Drop ICS phishing events from your calendar

ICS phishing (phishing with malicious calendar invites) gives adversaries two payload delivery methods in one attack: your inbox and your calendar. Sublime shuts both of them down at once.

The explosion and sophistication of AI-generated email attacks requires a solution that provides best-in-class efficacy, but also the ability to contextualize and respond to threats in real time. With Sublime, our team can prevent, detect, and respond to email-borne threats of today and the future.

Brad Jones
CISO

ICS phishing in a nutshell

ICS phishing is an attack that delivers malicious payloads within calendar invitations (.ics files).

These attacks take advantage of the fact that meetings are often automatically added to a calendar when an invitation is received. Email clients often auto-add the message body and attachments to the calendar event, so malicious payloads exist in both the calendar and inbox.

Calendar invites can bypass mail processing entirely, whether you have a secure email gateway (SEG) or an API-based email security solution, so special handling is required to remediate the attack from the calendar.
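
The following added example, which is not Sublime's code or detection logic, shows how a defender can pull the organizer and embedded links out of an .ics invitation for analysis, including a link split across folded lines. The sample invite, its domains and the `free_mail_domains` set are constructed for illustration.

```python
import re

# Constructed sample invite (not from a real message); the DESCRIPTION line is folded mid-URL.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nMETHOD:REQUEST\r\n"
    "BEGIN:VEVENT\r\nUID:constructed-1@example.test\r\n"
    "ORGANIZER;CN=IT Helpdesk:mailto:helpdesk@freemail.example\r\n"
    "SUMMARY:Action required: mailbox review\r\n"
    "DESCRIPTION:Your mailbox is over quota.\\nSign in at https://login.exa\r\n"
    " mple.test/reset?u=1 to keep access\\, or reply to this invite.\r\n"
    "LOCATION:https://meet.example.test/j/123\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

LINE_RE = re.compile(r'^((?:[^:"]|"[^"]*")*):(.*)$')  # first ':' outside quoted params
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
TEXT_PROPS = {"SUMMARY", "DESCRIPTION", "LOCATION", "URL", "ATTACH", "X-ALT-DESC"}

def unfold(ics: str) -> list[str]:
    """RFC 5545 3.1: a line break followed by one space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", ics).splitlines()

def unescape(value: str) -> str:
    """Undo RFC 5545 TEXT escaping so URLs are not glued to '\\n' or '\\,'."""
    return re.sub(r"\\([nN,;\\])", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def triage_invite(ics: str, free_mail_domains: set[str]) -> dict:
    """Collect the organizer and every URL found inside VEVENT components."""
    report = {"organizer": None, "organizer_free_mail": False, "urls": []}
    in_event = False
    for line in unfold(ics):
        m = LINE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1).split(";", 1)[0].upper(), m.group(2)
        if name in ("BEGIN", "END") and value.upper() == "VEVENT":
            in_event = name == "BEGIN"
        elif in_event and name == "ORGANIZER":
            addr = re.sub(r"(?i)^mailto:", "", value).strip().lower()
            report["organizer"] = addr
            report["organizer_free_mail"] = addr.rpartition("@")[2] in free_mail_domains
        elif in_event and name in TEXT_PROPS:
            for url in URL_RE.findall(unescape(value)):
                url = url.rstrip(".,;)")
                if url not in report["urls"]:
                    report["urls"].append(url)
    return report
```

Unfolding before matching matters: a URL scanner run over the raw file would see only the truncated `https://login.exa` and miss the real destination.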

What makes ICS phishing so effective

ICS phishing puts a payload in your calendar – a place most email security solutions can’t reach.

Application spanning

Calendar applications and events are separate from email message processing, creating potential gaps in coverage.

Trust exploiting

An invite popping up on a calendar schedule doesn't trigger the same skepticism as a link in an email.

Platform persisting

When an email is deleted, the meeting that delivered it remains on the target’s calendar.

Tools for catching ICS phishing

Sublime uses a layered combination of AI, machine learning, and org-specific detections to catch these attacks.

01. Automatically remediate malicious calendar entries

When Sublime sends a message to quarantine, spam, or trash, it will also delete corresponding events from the calendar automatically – no additional steps required.

02. Attachment analysis

Sublime analyzes attachments, including meeting invitations, for suspicious indicators. This includes recursive analysis of archives, scanning all the files within, regardless of depth.

03. Link analysis

Sublime uses a browser emulation sandbox and machine learning to follow links and QR codes within messages and attachments through redirects to resolve the effective URL and collect a screenshot for further analysis.

04. Impersonation detection

Sublime analyzes messages and attachments with computer vision and Natural Language Understanding to detect brand impersonation, a common evasion tactic for ICS attacks.

05. Infrastructure metadata

Infrastructure metadata like free meeting platforms, free file hosts, free email providers, known-malicious domains, failed authentication, and more expose even the most well-crafted ICS phishing attack.

Sublime keeps ICS phish out of inboxes and off of calendars.

See how Sublime's comprehensive phishing protection service can safeguard your organization from sophisticated ICS phishing attacks.



Frequently asked questions

What is ICS phishing?

ICS phishing is a phishing attack where adversaries embed malicious links inside meeting invites (.ics files) to bypass email security solutions. Meetings are typically added to a target’s calendar automatically upon receipt, making these attacks effective at delivering callback phishing attacks or links to credential harvesting sites.

How does Sublime detect and prevent ICS phishing?

Sublime uses Natural Language Understanding (NLU) to analyze message intent, Optical Character Recognition (OCR) to extract text from embedded images, computer vision to detect brand impersonation, and thousands of other signals. When an ICS phishing email is triaged, the malicious meeting is then also deleted from the target’s calendar.

When does Sublime triage malicious calendar invites?

If an email is sent to quarantine, spam, or trash, any meetings delivered within are also removed from the target’s calendar.

Why can't traditional email security handle ICS phishing?

Traditional security tools are unable to triage meetings that have already been added to calendars.
