ICS phishing (phishing with malicious calendar invites) gives adversaries two payload delivery methods in one attack: your inbox and your calendar. Sublime shuts both of them down at once.
ICS phishing is an attack that delivers malicious payloads within calendar invitations (.ics files).
These attacks take advantage of the fact that meetings are often automatically added to a calendar when an invitation is received. Email clients often auto-add the message body and attachments to the calendar event, so malicious payloads exist in both the calendar and inbox.
Calendar invites can bypass mail processing entirely, whether you have a SEG or API-based email security solution, so special handling is required to remediate the attack from the calendar.
The explosion and sophistication of AI-generated email attacks requires a solution that provides best-in-class efficacy, but also the ability to contextualize and respond to threats in real time. With Sublime, our team can prevent, detect, and respond to email-borne threats of today and the future.
Brad Jones
CISO, Snowflake
What makes ICS phishing so effective
ICS phishing puts a payload in your calendar – a place most email security solutions can’t reach.
Application spanning
Calendar applications and events are separate from email message processing, creating potential gaps in coverage.
Trust exploiting
An invite popping up on a calendar schedule doesn't trigger the same skepticism as a link in an email.
Platform persisting
When an email is deleted, the meeting that delivered it remains on the target’s calendar.
Tools for catching ICS phishing
Sublime uses a layered combination of AI, machine learning, and org-specific detections to catch these attacks.
When Sublime sends a message to quarantine, spam, or trash, it will also delete corresponding events from the calendar automatically – no additional steps required.
Attachment analysis
Sublime analyzes attachments, including meeting invitations, for suspicious indicators. This includes recursive analysis of archives, scanning all the files within, regardless of depth.
Link analysis
Sublime uses a browser emulation sandbox and machine learning to follow links and QR codes within messages and attachments through redirects to resolve the effective URL and collect a screenshot for further analysis.
Impersonation detection
Sublime analyzes messages and attachments with computer vision and Natural Language Understanding to detect brand impersonation, a common evasion tactic for ICS attacks.
Infrastructure metadata
Infrastructure metadata like free meeting platforms, free file hosts, free email providers, known-malicious domains, failed authentication, and more expose even the most well-crafted ICS phishing attack.
Sublime keeps ICS phish out of inboxes and off of calendars.
See how Sublime's comprehensive phishing protection service can safeguard your organization from sophisticated ICS phishing attacks.
Thank you!
Thank you for reaching out. A team member will get back to you shortly.
Oops! Something went wrong while submitting the form.
Latest on phishing
The latest news, research, and attack spotlights about phishing and phishing protection service solutions.
Sublime news
How Snyk uses Sublime's AI agents to stay ahead of email threats
April 8, 2026
Attack spotlight
April Fools' 2026: A good worker never blames their AI tools
ICS phishing is a phishing attack where adversaries embed malicious links inside meeting invites (.ics files) to bypass email security solutions. Meetings are typically added to a target’s calendar automatically upon receipt, making these attacks effective at delivering callback phishing attacks or links to credential harvesting sites.
How does Sublime detect and prevent ICS phishing?
Sublime uses Natural Language Understanding (NLU) to analyze message intent, Optical Character Recognition (OCR) to extract text from embedded images, computer vision to detect brand impersonation, and thousands of other signals. When an ICS phishing email is triaged, the malicious meeting is then also deleted from the target’s calendar.
When does Sublime triage malicious calendar invites?
If an email is sent to quarantine, spam, or trash, any meetings delivered within are also removed from the target’s calendar.
Why can't traditional email security handle ICS phishing?
Traditional security tools are unable to triage meetings that have already been added to calendars.
Now is the time
See how Sublime delivers autonomous protection by default, with control on demand.
.svg)
.avif)
