parsing), Natural Language Understanding (invoice-topic detection in the body) and URL analysis (redirect URL in the ICS LOCATION). The rule helps mitigate invoice-themed social engineering delivered through calendar invites and open redirects.

Evasion possibilities include embedding the redirect in a non-ICS attachment, obfuscating the LOCATION field (for example by splitting the URL across folded content lines, which RFC 5545 permits and which a pattern check applied to raw ICS text will miss), using a redirect domain other than google.com, or chaining longer or multi-step redirects that a simple pattern check does not follow. Potential enhancements include broader invoice-topic coverage, additional redirect domains, and multilingual NLU support for non-English emails.
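The detection logic described above, written out as an added Python example that is not the rule's own code or the vendor's implementation. The attachment, message and ICS samples are constructed, and the invoice-topic check is a keyword stand-in for the real NLU classifier (an assumption, since the classifier itself is not reproducible here). The example goes one step beyond the summary: it unfolds RFC 5545 content lines before matching, so a LOCATION URL split across a folded line is still caught, and it exposes the raw regex so the difference can be seen.

```python
import re
from dataclasses import dataclass

ICS_EXTENSIONS = (".ics",)
ICS_MIME_TYPES = {"application/ics", "text/calendar"}

# Mirrors the rule's check: a LOCATION property followed within 1-300
# characters by a Google redirect URL. DOTALL is an assumption so the
# window may span line breaks inside the ICS text.
LOCATION_REDIRECT = re.compile(
    r"LOCATION.{1,300}?google\.com/url", re.IGNORECASE | re.DOTALL
)

# Keyword stand-in for the NLU topic "Request to View Invoice" (assumption).
INVOICE_TERMS = ("invoice", "view invoice", "payment due", "outstanding balance")


@dataclass
class Attachment:
    file_name: str
    content_type: str
    content: bytes


@dataclass
class Message:
    subject: str
    body_text: str
    attachments: list


def is_ics(att: Attachment) -> bool:
    """ICS by extension or by MIME type; parameters after ';' are ignored."""
    mime = att.content_type.split(";")[0].strip().lower()
    return att.file_name.lower().endswith(ICS_EXTENSIONS) or mime in ICS_MIME_TYPES


def unfold_ics(text: str) -> str:
    """RFC 5545 3.1: a CRLF followed by a space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", text)


def ics_has_google_redirect_location(content: bytes) -> bool:
    """Apply the LOCATION/redirect pattern to unfolded ICS text."""
    text = content.decode("utf-8", errors="replace")
    return LOCATION_REDIRECT.search(unfold_ics(text)) is not None


def body_topic_is_invoice(body: str) -> bool:
    lower = body.lower()
    return any(term in lower for term in INVOICE_TERMS)


def rule_matches(msg: Message) -> bool:
    """Fire only when an ICS attachment carries the redirect AND the body is invoice-themed."""
    ics_hit = any(
        is_ics(a) and ics_has_google_redirect_location(a.content)
        for a in msg.attachments
    )
    return ics_hit and body_topic_is_invoice(msg.body_text)


# Constructed sample: the redirect URL is folded across two content lines.
PHISH_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "UID:constructed-sample-1\r\nSUMMARY:Invoice review\r\n"
    "LOCATION:https://www.goo\r\n"
    " gle.com/url?q=https://attacker.example/invoice\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
).encode()

# Constructed benign invite with a plain-text location.
BENIGN_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "UID:constructed-sample-2\r\nSUMMARY:Quarterly budget review\r\n"
    "LOCATION:Conference room 4B\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
).encode()

PHISH_MESSAGE = Message(
    "Invoice #4471 review",
    "Hi, please view the invoice attached to this calendar invite before our call.",
    [Attachment("invite.ics", "text/calendar; charset=utf-8", PHISH_ICS)],
)
BENIGN_INVITE = Message(
    "Budget review",
    "Please view the invoice summary before the meeting.",
    [Attachment("invite.ics", "text/calendar", BENIGN_ICS)],
)
NO_INVOICE_BODY = Message(
    "Team sync",
    "Team sync on Friday at 10.",
    [Attachment("invite.ics", "application/ics", PHISH_ICS)],
)

if __name__ == "__main__":
    for name, msg in (("phish", PHISH_MESSAGE), ("benign", BENIGN_INVITE), ("no-invoice", NO_INVOICE_BODY)):
        print(name, rule_matches(msg))
```

Running the raw LOCATION_REDIRECT pattern against PHISH_ICS without unfolding returns no match, because the literal google.com is split by the fold; the same pattern matches after unfold_ics. That is the obfuscation case the summary warns about, and unfolding before matching is the cheap fix.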
Categories
- Web
- Network
- Application
Data Sources
- File
Created: 2026-04-09