• Sublime Core Feed
High Severity

Attachment: Calendar invite from recently registered domain

Description

Detects calendar invites (.ics files) from organizers using domains registered within the last 90 days, which may indicate suspicious or malicious calendar invitations.

References

No references.

Sublime Security
Created Sep 25th, 2025 • Last updated Sep 25th, 2025
Source
type.inbound
and length(attachments) > 0
and all(attachments, .content_type in ("text/calendar", "application/ics"))
and any(attachments,
        any(file.explode(.),
            any(.scan.ics.calendars,
                any(.components,
                    any(.organizers,
                        network.whois(.mailbox.email.domain).days_old < 90
                    )
                )
            )
        )
)
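
The same check outside MQL, as an added example that is not part of the Sublime rule: it unfolds the .ics lines, extracts each ORGANIZER email domain, and compares the domain's registration age with the 90-day threshold. The WHOIS_CREATED table, the sample invite and all function names are constructed for illustration and stand in for a real WHOIS lookup and a real attachment.

```python
import re
from datetime import date

# Constructed registration dates standing in for a real WHOIS lookup.
WHOIS_CREATED = {
    "new-meetings.example": date(2025, 9, 1),
    "corp.example": date(2012, 3, 14),
}

# Constructed invite; the ORGANIZER line is folded as RFC 5545 allows.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "UID:constructed-1\r\n"
    'ORGANIZER;CN="Payroll: Team":mailto:hr@new-meet\r\n'
    " ings.example\r\n"
    "ATTENDEE:mailto:user@corp.example\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

# ORGANIZER, optional parameters (quoted values may contain ':'), then mailto.
ORGANIZER_RE = re.compile(
    r'^ORGANIZER(?:;(?:[^":]|"[^"]*")*)?:mailto:[^@\s]+@([^\s?]+)$', re.I
)

def unfold(ics_text):
    """Undo RFC 5545 folding: a line break followed by a space or tab."""
    return re.sub(r"\r?\n[ \t]", "", ics_text)

def organizer_domains(ics_text):
    """Lower-cased email domain of every ORGANIZER property in the file."""
    matches = (ORGANIZER_RE.match(l) for l in unfold(ics_text).splitlines())
    return [m.group(1).lower() for m in matches if m]

def is_recent(domain, today, threshold_days=90):
    """True when the domain was registered fewer than threshold_days ago."""
    created = WHOIS_CREATED.get(domain)
    # Unknown registration date gives no verdict here (choice of this example).
    return created is not None and (today - created).days < threshold_days

def flag_invite(ics_text, today):
    """Equivalent of the rule's any(.organizers, days_old < 90) condition."""
    return any(is_recent(d, today) for d in organizer_domains(ics_text))

if __name__ == "__main__":
    print(flag_invite(SAMPLE_ICS, date(2025, 9, 25)))
```

Matching ORGANIZER before unfolding would miss the folded domain in the sample, which is why the unfold step comes first.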